Protocol-based intrusion detection system: Difference between revisions

Simmondp (talk | contribs)
{{More sources needed|date=July 2024}}
A '''protocol-based intrusion detection system''' ('''PIDS''') is an [[intrusion detection system]] which is typically installed on a [[web server]] and is used to monitor and analyze the [[Communications protocol|protocol]] in use by the computing system. A PIDS monitors the dynamic behavior and state of the protocol; it typically consists of a system or agent that sits at the front end of a server, monitoring and analyzing the communication between a connected device and the system it is protecting.

A typical use for a PIDS would be at the front end of a web server monitoring the [[HTTP]] (or [[HTTPS]]) stream.<ref>{{Cite web |date=2023-04-19 |title=What is an Intrusion Detection System (IDS)? {{!}} IBM |url=https://www.ibm.com/topics/intrusion-detection-system |access-date=2024-07-09 |website=www.ibm.com |language=en-us}}</ref> Because it understands HTTP as it relates to the web server/system it is trying to protect, it can offer greater protection than less in-depth techniques such as filtering by [[IP address]] or [[port number]] alone; this greater protection comes at the cost of additional computing on the web server.

== Overview ==
Where HTTPS is in use, the system would need to reside in the "shim" or interface at the point where the HTTPS stream is [[Cryptography|decrypted]], immediately before it enters the web [[presentation layer]].

=== Monitoring dynamic behavior ===
At a basic level a PIDS would look for, and enforce, the correct (legal) use of the protocol.

At a more advanced level the PIDS can learn or be taught acceptable constructs of the protocol, and thus better detect anomalous behavior.
 
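The two levels described above, as an added Python example (written for this page, not code from the article): level 1 rejects request heads that break the HTTP/1.1 request-line and header-field grammar, and level 2 learns acceptable constructs (methods, first path segment, header names) from known-good requests and reports departures from them. The set of accepted methods, the regular expressions and the constructed sample requests are assumptions.

```python
import re
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
HEADER_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")
# Methods this server is expected to accept (an assumption for the example).
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE", "CONNECT"}

def parse_head(raw):
    """Level 1: parse a request head, raising ValueError on illegal use of the protocol."""
    lines = raw.split("\r\n\r\n", 1)[0].rstrip("\r\n").split("\r\n")  # head ends at blank line
    m = REQUEST_LINE.match(lines[0])
    if not m or m.group(1) not in KNOWN_METHODS:
        raise ValueError("malformed request line %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            raise ValueError("malformed header field %r" % line)
        headers[h.group(1).lower()] = h.group(2)
    if m.group(3) == "1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return m.group(1), m.group(2), headers

def first_segment(target):
    return "/" + target.split("?")[0].strip("/").split("/")[0]  # '/api/users?id=1' -> '/api'

class Baseline:
    """Level 2: constructs learnt from known-good traffic (methods, path prefixes, header names)."""
    def __init__(self):
        self.methods, self.prefixes, self.headers = set(), set(), set()
    def learn(self, raw):
        method, target, headers = parse_head(raw)  # raises, so illegal traffic is never learnt
        self.methods.add(method)
        self.prefixes.add(first_segment(target))
        self.headers.update(headers)

    def check(self, raw):
        """Return findings for one request head; an empty list means it fits both levels."""
        try:
            method, target, headers = parse_head(raw)
        except ValueError as e:
            return ["illegal: " + str(e)]
        findings = []
        if method not in self.methods:
            findings.append("anomalous method " + method)
        if first_segment(target) not in self.prefixes:
            findings.append("unseen path prefix " + first_segment(target))
        findings += ["unseen header " + h for h in sorted(set(headers) - self.headers)]
        return findings
```

Feed `learn()` known-good request heads captured at the point where the HTTPS stream has been decrypted, then run `check()` on each live head; findings prefixed `illegal:` are level-1 violations, the rest are level-2 anomalies.
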
==See also==
* [[Application protocol-based intrusion detection system]] (APIDS)
* [[Host-based intrusion detection system]] (HIDS)
* [[Intrusion detection system]] (IDS)
* [[Network intrusion detection system]] (NIDS)
* [[Tripwire (software)]] - a pioneering HIDS
* [[Trusted Computing Group]]
* [[Trusted platform module]]
 
==References==
{{Reflist}}

{{DEFAULTSORT:Protocol-Based Intrusion Detection System}}
[[Category:Intrusion detection systems]]
[[Category:Web server management software]]