Problem solve Get help with specific problems with your technologies, process and projects.

IDS options: Signature databases and heuristics

This tip details the differences between two defining IDS product features -- signature databases and heuristics -- and offers advice for choosing IDS solutions.

The following is the first tip in a two-part series on intrusion detection system (IDS) techniques. Part one below outlines basic IDS solution features. Part two will spotlight three types of IDS tools, and the pros and cons of using each.

Intrusion detection systems ( IDS) have become more popular and necessary as administrators realize that firewalls alone aren't enough to keep a network perimeter secure. While a firewall closes all unused ports, it can not secure ports that are intentionally left open to meet the operational requirements of an organization. For example, a company may leave open TCP Port 80 so HTTP traffic can reach the Web server. But how can it then protect against the countless HTTP-based exploits that exist? This is where an IDS comes in.

Basically, an IDS does for network traffic what an antivirus program does for the file system. Here I'll make comparisons between the two types of solutions, explaining how each comb networks for malicious activity using either signature databases and/or heuristics. In part two of this tip, I'll describe three different types of IDS solutions.

What is a signature database?
In an antivirus program, a signature database defines what particular viruses "look like." In an IDS, the signature database tells the system what type of network traffic patterns most commonly correspond to an attack. Although a signature database is most commonly used in an IDS solution, vendors are starting to incorporate heuristics as well.

What are heuristics?
In an antivirus program, heuristics watch the file system for virus-like activity. This method safeguards against new viruses for which signatures don't yet exist. Heuristics work similarly for IDS. The IDS learns over time what types of traffic patterns are considered normal for your network. The heuristics feature then watches for anomalies in the traffic pattern.

Almost all IDS solutions use signature databases, heuristics or some combination of the two. However, just as your network requires different types of antivirus software in order to remain secure over time, it also requires different types of IDS solutions. For example, you may run an antivirus program on every Windows workstation, every Windows server and a Web server. However, generally speaking, antivirus software designed for a workstation won't install on an operating system server or Web server -- you need unique tools for each. My point is just to keep in mind that different types of IDS tools handle different jobs, just as the various antivirus programs do.

In the second part of this tip, I'll detail the pros and cons of the three different types of IDS devices: network, host and application-based IDS.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.

Click for the conclusion of this two-part series: Choosing an intrusion detection system.

More information from

  • Article: Are identities safer on laptops than central databases?
  • Tip: Network perimeter defenses for smaller shops
  • Learning Guide: Authentication

  • Dig Deeper on Enterprise desktop management