Definition
A Network Intrusion Detection System (NIDS) is
"[s]oftware that performs packet sniffing and network traffic analysis to identify suspicious activity and record relevant information."[1]
"used to identify and analyze communication traffic on a computer network and to identify unauthorized or malicious activity."[2]
Overview
There are two basic types of NIDSs:
- Signature-based NIDSs are similar to antivirus and vulnerability scanners in that only known signatures are detected. A signature is essentially a string or byte pattern in packet content that is known to be indicative of malicious traffic, so traffic that matches no existing signature passes unnoticed.
- Anomaly-based NIDSs build a model of historical network traffic and raise an alarm when current traffic falls outside the expected range. They require a period of recording known-good traffic on the network, against which future traffic is compared. The challenge for anomaly-based detection is defining what is normal: it is very difficult to establish a baseline when normal network behavior constantly changes. Anomaly-based NIDSs therefore work best for deterministic networks with few report-by-exception events.
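As an added illustration (example code written for this page, not taken from any NIDS product), the two approaches side by side over constructed flow records: a signature matcher that flags payloads containing a known byte string, and an anomaly detector that learns a per-host byte-volume baseline from known-good traffic and alarms on outliers or on hosts it has no baseline for. The host addresses, signatures and byte counts are all made up for the example.

```python
import statistics
from dataclasses import dataclass

@dataclass
class Flow:
    src: str        # source address (constructed values below)
    nbytes: int     # bytes carried by the flow
    payload: bytes  # application-layer content the signature matcher inspects

# Signature-based detection: only traffic matching a known pattern is flagged.
# Two constructed example signatures; a production rule set holds thousands.
SIGNATURES = {
    "directory traversal in request": b"../../",
    "shell metacharacter in query": b";/bin/",
}
def signature_alerts(flows):
    """Return (flow index, signature name) for every payload containing a known signature."""
    return [(i, name) for i, f in enumerate(flows)
            for name, pattern in SIGNATURES.items() if pattern in f.payload]

# Anomaly-based detection: learn 'normal' from recorded known-good traffic, then alarm
# on traffic outside that expectation. The baseline must be relearned when normal shifts.
def build_baseline(baseline_flows):
    """Per-source mean and population stdev of bytes per flow, learned from good traffic."""
    per_host = {}
    for f in baseline_flows:
        per_host.setdefault(f.src, []).append(f.nbytes)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}
def anomaly_alerts(baseline, flows, zmax=3.0):
    """Flag flows more than zmax standard deviations from the source host's baseline."""
    hits = []
    for i, f in enumerate(flows):
        if f.src not in baseline:
            hits.append((i, "source host not in baseline"))  # nothing 'normal' to compare to
            continue
        mean, sd = baseline[f.src]
        sd = sd or 1.0  # a perfectly flat baseline would otherwise flag any change at all
        if abs(f.nbytes - mean) / sd > zmax:
            hits.append((i, "byte volume outlier"))
    return hits

# Constructed traffic: a baseline window of ordinary requests, then a window both detectors inspect.
BASELINE = build_baseline([Flow("10.0.0.5", n, b"GET /index.html")
                           for n in (1000, 1100, 1200, 1050, 1150)])
LIVE = [
    Flow("10.0.0.5", 1100, b"GET /index.html"),              # normal: neither detector fires
    Flow("10.0.0.5", 1150, b"GET /static/../../etc/hosts"),  # signature hit, volume is normal
    Flow("10.0.0.5", 50000, b"POST /upload"),                # no signature, but a volume outlier
    Flow("10.0.0.9", 1000, b"GET /index.html"),              # host never seen in the baseline
]
```

Note that the large upload is invisible to the signature matcher and the traversal string is invisible to the anomaly detector, which is why the two approaches are usually deployed together.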