【Information Security】-Intrusion Detection

Abstract: An intrusion detection system (IDS) on a network plays the role of the automatic burglar alarm in the physical world: it monitors activity in the area it protects and raises an alert when something matches a known-bad pattern. There are two models, host-based IDS and network-based IDS, and the two are structurally very similar. The core components are the traffic collector, the analysis engine, and the signature database (the "feature database" below). A host-based IDS collects the log files and other key files of the machine it runs on; a network-based IDS collects every packet flowing through the network segment it watches. Once the analysis engine has the data, it pattern-matches it against the records in the signature database to decide which behaviour is "good" and which is "bad". Because the decision is a match against stored patterns, such an IDS only recognises behaviour that has already been seen, classified and written into the database.

Table of Contents

Host-based IDS:

Network-based IDS:


Host-based IDS:

A host-based IDS focuses on a single system and usually cannot see activity on the surrounding network. It examines the host's log files and audit records, and the network traffic entering and leaving that one system.

The structure of host-based IDS

Traffic (communication flow) collector: gathers error reports, log files and system files, selects the records of interest, and passes them to the analysis engine.

Analysis engine: the most important part of the IDS, because it decides which behaviour is "good" and which is "bad". It is a decision-making and pattern-matching mechanism: it inspects the information handed over by the collector and tries to match it against the behaviour patterns in the feature database. If a record matches a known pattern, the engine responds, usually by issuing a warning or alert. A corollary worth keeping in mind: anything that does not match a stored pattern is silently treated as "good".

Feature (signature) database: a collection of behaviour patterns, pre-defined in the database from suspicious and malicious behaviour that has already been identified and classified. It has to be updated continuously; a pattern that is not in the database cannot be detected.

User interface: the visible part of the IDS, through which the operator interacts with the system and reviews alerts.
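The four components above fit together as a small pipeline. The following is an added example written for this page (not code from the original post): a minimal host-based IDS in Python with a collector, an analysis engine, a signature database and a print-only "user interface". The auth-log lines, the signature IDs (1001-1003) and the regular expressions are all constructed for illustration; real sshd and sudo wording varies by distribution and version, which is exactly why a signature database needs constant maintenance.

```python
"""Minimal host-based IDS: collector -> analysis engine -> signature database.

Added example, not code from the original post. The auth-log sample and the
signatures are constructed for illustration; real sshd/sudo log wording varies.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of what the collector would read from the host's auth log.
SAMPLE_AUTH_LOG = """\
Mar 10 09:12:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar 10 09:12:03 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
Mar 10 09:12:05 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar 10 09:12:06 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51015 ssh2
Mar 10 09:12:08 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar 10 09:13:40 web1 sshd[2290]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
Mar 10 09:14:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 10 09:15:00 web1 CRON[2301]: (root) CMD (run-parts /etc/cron.hourly)
"""

# syslog-style line: timestamp, hostname, free-text message
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern          # must define a 'src' group: what the count is keyed on
    threshold: int = 1           # matches from one source before an alert fires
    severity: str = "medium"


# Signature ("feature") database: pre-classified suspicious/malicious patterns.
# Hypothetical IDs and patterns, constructed for this example.
SIGNATURE_DB = [
    Signature(1001, "SSH brute force: 5+ failed logins from one IP",
              re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<src>\S+) port"),
              threshold=5, severity="high"),
    Signature(1002, "SSH login attempt for a non-existent user",
              re.compile(r"Failed password for invalid user \S+ from (?P<src>\S+)")),
    Signature(1003, "sudo used to read /etc/shadow",
              re.compile(r"sudo:\s+(?P<src>\S+) : .*COMMAND=.*/etc/shadow"),
              severity="high"),
]


def collect(raw_log):
    """Collector: parse raw log lines into the fields the engine needs, drop the rest."""
    for line in raw_log.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyse(records, signature_db=SIGNATURE_DB):
    """Analysis engine: match every record against every signature and emit alerts.

    Threshold signatures count matches per source and alert exactly once, at the
    moment the count reaches the threshold. Anything that matches no signature
    is passed over without comment, which is the blind spot of signature matching.
    """
    counts = Counter()
    alerts = []
    for rec in records:
        for sig in signature_db:
            m = sig.pattern.search(rec["msg"])
            if not m:
                continue
            src = m.group("src")
            counts[(sig.sid, src)] += 1
            if counts[(sig.sid, src)] == sig.threshold:
                alerts.append({"sid": sig.sid, "name": sig.name, "severity": sig.severity,
                               "src": src, "host": rec["host"], "time": rec["ts"]})
    return alerts


def run_hids(raw_log=SAMPLE_AUTH_LOG):
    """Wire the pipeline together: collector -> engine -> list of alerts."""
    return analyse(collect(raw_log))


if __name__ == "__main__":
    # User interface: here just a console print of each alert.
    for a in run_hids():
        print(f"[{a['severity']:>6}] sid={a['sid']} {a['time']} {a['host']} "
              f"src={a['src']}: {a['name']}")
```

On the constructed sample the engine raises three alerts: the invalid-user attempt (sid 1002) on the first failed login, the brute-force signature (sid 1001) on the fifth failure from 203.0.113.7, and the sudo read of /etc/shadow (sid 1003). The successful login for alice and the cron line match nothing and are ignored; if an attacker's activity produced only lines like those, this IDS would stay silent.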


After running host-based IDS for years, many organizations found it hard to justify the time, effort and money spent maintaining an agent and its signature database on every host. Designers therefore shifted their attention to where most malicious traffic originates: the network itself.

Network-based IDS:

A network-based IDS only inspects the traffic on the network link it is attached to and cannot see what happens inside any individual system. It has to examine every packet that crosses that segment. Its structure is very similar to that of the host-based IDS: a collector (here a packet capture on the segment), an analysis engine, and a signature database.

Network-based IDS structure

At present, the most common way to deploy a network IDS is to place the sensor behind the firewall, so that the firewall's filtering stops it from generating too many alarms. The trade-off is that a sensor behind the firewall only sees the traffic the firewall lets through: probes and attacks the firewall already dropped are never recorded, so nothing tells you how often the perimeter is being tested. A sensor in front of the firewall sees all of that, at the cost of far more alerts.
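The following added example (written for this page, not code from the original post) makes that placement trade-off concrete. It feeds the same constructed packet summaries to a sensor placed in front of the firewall and to one placed behind it, and counts what each one alerts on. The packets, the firewall policy (web from anywhere, SSH only from an assumed admin network 198.51.100.0/24) and the four signatures are all constructed for illustration.

```python
"""Effect of NIDS sensor placement relative to the firewall.

Added example, not code from the original post. Packets, firewall policy
and signatures are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Constructed traffic as captured on the perimeter link, i.e. what a sensor
# placed in front of the firewall would see.
PACKETS = [
    Packet("203.0.113.7", "192.0.2.10", 23),                       # telnet probe
    Packet("203.0.113.7", "192.0.2.10", 3389),                     # RDP probe
    Packet("203.0.113.7", "192.0.2.10", 22),                       # SSH from the internet
    Packet("203.0.113.9", "192.0.2.10", 80,
           b"GET /login.php?id=1' OR '1'='1 HTTP/1.1"),            # SQLi attempt over HTTP
    Packet("198.51.100.20", "192.0.2.10", 22),                     # SSH from the admin net
    Packet("198.51.100.44", "192.0.2.10", 443, b"\x16\x03\x01"),   # TLS client hello
    Packet("203.0.113.12", "192.0.2.10", 80, b"GET /index.html HTTP/1.1"),
]

ADMIN_NET = ip_network("198.51.100.0/24")   # assumed admin network


def firewall_allows(p):
    """Stateless perimeter policy: web from anywhere, SSH only from the admin net."""
    if p.dport in (80, 443):
        return True
    if p.dport == 22 and ip_address(p.src) in ADMIN_NET:
        return True
    return False


# Signature database: (name, predicate). Constructed, deliberately small.
SIGNATURES = [
    ("SQL injection attempt in HTTP request",
     lambda p: p.dport == 80 and b"' OR '1'='1" in p.payload),
    ("Telnet probe", lambda p: p.dport == 23),
    ("RDP probe", lambda p: p.dport == 3389),
    ("SSH from non-admin source",
     lambda p: p.dport == 22 and ip_address(p.src) not in ADMIN_NET),
]


def run_sensor(packets):
    """Analysis engine: one alert tuple per (signature, packet) match."""
    return [(name, p.src, p.dport)
            for p in packets
            for name, match in SIGNATURES if match(p)]


def compare_placements(packets=PACKETS):
    """Alerts from a sensor in front of the firewall vs. one behind it."""
    outside = run_sensor(packets)
    inside = run_sensor([p for p in packets if firewall_allows(p)])
    return outside, inside


if __name__ == "__main__":
    outside, inside = compare_placements()
    print(f"sensor in front of firewall: {len(outside)} alerts")
    for a in outside:
        print("   ", a)
    print(f"sensor behind firewall:      {len(inside)} alerts")
    for a in inside:
        print("   ", a)
```

The outside sensor raises four alerts (the telnet and RDP probes, the SSH attempt from the internet, and the SQL injection attempt); the inside sensor raises one, the SQL injection, because it is the only attack the firewall forwards. The three missing alerts are exactly the "noise" the behind-the-firewall placement is meant to suppress, and also the only evidence that the perimeter was being scanned. Many deployments therefore run one sensor on each side and tune them differently.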

IDS sensor location (figure not reproduced)

Origin: blog.csdn.net/qq_39328436/article/details/115084272