Network Intrusion Detection Systems (NIDS) are designed to differentiate malicious traffic, from normal traf- fic, on a network system to detect the presence of an attack. Traditionally, the approach around which these systems are designed is based upon an assumption made by Dorothy Denning in 1987, stating that malicious traffic should be statistically differentiable from normal traffic. However, this statement was made regarding host systems and was not meant to be extended without adjustment to network systems. It is therefore necessary to change the granularity of this approach to find statistical anomalies per host as well as on the network as a whole. This approach lends itself well to the use of emergent monitoring agents per host, that have a central aggregation point with a visualization of the network as a whole. This chapter will discuss the structure, training, and deployment of such an agent-based intrusion detection system and analyze its viability in comparison to the more traditional anomaly-based approach to intrusion detection.
Intrusion Detection Systems (IDSs) take many forms and approaches to detection and possibly prevention or recovery, ranging from open source applications such as Snort to extremely expensive dedicated appliances such as Cisco IDS. The fundamental characteristic that defines the two major types of intrusion detection systems is the granularity of the observation: namely, the two types are host-based systems and network-based systems. Both types share many characteristics along with the same fundamental goals but implement them in very different ways.