Editing Intrusion detection system

== Definitions ==

An '''intrusion detection system''' ('''IDS''') is

{{Quote|[a] [[software application]] that can be [[implement]]ed on [[host]] [[operating system]]s or as [[network device]]s to [[monitor]] activity that is associated with [[intrusion]]s or [[insider attack|insider misuse]], or both.<ref>[[NIST Special Publication 800-47]], at D-2.</ref>}}

{{Quote|[a] [[security services|security service]] that [[monitor]]s and [[analyze]]s [[network]] or [[system]] events for the purpose of finding, and providing [[real-time]] or [[near real-time]] warning of, attempts to [[access]] [[system resources]] in an [[unauthorized]] manner.<ref>[[NIST Special Publication 800-82]], at B-4.</ref>}}

== Overview ==

{{Quote|Intrusion detection systems detect inappropriate, incorrect, or anomalous activity on a network or computer system. Intrusion prevention systems build on intrusion detection systems to detect attacks on a network and take action to prevent them from being successful. Security event correlation tools monitor and document actions on network devices and analyze the actions to determine if an attack is ongoing or has occurred. Computer forensic tools identify, preserve, extract, and document computer-based evidence.<ref>[[Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats]], at 22 n.20.</ref>}}

An IDS collects [[information]] on a [[network]], analyzes the [[information]] on the basis of a preconfigured rule set, and then responds to the analysis. IDS ensure that unusual activity such as new open [[port]]s, unusual [[traffic]] patterns, or changes to critical [[operating system]] [[file]]s is brought to the attention of the appropriate [[security]] personnel.

The [[implementation]] of an IDS might be valuable for the following reasons:

* Prevent problem behaviors by increasing risk of discovery and punishment for [[system]] [[intruder]]s
* Detect [[attack]]s and other [[security]] violations that are not prevented by other [[security measures]]
* Detect preambles to [[attack]]s ([[network probe]]s and other tests for existing [[vulnerabilities]])
* Document the existing [[threat]] to the organization
* [[Quality control]] for [[security design]] and administration
* Provide useful information about methods used in [[intrusion]]s.

== Type of Intrusion detection systems ==

There are three common types of IDS, classified by the source of information they use to detect [[intrusion]]s: network-based, host-based, and application-based.  

* '''Network-based IDSs''' detect [[attack]]s by capturing and analyzing [[network packet]]s. When placed in a [[network]] segment, one network-based IDS can monitor the [[network traffic]] that affects multiple [[host]]s that are connected to that [[network]] segment. Network-based IDSs often consist of a set of single-purpose [[sensor]]s or [[host]]s, placed at various points in a [[network]]. These units [[monitor]] [[network traffic]], performing local analysis of that [[traffic]] and reporting attacks to a central management console. Because these [[sensor]]s are limited to [[run]]ning the IDS [[application]] only, they can more easily be [[secure]]d against [[attack]]s. Many of these [[sensor]]s are designed to [[run]] in “[[stealth mode]]," making it more difficult for an [[attacker]] to detect their presence and location.
  
* '''Host-based IDSs''' collect [[information]] from within an individual [[computer system]] and use that [[information]] to detect [[intrusion]]s. [[Host]]-based IDSs can determine exactly which processes and [[user]] accounts are involved in a particular attack on the [[system]]. Furthermore, unlike [[network]]-based IDSs, [[host]]-based IDSs can more readily “see” the intended outcome of an attempted attack, because they can directly [[access]] and [[monitor]] the [[data file]]s and [[system]] processes that are usually targeted by attacks. [[Host]]-based IDSs normally use two types of information sources: [[operating system]] [[audit trail]]s and [[system log]]s. [[Operating system]] [[audit trail]]s are usually generated at the innermost level of the [[operating system]]; therefore, these trails are more detailed and better protected than [[system log]]s. Some [[host]]-based IDSs are designed to support a centralized IDS management and reporting [[infrastructure]] that can allow a single management console to [[track]] many [[host]]s. Others generate messages in formats that are [[compatible]] with a [[network]] management system.

* '''Application-based IDSs''' are a special subset of [[host]]-based IDSs that analyze the events occurring within a specific [[software application]]. The most common information sources used by [[application]]-based IDSs are the [[application]]'s [[transaction log file]]s. Because they directly [[interface]] with the [[application]] and use [[application]]-specific knowledge, [[application]]-based IDSs can [[detect]] the actions of [[authorized user]]s who are attempting to [[exceed authorized access|exceed their authorization]]. This is because such problems are more likely to appear in the [[interaction]] among the [[user]], the [[data]], and the [[application]].

An additional type of IDS is a

* '''Protocol-based Intrusion Detection System''' ('''PIDS''') is associated with a [[component]] rather than the [[network]]. Typically it would reside between a [[server]] and a [[connected]] [[device]] and [[analyze]] [[communication protocol]]s between the two. A variation of PIDS is the "Application Protocol-based Intrusion Detection System."

== References ==
<references />
[[Category:Software]]
[[Category:Security]]
[[Category:Definition]]