The IT Law Wiki

Definition

A Network Intrusion Detection System (NIDS) is

  • "[s]oftware that performs packet sniffing and network traffic analysis to identify suspicious activity and record relevant information."[1]
  • a system "used to identify and analyze communication traffic on a computer network and to identify unauthorized or malicious activity."[2]

Overview

There are two basic types of NIDSs:

  • Signature-based NIDSs are similar to antivirus and vulnerability scanners in that only known signatures are detected. The signatures are essentially strings of code known to be indicative of malicious traffic.
  • Anomaly-based NIDSs build a model from historical network traffic and alarm when current traffic falls outside the expected range. They require running the network while recording known-good traffic, against which future traffic is compared. The challenge for anomaly-based detection is defining what is normal; if normal network behavior changes constantly, it becomes very difficult to establish a baseline. However, anomaly-based NIDSs work well for deterministic networks with few report-by-exception events.
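As an added illustration (not taken from the wiki or its cited sources), the following Python sketches both detection models described above on constructed sample traffic: a signature matcher flags a packet whose payload contains a known pattern, while an anomaly detector learns each source's fan-out (distinct destination/port pairs) from recorded known-good traffic and alarms on a host that exceeds the baseline even though no signature matches. The `Packet` class, the two signatures, the addresses and the threshold formula are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Packet:          # minimal stand-in for a sniffed packet (constructed)
    src: str
    dst: str
    dport: int
    payload: bytes

# Signature-based detection: byte patterns treated as indicative of malicious
# traffic. These two are illustrative only, not a real rule set.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "html-script-tag": re.compile(rb"<script", re.IGNORECASE),
}

def signature_alerts(packets):
    """(signature name, src, dst) for each packet whose payload matches a known signature."""
    return [(name, p.src, p.dst) for p in packets
            for name, pat in SIGNATURES.items() if pat.search(p.payload)]

# Anomaly-based detection: learn each source's fan-out from known-good traffic,
# then alarm when a source in later traffic exceeds the learned threshold.
def fanout(packets):
    per_src = {}
    for p in packets:
        per_src.setdefault(p.src, set()).add((p.dst, p.dport))
    return {src: len(pairs) for src, pairs in per_src.items()}

def build_threshold(good_packets, k=3.0):
    counts = list(fanout(good_packets).values())
    mu, sigma = mean(counts), pstdev(counts)
    # mean + k standard deviations, never below mean + 1 so a flat baseline keeps headroom
    return max(mu + k * sigma, mu + 1)

def anomaly_alerts(packets, threshold):
    return [(src, n) for src, n in fanout(packets).items() if n > threshold]

# Constructed traffic. Baseline: three hosts with fan-out 3, 2 and 4 (payloads irrelevant here).
GOOD = [Packet(s, d, p, b"benign") for s, d, p in [
    ("10.0.0.5", "10.0.1.10", 443), ("10.0.0.5", "10.0.1.11", 443), ("10.0.0.5", "10.0.1.12", 53),
    ("10.0.0.6", "10.0.1.10", 443), ("10.0.0.6", "10.0.1.12", 53),
    ("10.0.0.7", "10.0.1.10", 443), ("10.0.0.7", "10.0.1.11", 443),
    ("10.0.0.7", "10.0.1.12", 53), ("10.0.0.7", "10.0.1.13", 25)]]
# Observed: one traversal attempt (signature hit) and one host sweeping eight ports
# on a single server (no signature matches, but its fan-out is far above baseline).
OBSERVED = [Packet("10.0.0.6", "10.0.1.10", 443, b"GET /../../secret.txt HTTP/1.1"),
            Packet("10.0.0.5", "10.0.1.10", 443, b"GET / HTTP/1.1")] + [
            Packet("10.0.0.9", "10.0.1.20", port, b"") for port in range(20, 28)]
THRESHOLD = build_threshold(GOOD)   # 3 + 3 * 0.816 = 5.45
```

Running `signature_alerts(OBSERVED)` reports only the traversal packet, while `anomaly_alerts(OBSERVED, THRESHOLD)` reports only the sweeping host, showing why the two models complement each other.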

References