
Protocol-based intrusion detection system

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Reedy (talk | contribs) at 20:30, 19 July 2006 (Limited spellcheck + unicode + minor fixes using mboverload's RegExTypoFix, Replaced: anomolous => anomalous, using AWB). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

A Protocol-based Intrusion Detection System (PIDS) is a special category of Intrusion Detection System that focuses its monitoring and analysis on the protocol or protocols in use by the computing system.

Overview

A PIDS monitors the dynamic behaviour and state of the protocol. It typically consists of a system or agent that sits at the front end of a server, monitoring and analysing the communication protocol between a connected device (a user/PC or system) and the system it is protecting.

A typical place for a PIDS would be at the front end of a web server, monitoring the HTTP (or HTTPS) protocol stream; it would understand the HTTP protocol relative to the web server/system it is trying to protect.

Where HTTPS is in use, this system would need to reside in the "shim" or interface between the point where the HTTPS stream is decrypted and the point immediately before it enters the Web presentation layer.

Monitoring dynamic behavior

At a basic level, a PIDS would look for, and enforce, the correct (legal) use of the protocol.

At a more advanced level, the PIDS can learn or be taught the acceptable constructs of the protocol, and thus better detect anomalous behaviour.
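As an added illustration that is not part of the article, the following Python sketch shows the two levels above for an HTTP front end: `check_protocol` enforces legal HTTP/1.x request syntax, while `learn_profile` and `check_profile` record the methods and header fields the protected server legitimately uses and flag requests that fall outside that profile. All function names and sample requests are constructed for this example.

```python
import re

TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 token chars
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
LEGAL_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

def parse_head(raw):
    """Split a raw HTTP/1.x request head into its request line and header lines."""
    lines = raw.split("\r\n\r\n", 1)[0].rstrip("\r\n").split("\r\n")
    return lines[0], lines[1:]

def check_protocol(raw):
    """Basic level: list every departure from legal HTTP/1.x request syntax."""
    request_line, header_lines = parse_head(raw)
    match = REQUEST_LINE.match(request_line)
    if not match:
        return ["malformed request line"]
    method, _target, major, minor = match.groups()
    findings = [] if method in LEGAL_METHODS else [f"unknown method {method}"]
    if (major, minor) not in {("1", "0"), ("1", "1")}:
        findings.append(f"unsupported version HTTP/{major}.{minor}")
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            findings.append(f"illegal header field: {line!r}")
        elif name.lower() == "content-length" and not value.strip().isdigit():
            findings.append("non-numeric Content-Length")
    return findings

def learn_profile(legal_requests):
    """Advanced level: learn which methods and header fields the protected server sees."""
    heads = [parse_head(raw) for raw in legal_requests]
    methods = {line.split(" ", 1)[0] for line, _ in heads}
    headers = {h.partition(":")[0].strip().lower() for _, hs in heads for h in hs}
    return methods, headers

def check_profile(raw, profile):
    """Flag constructs that are syntactically legal but outside the learned profile."""
    methods, headers = profile
    request_line, header_lines = parse_head(raw)
    method = request_line.split(" ", 1)[0]
    findings = [] if method in methods else [f"method {method} not in learned profile"]
    for name in (h.partition(":")[0].strip().lower() for h in header_lines):
        if name not in headers:
            findings.append(f"header {name} not in learned profile")
    return findings

LEGAL = "GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"  # constructed sample
BROKEN = "GET / HTTP/9.1\r\nHost: example.test\r\nBad Header: x\r\nContent-Length: abc\r\n\r\n"
UNUSUAL = "POST /index.html HTTP/1.1\r\nHost: example.test\r\nX-Debug: 1\r\n\r\n"
```

Run the protocol check on every request first; only requests that pass it are worth comparing against the learned profile, since a malformed head has no reliable method or header names to compare.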
