A protocol-based intrusion detection system (PIDS) is an

intrusion detection system An intrusion detection system (IDS; also intrusion prevention system or IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically rep ...

which is typically installed on a web server, and is used in the monitoring and analysis of the

protocol Protocol may refer to: Sociology and politics * Protocol (politics), a formal agreement between nation states * Protocol (diplomacy), the etiquette of diplomacy and affairs of state * Etiquette, a code of personal behavior Science and technolog ...

in use by the computing system. A PIDS will monitor the dynamic behavior and state of the protocol and will typically consist of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication between a connected device and the system it is protecting. A typical use for a PIDS would be at the front end of a web server monitoring the

HTTP The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide We ...

(or

HTTPS Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is enc ...

) stream. Because it understands the HTTP relative to the web server/system it is trying to protect it can offer greater protection than less in-depth techniques such as filtering by

IP address An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...

port number In computer networking, a port is a number assigned to uniquely identify a connection endpoint and to direct data to a specific service. At the software level, within an operating system, a port is a logical construct that identifies a specific ...

alone, however this greater protection comes at the cost of increased computing on the web server. Where HTTPS is in use then this system would need to reside in the "shim" or interface between where HTTPS is un-encrypted and immediately prior to it entering the Web

presentation layer In the seven-layer OSI model of computer networking, the presentation layer is layer 6 and serves as the data translator for the network. It is sometimes called the syntax layer. Description Within the service layering semantics of the OSI netw ...

Monitoring dynamic behavior

At a basic level a PIDS would look for, and enforce, the correct use of the protocol. At a more advanced level the PIDS can learn or be taught acceptable constructs of the protocol, and thus better detect anomalous behavior.

Monitoring dynamic behavior

See also