Intrusion detection system
crackers or automated attack tools, by identifying security breaches such as incoming shellcode, viruses, malware or trojan horses transmitted over a computer system or network.
This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and alerting operators when one is found. A system that also terminates the offending connections is called an intrusion prevention system (IPS) and can be regarded as another form of application layer firewall; because an IPS sits inline, a false positive blocks legitimate traffic rather than merely raising an alert, so its rules need tighter tuning than those of a passive IDS.
Intrusion detection systems are usually classified by where they observe activity and by how they decide that the activity is malicious.
By vantage point:
- A Host-based Intrusion Detection System (HIDS) consists of an agent on a host which identifies intrusions by analyzing system calls, application logs and other host activity.
- A Network Intrusion Detection System (NIDS) is an independent platform which identifies intrusions by examining network traffic, and can monitor multiple hosts at once. A NIDS gains access to the traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap.
By detection method:
- A Signature-Based Intrusion Detection System identifies intrusions by watching for patterns in traffic or application data that are known to be malicious. Such systems are generally assumed to detect only 'known' attacks. However, depending on how general the rule set is, a signature-based IDS can also catch new attacks that share characteristics with old ones, e.g., any HTTP GET request whose path references 'cmd.exe'. Signatures have to be matched against decoded (normalized) data, since an encoded variant of the same request would otherwise evade the rule.
- An Anomaly-Based Intrusion Detection System identifies intrusions by alerting operators to traffic or application content that differs from 'normal' activity on the network or host. Anomaly-based IDSs typically build their model of normal behaviour by self-learning from a training period, which means that legitimate but previously unseen activity is reported as an anomaly until the baseline is updated.
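The two detection methods above, run side by side over constructed web-server log lines, as an added example that is not part of the original article. The log lines, the three signature rules and the anomaly baseline (known top-level path segments plus a per-client error ratio) are all assumptions made for this illustration, not a standard rule set or algorithm. The signature matcher decodes the request path first, so the 'cmd.exe' rule also fires on the percent-encoded variant '%63md.exe'.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access logs in Common Log Format (not from the original page).
# TRAINING_LOG is a benign baseline; LIVE_LOG mixes normal requests with probes.
TRAINING_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "GET /about.html HTTP/1.1" 200 1024
10.0.0.7 - - [10/Oct/2023:13:55:39 +0000] "GET /images/banner.png HTTP/1.1" 200 4096
10.0.0.8 - - [10/Oct/2023:13:55:40 +0000] "GET /missing.html HTTP/1.1" 404 0
"""
LIVE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:56:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /scripts/%63md.exe?/c+dir HTTP/1.0" 404 0
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /cgi-bin/test.cgi?file=../../../../etc/passwd HTTP/1.0" 404 0
203.0.113.4 - - [10/Oct/2023:13:56:10 +0000] "GET /admin/ HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Hypothetical signature rules for this example: (name, pattern). Patterns are applied to
# the percent-DECODED path, so '%63md.exe' cannot slip past a rule written for 'cmd.exe'.
SIGNATURES = [
    ("cmd.exe via HTTP request", re.compile(r"cmd\.exe", re.IGNORECASE)),
    ("directory traversal", re.compile(r"\.\./|\.\.\\")),
    ("/etc/passwd access", re.compile(r"/etc/passwd")),
]


def parse_log(text):
    """Parse Common Log Format lines into dicts; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["decoded_path"] = unquote(rec["path"])  # one round of %XX decoding
        records.append(rec)
    return records


def signature_alerts(records):
    """Signature-based detection: one (client, rule name, raw path) per known-bad pattern hit."""
    alerts = []
    for rec in records:
        for name, pattern in SIGNATURES:
            if pattern.search(rec["decoded_path"]):
                alerts.append((rec["ip"], name, rec["path"]))
    return alerts


def top_segment(path):
    """First directory component of a URL path, query string removed ('/' for the root)."""
    return path.split("?", 1)[0].strip("/").split("/", 1)[0] or "/"


class AnomalyDetector:
    """Anomaly-based detection with a deliberately simple self-learned baseline (an assumption
    of this example): train() records which top-level path segments are normal; detect() flags
    requests to unseen segments and clients whose share of 4xx/5xx responses is high."""

    def __init__(self, error_ratio_threshold=0.5, min_requests=3):
        self.known_segments = set()
        self.error_ratio_threshold = error_ratio_threshold
        self.min_requests = min_requests

    def train(self, records):
        for rec in records:
            self.known_segments.add(top_segment(rec["decoded_path"]))

    def detect(self, records):
        alerts, requests, errors = [], Counter(), Counter()
        for rec in records:
            seg = top_segment(rec["decoded_path"])
            if seg not in self.known_segments:
                alerts.append((rec["ip"], "unseen path segment", seg))
            requests[rec["ip"]] += 1
            if rec["status"] >= 400:
                errors[rec["ip"]] += 1
        for ip, n in requests.items():
            if n >= self.min_requests and errors[ip] / n >= self.error_ratio_threshold:
                alerts.append((ip, "high error ratio", f"{errors[ip]}/{n}"))
        return alerts


if __name__ == "__main__":
    live = parse_log(LIVE_LOG)
    for alert in signature_alerts(live):
        print("SIGNATURE", *alert)
    detector = AnomalyDetector()
    detector.train(parse_log(TRAINING_LOG))
    for alert in detector.detect(live):
        print("ANOMALY  ", *alert)
```

Running it shows the trade-off described above: the signature matcher is silent on the benign training log and fires only on the three probes (including the encoded one), while the anomaly detector flags every probe too but also reports the legitimate request for `/admin/`, simply because nothing under that path was seen during training.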