Network intrusion detection system
A Network Intrusion Detection System (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by Network Security Monitoring (NSM) of network traffic.

A NIDS reads all the incoming packets and tries to find suspicious patterns known as signatures or rules. If, for example, a large number of TCP connection requests to a very large number of different ports is observed, one could assume that someone is conducting a port scan of some or all of the computers in the network. It also (mostly) tries to detect incoming shellcode in the same manner that an ordinary intrusion detection system does.
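As an added illustration of the port-scan heuristic just described (example code written for this page, not part of the original article), the following Python counts the distinct destination ports each source sends TCP SYNs to within a sliding time window and flags sources above a threshold. The window, threshold and connection records are assumed values constructed for the demonstration.

```python
"""Added example: a minimal port-scan heuristic of the kind a NIDS rule
implements. Counts, per source address, how many distinct (host, port)
targets received a bare TCP SYN within a sliding window and flags sources
that exceed a threshold. All records below are constructed sample data."""
from collections import defaultdict, deque

# Constructed records: (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags)
# 10.0.0.5 behaves normally: repeated SYNs to three service ports.
SAMPLE_RECORDS = [(0.5 * i, "10.0.0.5", "10.0.0.20", [22, 80, 443][i % 3], "S")
                  for i in range(12)]
# 10.0.0.9 probes 30 different ports in three seconds (constructed scan).
SAMPLE_RECORDS += [(1.0 + 0.1 * p, "10.0.0.9", "10.0.0.20", p, "S")
                   for p in range(1, 31)]
SAMPLE_RECORDS.sort()  # a NIDS sees packets in wire order


def detect_port_scans(records, window=10.0, threshold=20):
    """Return {src_ip: max_distinct_targets} for every source that sent bare
    SYNs to more than `threshold` distinct (dst_ip, dst_port) targets within
    any `window`-second span. Records must be sorted by timestamp."""
    recent = defaultdict(deque)  # src_ip -> deque of (ts, (dst_ip, dst_port))
    alerts = {}
    for ts, src, dst, port, flags in records:
        if flags != "S":  # only connection attempts, not replies or data
            continue
        q = recent[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > window:  # drop entries outside the window
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) > threshold:
            alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, count in detect_port_scans(SAMPLE_RECORDS).items():
        print(f"ALERT possible port scan from {src}: {count} distinct targets")
```

Direction is deliberately not filtered, so a scan staged from inside the monitored segment is caught the same way as one arriving from outside.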

A NIDS is not limited to inspecting incoming network traffic only. Often valuable information about an ongoing intrusion can be learned from outgoing or local traffic as well. Some attacks might even be staged from the inside of the monitored network or network segment, and are therefore not regarded as incoming traffic at all.

Network intrusion detection systems often work together with other systems as well. They can, for example, update some firewalls' blacklist with the IP addresses of computers used by (suspected) crackers.

Certain DISA documentation, such as the Network STIG, uses the term NID to distinguish an internal IDS instance from its outward-facing counterpart.

See also

  • Application protocol-based intrusion detection system (APIDS)
  • Bro, an open source NIDS
  • Bypass switch
  • Honeypot (or Honeynet)
  • Host-based intrusion detection system (HIDS)
  • Intrusion prevention system (IPS)
  • Protocol-based intrusion detection system (PIDS)
  • Snort, an open source NIDS

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.