Protocol-based intrusion detection System
From Wikipedia, the free encyclopedia
A Protocol-based Intrusion Detection System (PIDS), is a special category of an Intrusion-Detection System, and focuses its monitoring and analysis on the protocol or protocols in use by the computing system.
[edit] Overview
A PIDS will monitor the dynamic behavior and state of the protocol and will typically consists of a system or agent that would typically sit at the front end of a server, monitoring and analysing the communication protocol between a connected device (a user/PC or system) and the system it is protecting.
A typical place for a PIDS would at the front end of a web server monitoring the HTTP (or HTTPS) protocol stream and would understand the HTTP protocol relative to the web server/system it is trying to protect.
Where HTTPS is in use then this system would need to reside in the "shim" or interface between where HTTPS is un-encrypted and immediately prior to it entering the Web presentation layer.
[edit] Monitoring dynamic behavior
As a basic level PIDS would look for, and enforce the correct (legal) use of the protocol.
At a more advanced level the PIDS can learn or be taught acceptable constricts of the protocol, and thus better detect anomalous behaviour.