
Protocol-based intrusion detection system

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Gingerman50 (talk | contribs) at 10:48, 27 November 2009 (Removed the "protocol"s behind HTTP as is repetition as it is essentially saying HyperText Transfer Protocol protocol). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

A protocol-based intrusion detection system (PIDS) is an intrusion detection system which is typically installed on a web server, and is used in the monitoring and analysis of the protocol in use by the computing system. A PIDS monitors the dynamic behavior and state of the protocol and typically consists of a system or agent that sits at the front end of a server, monitoring and analyzing the communication between a connected device and the system it is protecting.

A typical use for a PIDS would be at the front end of a web server monitoring the HTTP (or HTTPS) stream. Because it understands HTTP as used by the web server/system it is trying to protect, it can offer greater protection than less in-depth techniques such as filtering by IP address or port number alone; however, this greater protection comes at the cost of increased computing load on the web server.

Where HTTPS is in use, the system would need to reside in the "shim" or interface between the point where HTTPS is decrypted and the point immediately before the traffic enters the web presentation layer.

Monitoring dynamic behavior

At a basic level, a PIDS would look for, and enforce, the correct use of the protocol.

At a more advanced level, the PIDS can learn or be taught acceptable constructs of the protocol, and thus better detect anomalous behavior.
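As an added illustration of these two levels (example code written for this article, not part of it), the Python check below first enforces HTTP/1.x request syntax and then compares the request against a learned profile of acceptable constructs; the Profile values, the inspect_request function and the sample requests are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Hypothetical minimal PIDS check for HTTP/1.x requests. Assumptions: the
# request is plaintext (already decrypted), one request head per call.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"           # RFC 7230 token characters
REQUEST_LINE = re.compile(rf"^({TOKEN}) (\S+) HTTP/(1\.[01])$")
HEADER_LINE = re.compile(rf"^({TOKEN}):[ \t]*(.*?)[ \t]*$")

@dataclass
class Profile:
    """Acceptable constructs, learned or configured (constructed sample values)."""
    methods: set = field(default_factory=lambda: {"GET", "HEAD", "POST"})
    max_header_count: int = 32
    max_header_len: int = 4096
    path_prefixes: tuple = ("/app/", "/static/")

def inspect_request(raw: bytes, profile: Profile) -> list:
    """Return findings; an empty list means the request passed both the
    protocol-conformance stage and the learned-profile stage."""
    findings = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]
    if "\r\n\r\n" not in text:
        return ["request head not terminated by CRLF CRLF"]
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return [f"malformed request line: {lines[0]!r}"]
    method, target, _version = m.groups()
    # Stage 1 (basic level): enforce correct use of the protocol grammar.
    headers = []
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            findings.append(f"malformed header line: {line!r}")
            continue
        headers.append(h.groups())
        if len(line) > profile.max_header_len:
            findings.append(f"oversized header: {h.group(1)}")
    # Stage 2 (advanced level): compare against learned acceptable constructs.
    if method not in profile.methods:
        findings.append(f"method not in profile: {method}")
    if not target.startswith(profile.path_prefixes):
        findings.append(f"target outside learned paths: {target}")
    if len(headers) > profile.max_header_count:
        findings.append(f"too many headers: {len(headers)}")
    return findings
```

A syntactically broken request head is rejected outright at stage 1, while a well-formed but unusual request only produces profile findings, so the two stages can be alerted on with different severities.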

See also