6. Intrusion Detection System (IDS)
An IDS monitors logs and real-time events to detect suspicious activity, intrusion attempts, and some system failures.
It is a detection tool, not a replacement for firewalls or other security controls. When it detects suspicious activity, it sends alerts or alarms.
HIDS (Host-based IDS) monitors a single host. It checks local processes, logs, applications, and security events. It gives detailed visibility into that machine but only covers that one system.
NIDS (Network-based IDS) monitors network traffic. It detects suspicious patterns across the network and can cover large areas from central points. It cannot fully inspect encrypted traffic and may not show exactly what happened on a specific host.
SIEM (Security Information and Event Management) collects and combines logs from many systems in one place so security teams can review events and identify threats more easily.
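The difference between a per-host view and a combined view can be shown with a small detector. This is an added example, not part of the original notes: it counts failed SSH logins per source address, first on each host alone (HIDS view) and then across all hosts (SIEM view). The log lines are constructed, and the threshold of 3 and the function names are assumptions.

```python
import re
from collections import Counter

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")
THRESHOLD = 3  # assumed alert threshold: failed logins per source address

# Constructed sshd-style log lines per host (illustrative, not real data).
SAMPLE_LOGS = {
    "web01": [
        "sshd[811]: Failed password for root from 203.0.113.7 port 50101 ssh2",
        "sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50102 ssh2",
        "sshd[812]: Failed password for root from 198.51.100.9 port 41000 ssh2",
        "sshd[812]: Failed password for root from 198.51.100.9 port 41001 ssh2",
        "sshd[812]: Failed password for root from 198.51.100.9 port 41002 ssh2",
        "sshd[813]: Accepted password for alice from 192.0.2.10 port 52000 ssh2",
    ],
    "db01": [
        "sshd[402]: Failed password for root from 203.0.113.7 port 50201 ssh2",
        "sshd[402]: Failed password for invalid user test from 203.0.113.7 port 50202 ssh2",
    ],
    "mail01": [
        "sshd[977]: Failed password for root from 203.0.113.7 port 50301 ssh2",
        "sshd[977]: Failed password for invalid user oracle from 203.0.113.7 port 50302 ssh2",
    ],
}

def failed_sources(lines):
    """Count failed-login lines per source address in one log."""
    return Counter(m.group(1) for line in lines if (m := FAILED.search(line)))

def hids_alerts(host_lines):
    """HIDS view: only this host's log is visible."""
    return sorted(s for s, n in failed_sources(host_lines).items() if n >= THRESHOLD)

def siem_alerts(logs_by_host):
    """SIEM view: combine counts from every host, then apply the same threshold."""
    total, hosts = Counter(), {}
    for host, lines in logs_by_host.items():
        for src, n in failed_sources(lines).items():
            total[src] += n
            hosts.setdefault(src, []).append(host)
    return {s: (n, sorted(hosts[s])) for s, n in total.items() if n >= THRESHOLD}

if __name__ == "__main__":
    for host, lines in SAMPLE_LOGS.items():
        print("HIDS", host, hids_alerts(lines))
    print("SIEM", siem_alerts(SAMPLE_LOGS))
```

The source that spreads two failures over each of three hosts stays below every host's threshold and is reported only in the combined view.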
Main Idea
IDS detects suspicious activity on hosts or networks and alerts administrators so they can respond.