Protocol-based intrusion detection system
From Wikipedia, the free encyclopedia
A protocol-based intrusion detection system (PIDS) is an intrusion detection system that focuses its monitoring and analysis on the protocol or protocols in use by the computing system.
[edit] Overview
A PIDS will monitor the dynamic behavior and state of the protocol and will typically consists of a system or agent that would typically sit at the front end of a server, monitoring and analysing the communication protocol between a connected device (a user/PC or system) and the system it is protecting.
A typical place for a PIDS would at the front end of a web server monitoring the HTTP (or HTTPS) protocol stream and would understand the HTTP protocol relative to the web server/system it is trying to protect.
Where HTTPS is in use then this system would need to reside in the "shim" or interface between where HTTPS is un-encrypted and immediately prior to it entering the Web presentation layer.
[edit] Monitoring dynamic behavior
As a basic level PIDS would look for, and enforce the correct (legal) use of the protocol.
At a more advanced level the PIDS can learn or be taught acceptable constricts of the protocol, and thus better detect anomalous behaviour.
[edit] See also
- Intrusion detection system (IDS)
- Network intrusion detection system (NIDS)
- Host-based intrusion detection system (HIDS)
- Application protocol-based intrusion detection system (APIDS)
- Tripwire (software) - a pioneering HIDS
- Trusted Computing Group
- Trusted platform module