HIDS

Advantages:
• HIDS can check the behaviour of end-to-end encrypted communications.
• No extra hardware required.
• Detects intrusions by checking the host's file system, system calls or network events.
• Every packet is reassembled.
• Looks at the entire item, not streams only.

Disadvantages:
• Delays in reporting attacks.
• Consumes host resources.
• Needs to be installed on each host.
• It can monitor attacks only on the machine where it is installed.

Data sources:
• Audit records, log files, Application Program Interface (API), rule patterns, system calls.
NIDS

Advantages:
• Detects attacks by checking network packets.
• Not required to be installed on each host.
• Can monitor several hosts at the same time.
• Capable of detecting the broadest range of network protocols.

Disadvantages:
• Challenge is to identify attacks in encrypted traffic.
• Dedicated hardware is required.
• It supports only identification of network attacks.
• Difficult to analyse high-speed networks.
• The most serious threat is the insider attack.

Data sources:
• Simple Network Management Protocol (SNMP)
• Network packets (TCP/UDP/ICMP)
• Management Information Base (MIB)
• Router NetFlow records
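Router NetFlow records, the last data source above, carry only connection metadata (addresses, ports, protocol, byte counts), so a NIDS rule built on them keeps working when payloads are encrypted and scales better than full packet inspection on a high-speed link. The script below is an added example, not from the paper: it constructs a small set of NetFlow-style records (all addresses and counts are made up) and flags a source that reaches an unusually large number of distinct destination ports, a common metadata-only detection.

```python
"""Flow-record fan-out detector (added example, not from the paper)."""
from __future__ import annotations

from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    """One NetFlow-style record: no payload, metadata only."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int


def constructed_flows() -> list[Flow]:
    """Constructed sample records: ordinary traffic plus one host touching many ports."""
    flows = [
        Flow("10.0.0.5", "10.0.0.20", 443, "TCP", 20100),
        Flow("10.0.0.5", "10.0.0.21", 443, "TCP", 8800),
        Flow("10.0.0.6", "10.0.0.20", 22, "TCP", 5400),
        Flow("10.0.0.6", "10.0.0.53", 53, "UDP", 120),
    ]
    # 10.0.0.9 opens tiny flows to 25 different ports on the same host
    for port in range(1, 26):
        flows.append(Flow("10.0.0.9", "10.0.0.20", port, "TCP", 60))
    return flows


def distinct_targets(flows: list[Flow]) -> dict[str, set[tuple[str, int]]]:
    """Group the distinct (dst_ip, dst_port) pairs contacted by each source address."""
    targets: dict[str, set[tuple[str, int]]] = defaultdict(set)
    for f in flows:
        targets[f.src_ip].add((f.dst_ip, f.dst_port))
    return targets


def flag_high_fanout(flows: list[Flow], threshold: int = 10) -> dict[str, int]:
    """Return sources whose distinct-target count meets the threshold, with that count."""
    return {src: len(t) for src, t in distinct_targets(flows).items()
            if len(t) >= threshold}


if __name__ == "__main__":
    for src, count in flag_high_fanout(constructed_flows()).items():
        print(f"{src}: {count} distinct targets")
```

The threshold is a tuning knob: too low and ordinary clients such as DNS resolvers trip it, too high and slow probes slip under it. Because the rule never inspects a payload it cannot tell what was sent, which is the flip side of the encrypted-traffic limitation noted above.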