Intrusion detection is the practice of identifying inappropriate, unauthorized, or malicious activity in computer systems. Systems designed for intrusion detection typically monitor for security breaches perpetrated by external attackers as well as by insiders using the computer system or a computer network. As computer systems become increasingly interconnected through networking, intruders and attackers are provided with greater opportunities for gaining unauthorized access while avoiding detection. As a result of widespread cooperative use of shared computing resources, for example in corporate network environments, intrusion detection systems (IDS) are commonly tasked with monitoring complex system organizations and detecting intrusions to network segments including multiple computing machines and/or devices.
FIG. 1 illustrates a simple computing network, for example in a business office, which includes multiple electronic machines and/or devices of various types, such as personal computers 105, office workstations 110, mass storage subsystems and servers 115, and printers/copiers/fax machines 120. The various devices are connected through a network to form an integrated environment in which information can be generated, accessed and shared among the legitimate users of the business environment. In such a network, a potential intruder can attempt to compromise any of a number of interconnected machines and/or devices in order to gain access to the network 100 as a whole.
In order to detect such attack attempts, some existing implementations of IDS install a host-based sensor on each of the machines within the network to be monitored. Such host-based intrusion detection system (HIDS) sensors are typically software agents loaded onto a host system such as a computer to monitor the traffic (some of which may be encrypted) going in and out of the host. Anomalous traffic patterns or known attack signatures could signal an external attack on the host, an unauthorized use originating from the host, or an internal attack originating from an infected or otherwise compromised host. Some HIDS sensors also monitor files and processes internal to the host system, for example by comparing system files against a known-good baseline, to watch for suspicious use of the host itself. When known suspicious activity is detected at the host, the HIDS typically generates an alert that is sent over the network as notification of the detected intrusion.
Other existing forms of IDS focus monitoring on an entire network segment rather than on individual hosts. Such network-based intrusion detection systems (NIDS) are typically installed as physical devices positioned at locations within the network where they can monitor all network traffic entering and exiting the network segment. For example, a NIDS sensor is often implemented as a physical NIDS device 140 placed just behind a firewall 160 protecting a network segment 100, as illustrated in FIG. 1, such that all traffic going in and out of the network segment must pass through and be scanned by the NIDS. The NIDS typically inspects packets at the network and transport layers of the protocol stack, watching for suspicious traffic patterns such as connection attempts to known frequently attacked ports, anomalous combinations of packet header fields (for example, TCP flag combinations that never occur in legitimate connections), and known attack signature patterns in the payloads of unencrypted packets. Because it examines packets in transit, a NIDS cannot match payload signatures in encrypted traffic, and a sensor placed at the segment boundary sees nothing of traffic that stays within the segment without crossing it.
In addition to intrusion detection, some network security systems also incorporate intrusion prevention systems (IPS), which are capable of reacting to detected security breaches to protect the network. For example, a network-based IPS could drop suspicious unencrypted packets or block a suspected intruder from communicating with the network. A host-based IPS could prevent unauthorized changes to files or code residing on the host system, and could deny access to the host by suspicious users or applications.
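The three NIDS checks named in the preceding paragraphs (connection attempts to frequently attacked ports, anomalous header combinations, and payload signatures in unencrypted packets) together with the network-based IPS reactions described above (dropping matching packets and blocking a source), as an added example that is not code from the original text. The packet records, the watched-port list, the two byte signatures and the block threshold are all constructed for illustration; real rule sets such as Snort's or Suricata's are far larger, and a real sensor would parse headers from the wire rather than take pre-decoded dictionaries.

```python
"""Toy network-based inspector with an IPS-style response.

Added example: applies three checks a NIDS commonly performs to a stream of
TCP packet records (connection attempts to frequently attacked ports,
anomalous TCP flag combinations, and byte signatures in unencrypted
payloads), then lets a simple IPS policy drop matching packets and block
repeat offenders. Packets, port lists and signatures are constructed.
"""
from collections import Counter

# Ports that are frequently probed by attackers (illustrative, not exhaustive).
WATCHED_PORTS = {23, 445, 1433, 3389}
# Ports whose payloads are normally encrypted and therefore cannot be matched.
ENCRYPTED_PORTS = {22, 443, 993}
# Illustrative byte signatures (constructed for this example).
SIGNATURES = {
    "shell-command": b"/bin/sh",
    "sqli-tautology": b"' OR 1=1",
}
# After this many alerts from one source, the IPS blocks it outright.
BLOCK_THRESHOLD = 2


def inspect(pkt):
    """Return the list of alert names raised by one TCP packet record."""
    alerts = []
    flags = set(pkt.get("flags", ""))
    # Bare SYN (no ACK) is a connection attempt; flag it if aimed at a watched port.
    if "S" in flags and "A" not in flags and pkt["dport"] in WATCHED_PORTS:
        alerts.append("conn-to-watched-port")
    # SYN+FIN together, or no flags at all, never occurs in legitimate traffic
    # but is produced by several port-scanning techniques.
    if {"S", "F"} <= flags or not flags:
        alerts.append("anomalous-tcp-flags")
    # Signature matching is only meaningful on cleartext payloads.
    if pkt["dport"] not in ENCRYPTED_PORTS:
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.get("payload", b""):
                alerts.append(name)
    return alerts


class Ips:
    """Reactive layer: drop packets that raise alerts, block noisy sources."""

    def __init__(self):
        self.alert_count = Counter()
        self.blocked = set()

    def process(self, pkt):
        """Return (verdict, alerts) where verdict is pass, drop or blocked."""
        if pkt["src"] in self.blocked:
            return "blocked", []
        alerts = inspect(pkt)
        if not alerts:
            return "pass", alerts
        self.alert_count[pkt["src"]] += len(alerts)
        if self.alert_count[pkt["src"]] >= BLOCK_THRESHOLD:
            self.blocked.add(pkt["src"])
        # A detection-only NIDS would log here and let the packet through;
        # an IPS drops it.
        return "drop", alerts


def run(packets):
    """Feed a packet list through one IPS instance and collect the verdicts."""
    ips = Ips()
    return [ips.process(p) for p in packets]


# Constructed traffic: a benign request, a SYN+FIN scan probe, a SYN to SMB
# from the same scanner, an SQL-injection attempt over plain HTTP, the same
# bytes inside a TLS record (not matchable), and a packet from the scanner
# after it has been blocked.
SAMPLE = [
    {"src": "10.0.0.5", "dport": 80, "flags": "PA", "payload": b"GET / HTTP/1.1\r\n"},
    {"src": "203.0.113.7", "dport": 80, "flags": "SF", "payload": b""},
    {"src": "203.0.113.7", "dport": 445, "flags": "S", "payload": b""},
    {"src": "198.51.100.9", "dport": 80, "flags": "PA", "payload": b"GET /?id=1' OR 1=1-- HTTP/1.1"},
    {"src": "198.51.100.9", "dport": 443, "flags": "PA", "payload": b"\x17\x03\x03' OR 1=1"},
    {"src": "203.0.113.7", "dport": 22, "flags": "S", "payload": b""},
]

if __name__ == "__main__":
    for pkt, (verdict, alerts) in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt['src']:>14} -> :{pkt['dport']:<4} {verdict:<8} {alerts}")
```

The fifth record shows the limitation the text notes: the same injection bytes pass unflagged on port 443 because the sensor, seeing only ciphertext in practice, has no cleartext to match. Blocking by source address is the simplest IPS reaction and also the easiest to abuse; an attacker who can spoof a legitimate host's address can get that host blocked, so production systems usually rate-limit or require corroborating alerts before blocking.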