The present invention relates generally to the field of computer security, and also to data flow analysis.
An intrusion detection system (IDS) is a hardware device or software application that monitors a network or system for malicious activities or policy violations and reports on its findings. A host-based IDS (HIDS), for example, may monitor all or part of the dynamic behavior and state of a computer system, including determining whether a given program should have access to particular system resources, whether certain file system objects or regions of memory have been modified, and whether incoming network packets contain malicious or otherwise unauthorized payloads.
IDSs may be network based (NIDS) or host based (HIDS), and may function cooperatively or be integrated with an intrusion prevention system (IPS, NIPS, HIPS, etc.) to form an active intrusion detection and prevention system (IDPS) rather than serving as just a passive monitoring tool. In an era where cybercrime is recognized as a significant and growing threat, these types of systems are in widespread use among businesses and organizations of all types and sizes. Some IDSs use Deep Packet Inspection (DPI) to permit early detection of potentially dangerous payloads in incoming network packets. With DPI, the contents of data packets are decoded and inspected to a depth beyond that normally analyzed at the networking layers (that is, beyond layers 2 and 3 of the Open Systems Interconnection (OSI) model).
Signatures are often employed by IDSs and antivirus software to detect computer viruses and other types of malware. Systems using signature-based detection search for known malicious patterns within data or executable code. Some systems may also use generic signatures or other heuristics to flag slight variations of known malicious patterns as potentially malicious as well.
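The deep packet inspection and signature matching described above, as an added illustration that is not part of the patent text: the Ethernet, IPv4 and TCP headers (OSI layers 2 through 4) are decoded to reach the application payload, which is then checked against an exact byte signature and a regex-based generic signature that tolerates slight variations. The signature patterns, names and frames are constructed sample values, not real rules or captured traffic.

```python
import re
import struct
from typing import List, Optional

# Constructed sample signatures (not from any real IDS or antivirus ruleset).
# An exact signature is a literal byte pattern; a generic signature is a regex
# so that small variations of the known pattern (case, spacing) still match.
EXACT_SIGNATURES = {"known-sample-abc": b"MALWARE-SAMPLE-ABC"}
GENERIC_SIGNATURES = {"suspicious-shell-cmd": re.compile(rb"(?i)cmd\.exe\s*/c\s+\w+")}


def extract_tcp_payload(frame: bytes) -> Optional[bytes]:
    """Decode Ethernet/IPv4/TCP headers and return the application payload,
    or None if the frame is not IPv4-over-TCP or is truncated."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                  # not an IPv4 frame
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                         # IPv4 header length
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or len(ip) < ihl + 20:             # protocol 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4                    # TCP header length
    return tcp[data_off:]


def inspect_payload(payload: bytes) -> List[str]:
    """Return the names of all signatures that match the payload."""
    hits = [n for n, pat in EXACT_SIGNATURES.items() if pat in payload]
    hits += [n for n, rx in GENERIC_SIGNATURES.items() if rx.search(payload)]
    return hits


def inspect_frame(frame: bytes) -> List[str]:
    """DPI entry point: decode the frame, then match signatures on its payload."""
    payload = extract_tcp_payload(frame)
    return [] if payload is None else inspect_payload(payload)


def build_frame(payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame carrying `payload`
    (checksums left zero; constructed test input, not real traffic)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip


if __name__ == "__main__":
    for data in (b"GET / HTTP/1.1\r\n", b"xx MALWARE-SAMPLE-ABC xx", b"CMD.exe  /c  whoami"):
        print(data, "->", inspect_frame(build_frame(data)))
```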