Changes


Intrusion Detection Systems

8 bytes added, 15:35, 17 July 2009
no edit summary
* ''Host-based IDS'' - A host-based IDS monitors the activity on individual systems with a view to identifying unauthorized or suspicious activity taking place on the operating system.
* ''Network-based IDS'' - A network-based IDS is solely concerned with the activity taking place on a network (or more specifically, the segment of a network on which it is operating).
An IDS also falls into either ''Knowledge-based'' or ''Behavior-based'' categories:
* ''Knowledge-based'' - Includes a database of ''signatures'' known to be associated with malicious or unauthorized activity. A knowledge-based IDS compares activity data against the signature database and responds when a match is identified.
* ''Behavior-based'' - Monitors for deviations from the normal operation of systems or networks based on knowledge gathered over time of the normal usage patterns of users and systems.
Regardless of the type of IDS there are a few common components that typically constitute an IDS:
* ''Traffic Collector'' - The component responsible for gathering activity and event data for analysis. On a host-based IDS this will typically include metrics such as inbound and outbound traffic and activity recorded by the operating system in log and audit files. A network-based IDS will pull data off a segment of a network for analysis.
* ''Analysis Engine'' - The analysis engine is responsible for analyzing the data gathered by the traffic collector. In the case of a ''knowledge-based'' IDS the data will be compared against a ''signature database''. A ''behavior-based'' IDS, on the other hand, will compare it against baseline behavior information gathered over time to see if the current behavior deviates from the norm.
* ''Signature Database'' - Used in ''knowledge-based'' systems, the signature database contains a collection of signatures known to be associated with known suspicious and malicious activities. It could be said that a knowledge-based IDS is only as good as its database.
* ''Management and Reporting Interface'' - A management interface providing a mechanism by which system administrators may manage the system and receive alerts when intrusions are detected.
== Host-based Intrusion Detection Systems (HIDS) ==
A host-based IDS might, for example, look for anomalies such as multiple failed login attempts, logins occurring at unusual times and access to system files not usually accessed by users.
Host-based intrusion detection systems have a number of strengths and weaknesses.
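The components listed above (traffic collector, analysis engine, signature database, reporting) and the host-based anomalies just mentioned can be shown in one small pipeline. The following is an added example, not code from the original article: it parses constructed audit log lines, applies a knowledge-based check against a constructed signature database, and applies a behavior-based check against an assumed baseline (logins normally between 08:00 and 18:00, at most three failed logins per source). The log format, signatures and baseline values are all assumptions made for the example.

```python
"""Toy host-based IDS: collector, signature database and behavior baseline,
run over constructed audit log lines (added example, not the article's code)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines in a simplified syslog-like format.
SAMPLE_LOG = """\
2009-07-17T09:05:12 sshd: Accepted password for alice from 10.0.0.5
2009-07-17T03:12:40 sshd: Failed password for root from 10.0.0.99
2009-07-17T03:12:43 sshd: Failed password for root from 10.0.0.99
2009-07-17T03:12:47 sshd: Failed password for root from 10.0.0.99
2009-07-17T03:12:50 sshd: Failed password for root from 10.0.0.99
2009-07-17T03:13:01 sshd: Accepted password for root from 10.0.0.99
2009-07-17T03:13:20 audit: user root opened /etc/shadow
2009-07-17T10:22:05 sshd: Accepted password for bob from 10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+): (?P<msg>.*)$")


def collect(raw):
    """Traffic collector: parse raw log text into event dicts with a datetime."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


# Knowledge-based: signature database of patterns treated as suspicious
# (constructed entries for this example).
SIGNATURES = {
    "sensitive-file-access": re.compile(r"opened /etc/shadow"),
    "root-password-login": re.compile(r"Accepted password for root"),
}


def knowledge_based(events):
    """Match every event message against the signature database."""
    alerts = []
    for ev in events:
        for name, pat in SIGNATURES.items():
            if pat.search(ev["msg"]):
                alerts.append((name, ev["ts"].isoformat()))
    return alerts


# Behavior-based: baseline assumed to have been learned over time; here it is
# hard-coded as normal login hours and a failed-login threshold per source.
BASELINE_HOURS = range(8, 18)
MAX_FAILED_PER_SOURCE = 3


def behavior_based(events):
    """Flag deviations from the baseline: excessive failures, off-hours logins."""
    alerts = []
    failures = Counter()
    for ev in events:
        msg = ev["msg"]
        m = re.search(r"Failed password for \w+ from (\S+)", msg)
        if m:
            failures[m.group(1)] += 1
            # Alert once, when the threshold is first exceeded.
            if failures[m.group(1)] == MAX_FAILED_PER_SOURCE + 1:
                alerts.append(("excessive-failed-logins", m.group(1)))
        if msg.startswith("Accepted password") and ev["ts"].hour not in BASELINE_HOURS:
            user = re.search(r"for (\w+)", msg).group(1)
            alerts.append(("login-at-unusual-hour", user))
    return alerts


def analyze(raw):
    """Analysis engine: run both detectors and hand alerts to the reporting interface."""
    events = collect(raw)
    return {"knowledge": knowledge_based(events), "behavior": behavior_based(events)}


if __name__ == "__main__":
    # Minimal reporting interface: print one line per alert.
    for kind, alerts in analyze(SAMPLE_LOG).items():
        for alert in alerts:
            print(f"[{kind}] {alert[0]}: {alert[1]}")
```

Note that the knowledge-based detector fires only on what is already in its database, while the behavior-based detector fires on the burst of failures and the 03:13 login without needing a specific signature, which is the trade-off the two categories above describe.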
== Strengths of Host-based Intrusion Detection Systems ==
* '''Decrypted Data Monitoring''' - Because malicious network traffic is more often than not encrypted it is often missed by network-based IDSs. Because host-based systems examine data after it has been decrypted by the operating system and network stack, they are better placed to identify malicious activity.
* '''Non-Network Based Attacks''' - While many attacks are initiated via the network it is also common for attacks to be performed directly at the system by disgruntled or dishonest employees. The advantage of a host-based IDS over a network-based IDS is that it is capable of identifying suspicious activity taking place at the physical machine (i.e. the keyboard and mouse attached to the computer).
== Weaknesses of Host-based Intrusion Detection Systems ==
* ''String signatures'' - Matches strings contained in the payload of network packets against strings known to be present in malicious code.
A network-based IDS will typically only pick up packets traveling in the network segment to which it is attached. NIDS are generally placed between an internal network and the firewall, ensuring that all inbound and outbound traffic is monitored. In addition, if the network-based IDS software is installed on a computer it is vital that the computer be equipped with a network interface card (NIC) which supports promiscuous mode so that it is able to capture all network packets, not just those destined for its own IP address.
As with host-based intrusion detection systems, network-based systems have inherent strengths and weaknesses.
== Strengths of Network-based Intrusion Detection Systems ==
* '''Real-time Detection''' - Network-based systems track and analyze traffic in real-time enabling attacks to be stopped while they are still in progress.
* '''Cross-platform Protection''' - Because network-based intrusion detection systems focus solely on network traffic they are completely operating system agnostic. The typical NIDS neither knows, nor cares, what operating systems the computers on a network are running. All it cares about is the network traffic passing between them.
* '''Big Picture View''' - The typical NIDS (assuming it has been carefully placed in a network) has a "big picture" view of what is happening on a network and as such can see patterns that identify, for example, how widespread an attack is on a network.
== Weaknesses of Network-based Intrusion Detection Systems ==
* '''Unable to Monitor Encrypted Traffic''' - Unfortunately much traffic these days is encrypted and, as such, is impervious to analysis by a network-based IDS.
* '''Potential Blind Spots''' - An IDS can only detect attacks that pass through the segment of network to which it is attached. If the suspicious traffic is traveling on a different section of the network it will not be detected by the NIDS.
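The string-signature method described in the NIDS section and the encrypted-traffic weakness just listed can be illustrated together. The following is an added example, not code from the original article: it holds a constructed signature database of byte strings, checks each constructed packet payload for them, and includes the same payload once in clear text and once after a stand-in "encryption" (a plain XOR used only so the bytes no longer match; a real cipher would have the same effect on the matcher). The signature strings, addresses and packet contents are all constructed placeholders; the traffic collector (the promiscuous-mode capture) is assumed and not shown.

```python
"""Toy string-signature matcher for a network-based IDS over constructed
packet payloads (added example, not the article's code)."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed signature database: byte strings assumed to occur in some known
# malicious payload. The values are placeholders for this example.
SIGNATURE_DB = {
    "EXAMPLE-SIG-1": b"CONSTRUCTED-BAD-PATTERN",
    "EXAMPLE-SIG-2": b"another-placeholder-marker",
}


def encrypt_stub(plain, key=0x5A):
    """Stand-in for real encryption: XOR every byte so no signature is visible."""
    return bytes(b ^ key for b in plain)


# Constructed traffic on the monitored segment: a clean packet, a packet carrying
# a signature in clear text, and the same payload after the encryption stand-in.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.1", b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.99", "10.0.0.1", b"POST /upload CONSTRUCTED-BAD-PATTERN rest"),
    Packet("10.0.0.99", "10.0.0.2",
           encrypt_stub(b"POST /upload CONSTRUCTED-BAD-PATTERN rest")),
]


def match_signatures(packet, db=SIGNATURE_DB):
    """Return the names of every signature whose byte string occurs in the payload."""
    return [name for name, sig in db.items() if sig in packet.payload]


def inspect(packets, db=SIGNATURE_DB):
    """Analysis engine: one alert tuple (index, src, dst, signature) per match."""
    alerts = []
    for i, pkt in enumerate(packets):
        for name in match_signatures(pkt, db):
            alerts.append((i, pkt.src, pkt.dst, name))
    return alerts


if __name__ == "__main__":
    # Minimal reporting interface: print one line per alert.
    for idx, src, dst, name in inspect(SAMPLE_PACKETS):
        print(f"packet {idx} {src}->{dst}: matched {name}")
```

Only the clear-text packet produces an alert; the third packet carries the same content but, because the signature is matched on raw payload bytes, the encrypted copy passes unnoticed, which is exactly the blind spot a host-based IDS avoids by inspecting data after decryption.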