Information Security 10 min read

Enterprise Intrusion Detection System Architecture and Feature Overview

This document outlines the background, challenges, and a comprehensive enterprise intrusion detection solution that combines host‑based and network‑based monitoring, automated CVE and GitHub leak collection, a modular agent‑middle‑display architecture, and future plans for multi‑dimensional threat modeling to enhance preventive security capabilities.


With rapid network technology development and expanding enterprise scale, companies face increasingly sophisticated intrusion threats, making it essential to detect whether a corporate network has been compromised.

Traditional security devices such as WAFs, firewalls, UTM, and vulnerability scanners can only detect known vulnerabilities or simple rule‑based attacks and cannot identify internal network penetration behaviors.

Existing intrusion detection systems (IDS) are divided into host‑based (HIDS) and network‑based (NIDS) solutions, but they often discover attacks only after they occur, lacking preventive capabilities.

Our solution enhances prevention by adding abnormal port monitoring, GitHub code‑leak monitoring, and automated CVE collection, integrated into a Security Operation Center (SOC) and Autohome Cyber Security Platform (ACSP) for data visualization, vulnerability tracking, and mobile app security compliance.

The architecture separates data collection (Agent) from analysis (Middle Service) to minimize impact on production servers; the display layer presents analysis results, alerts, and vulnerability management.

Key modules include:

Agent: selective data collection based on defined intrusion scenarios.

Middle Service: configuration control, user customization, file detection, port monitoring, CVE collection, GitHub monitoring, and data analysis with threat and log type classification.

Result storage: persisting port monitoring, file detection, and analysis outcomes in a local database.

Display: SOC/ACSP dashboards for vulnerability management, work‑order handling, and mobile security (coding standards and app scanning).

The design offers advantages such as isolation of collection and analysis, reduced risk of policy exposure, seamless policy updates, and avoidance of large data storage on agents.
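As an added illustration of the Agent / Middle Service / result-storage split described above (example code written for this page, not Autohome's implementation): the agent ships raw observations and carries no policy, the middle service holds the port baseline and file heuristics and classifies each finding by log type and threat type, and results are persisted to a local SQLite table. Hostnames, ports, hashes and the `.cache/` path heuristic are constructed sample values.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample of what a lightweight Agent ships to the Middle Service.
# Note the Agent reports observations only; no detection policy lives on the host.
AGENT_REPORT = {
    "host": "web-01",
    "listening_ports": [22, 80, 443, 4444],
    "file_events": [
        {"path": "/var/www/html/index.php", "sha256": "aaaa"},
        {"path": "/var/www/html/.cache/x.php", "sha256": "bbbb"},
    ],
}

# Policy is held only by the Middle Service (constructed sample values), so a
# compromised host cannot read which ports or paths will trigger an alert.
PORT_BASELINE = {"web-01": {22, 80, 443}}
KNOWN_FILE_HASHES = {"aaaa"}
SUSPICIOUS_PATH_HINTS = (".cache/",)  # hypothetical heuristic for this example


@dataclass
class Finding:
    host: str
    log_type: str     # which collector produced it: "port" or "file"
    threat_type: str  # analysis classification assigned by the Middle Service
    detail: str


def analyze(report: dict, port_baseline, known_hashes, path_hints) -> list:
    """Middle Service analysis: compare agent observations with server-side policy."""
    host = report["host"]
    findings = []
    expected = port_baseline.get(host, set())
    for port in report["listening_ports"]:
        if port not in expected:  # abnormal port monitoring
            findings.append(Finding(host, "port", "abnormal_port", f"unexpected listener on {port}"))
    for ev in report["file_events"]:
        if ev["sha256"] in known_hashes:
            continue  # already vetted file, nothing to report
        threat = "suspicious_path" if any(h in ev["path"] for h in path_hints) else "unknown_file"
        findings.append(Finding(host, "file", threat, ev["path"]))
    return findings


def persist(findings) -> int:
    """Result storage: write findings to a local database and return the row count."""
    con = sqlite3.connect(":memory:")  # in-memory stand-in for the local result DB
    con.execute("CREATE TABLE results(host TEXT, log_type TEXT, threat_type TEXT, detail TEXT)")
    con.executemany("INSERT INTO results VALUES (?, ?, ?, ?)",
                    [(f.host, f.log_type, f.threat_type, f.detail) for f in findings])
    return con.execute("SELECT COUNT(*) FROM results").fetchone()[0]
```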

Featured functions include full‑cycle agent file scanning, detailed vulnerability management with traceability, asset health visualization, and risk data statistics.

Future plans aim to expand data collection dimensions, build multiple detection models to lower false‑positive/negative rates, and continuously strengthen protection against evolving attacker techniques.

Tags: network security, SOC, asset visualization, CVE collection, Intrusion Detection, threat monitoring
Written by HomeTech (HomeTech tech sharing)
