The Four Types of Intrusion Detection Systems

  • The first type, and one of the most common, is the NIDS. The NIDS is designed to inspect every packet entering the network for the presence of malicious or damaging behavior and, when malicious activity is detected, throw an alert. The NIDS is able to monitor traffic from the router to the host itself. Much like a packet sniffer, an NIDS operates similar to a network card in promiscuous mode. In practice this type of IDS can take the form of a dedicated computer or the more common black box design (which is a dedicated device altogether).
  • The next major kind of IDS is the host-based intrusion detection system (HIDS), which is installed on a server or computer. An HIDS is responsible for monitoring activities on a system. It is adept at detecting misuse of a system, including insider abuses. Its location on a host puts the HIDS in close proximity to the activities that occur on a host as well as in a perfect position to deal with threats on that host. HIDSs are commonly available on the Windows platform but are found on Linux and Unix systems as well.
  • Log file monitors (LFMs) monitor log files created by network services. The LFM IDS searches through the logs and identifies malicious events. Like NIDSs, these systems look for patterns in the log files that suggest an intrusion. A typical example would be parsers for HTTP server log files that look for intruders who try well-known security holes, such as the phf attack. An example of a log file monitoring program is swatch.
  • File integrity checking mechanisms, such as Tripwire, check for Trojan horses or files that have otherwise been modified, indicating an intruder has already been there.