University of Babylon

Information Technology Collage

Intrusion Detection Systems subject
Third stage

INTRUSION DETECTION
SYSTEM TYPES HIDS, NIDS,
PIDS AND APIDS

Assistant Lecturer : Mohsen Basem Aljazaery

Intrusion Detection System Types HIDS, NIDS, PIDS and APIDS

1. Host Intrusion Detection System (HIDS)

Definition and Purpose

A Host Intrusion Detection System (HIDS) is a security mechanism installed directly on an

individual host (e.g., a computer, server, or endpoint). Unlike network-based IDS, which monitors
traffic across a network, HIDS focuses on the activities of a specific machine. The primary goal
of HIDS is to detect unauthorized access, malicious behavior, or policy violations at the host
level. It tracks file modifications, system calls, login attempts, and network connections.

Software and Hardware Resources

Software: HIDS is typically built on lightweight software installed on a host machine. The most
popular HIDS solutions include:

1. Open Source HIDS SECurity (OSSEC): An open-source, multi-platform host-based

intrusion detection system capable of detecting file integrity changes, rootkit detection, and
system logs analysis.
2. Advanced Intrusion Detection Environment (AIDE): an open-source tool that monitors file
integrity and checks system files for unauthorized modifications.
3. Tripwire: One of the most well-known commercial solutions for host integrity monitoring.

Hardware: HIDS requires minimal hardware resources because it runs on individual machines.
The system resources depend on the host configuration, such as:

1. CPU: HIDS software typically uses small processing power.

2. Memory: HIDS solutions often consume modest memory resources, especially when
monitoring a limited set of processes.
3. Storage: Storage requirements increase with the size of logs and data for auditing.

2
Intrusion Detection System Types HIDS, NIDS, PIDS and APIDS

Attack Detection
HIDS is primarily used when securing individual endpoints or critical machines is essential. It
is especially effective in detecting insider threats, privilege escalation attempts, and file
integrity breaches. HIDS can also help monitor administrative access and ensure compliance
with security policies. Standard attack detection methods include:

1. File Integrity Checking: Monitoring file system changes, identifying any unauthorized or
malicious alterations to system files.
2. Log Analysis: This involves analyzing system logs for suspicious activity, such as failed
login attempts, privilege escalation, and unauthorized access.
3. Rootkit Detection: Identifying hidden processes or files designed to evade detection by
traditional anti-virus software.

Famous Real-World Attacks and Damage Costs

Real-world attacks such as the Stuxnet worm demonstrate the importance of HIDS. Stuxnet
exploited vulnerabilities in industrial control systems, and its discovery emphasized the necessity
of detecting malware at the host level. The attack caused significant damage to Iran’s nuclear
program, with costs reaching $10 million for damage control and remediation.
Another example is the Equifax Data Breach of 2017, in which attackers gained unauthorized
access to sensitive data through unpatched vulnerabilities. HIDS could have helped detect the
breach earlier, saving $1.4 billion in breach-related costs.

Developer Salary
The demand for HIDS developers is growing in parallel with cybersecurity threats. Salaries for
HIDS developers vary based on geographical location, experience, and skillset:

1. In the U.S., the average salary for a HIDS developer is around $95,000–$120,000
annually.
2. In Europe, the average salary falls between €60,000–€80,000.

3
Intrusion Detection System Types HIDS, NIDS, PIDS and APIDS

3. In regions like India, salaries range from ₹6,00,000–₹10,00,000.

2. Network-Based Intrusion Detection System (NIDS)

Definition and Purpose

A Network-Based Intrusion Detection System (NIDS) monitors network traffic to detect
suspicious or unauthorized activities, typically in real-time. Unlike HIDS, which is focused on a
single host, NIDS provides network-wide surveillance, detecting external threats or attacks that
traverse network boundaries.

Software and Hardware Resources

Software: NIDS software must be able to capture and analyze large volumes of network traffic.
Popular NIDS software includes:

1. Snort is one of the most widely used open-source NIDS that analyzes network packets in
real-time and detects various attacks.
2. Suricata: Another open-source NIDS with high-performance capabilities, providing deep
packet inspection, traffic analysis, and application-layer protocol analysis.
3. Bro (Zeek) is a powerful network monitoring tool designed for security monitoring and
network traffic analysis.

Hardware: NIDS relies heavily on network hardware such as:

1. Dedicated Sensors: These devices are installed in network segments to capture and
monitor traffic. They may include specialized hardware for packet inspection and data
processing. Sample Cisco Firepower Threat Sensor and Suricata IDS/IPS sensor.
2. High-Throughput Network Interfaces: NIDS must handle large volumes of data, requiring
high-speed network interfaces and ample bandwidth to avoid packet loss. Intel Ethernet
Network Adapter X710 this adapter supports up to 40 Gbps throughput, Solarflare X2522
ultra-low latency and high-throughput environments, supporting 100 Gbps speeds,

4
Intrusion Detection System Types HIDS, NIDS, PIDS and APIDS

Mellanox ConnectX-6, and A high-performance network interface card (NIC) that

supports speeds of up to 200 Gbps.
3. Storage: NIDS systems may require significant storage for capturing and storing packet
data and logs.

Attack Detection
NIDS is ideal for environments where monitoring network traffic and identifying external threats
is critical. It is commonly deployed in enterprise networks, cloud environments, and data centers.
NIDS typically detects attacks such as:

1. DDoS (Distributed Denial of Service): NIDS can identify large volumes of traffic
generated by botnets.
2. Port Scanning: NIDS can detect when a host is probing various ports to find open
vulnerabilities.
3. Exploits: Detection of traffic patterns indicative of attempts to exploit vulnerabilities such
as buffer overflows.

Famous Real-world Attacks and Damage Costs

The 2016 Dyn DDoS attack is a prominent example of an attack that could have been mitigated
with effective NIDS. The attack, which used the Mirai botnet, disrupted major websites like
Twitter, Netflix, and Spotify. The financial damages from downtime and service disruptions
reached $110 million. Similarly, the Heartbleed vulnerability in the OpenSSL library affected
millions of servers. While a NIDS could have detected unusual network traffic associated with
the exploit, the breach ultimately cost the industry an estimated $500 million in damage control
and patching efforts.

5
Intrusion Detection System Types HIDS, NIDS, PIDS and APIDS

Developer Salary
The growing sophistication of NIDS solutions has led to a high demand for developers skilled
in network monitoring and packet analysis. Network security developers typically earn:

1. In the U.S., the average salary ranges from $100,000–$130,000 annually.

2. In Europe, it ranges between €65,000–€95,000.
3. In India, the salary is typically between ₹8,00,000–₹15,00,000.

3. Protocol-Based Intrusion Detection System (PIDS)

Definition and Purpose

Protocol-based intrusion Detection Systems (PIDS) analyze communication protocols used in a
network. They ensure the protocols are used correctly and according to predefined standards.
PIDS also checks for deviations from expected protocol behavior, which could indicate an
attack. Wireshark is a network protocol analyzer that can help identify protocol anomalies and
security issues. OpenDPI: A protocol detection tool that analyzes network traffic using Deep
Packet Inspection (DPI).

Software and Hardware Resources

Software: PIDS is generally implemented in software that can decode and understand the
protocols in use, such as:

1. Security Onion – A comprehensive security monitoring system that includes Zeek,

Suricata, and Snort.
2. Argus – A real-time network flow monitoring tool for protocol anomaly detection.

6
Intrusion Detection System Types HIDS, NIDS, PIDS and APIDS

Hardware: PIDS typically does not require specialized hardware beyond what is needed for
general network monitoring these are dedicated hardware appliances optimized for protocol
analysis:

1. Cisco Firepower Series – A next-gen IDS/IPS with deep protocol inspection and
advanced threat detection.
2. Palo Alto Networks PA-Series – Analyzes protocols such as HTTP, SSL, DNS, and SSH
for security threats.
3. Fortinet FortiGate with IPS Module – Detects protocol-based attacks, including SQL
injections and DNS tunneling.

Attack Detection
PIDS is particularly effective in detecting:

1. Protocol Anomalies: Any deviations from expected behavior in protocols such as HTTP,
FTP, and DNS can indicate an attack.
2. Man-in-the-Middle (MITM) Attacks: PIDS can detect unauthorized manipulation of
protocol data during transmission.
3. Protocol Spoofing: Attempts to impersonate a legitimate communication protocol can be
caught by PIDS.

Famous Real-World Attacks and Damage Costs

A notable attack that could be mitigated by PIDS is the DNS Spoofing Attack. In this attack,
malicious actors alter DNS responses to redirect users to fraudulent websites. The damage caused
by such attacks is often hard to quantify but can lead to severe financial losses, reputation damage,
and data breaches.

7
Intrusion Detection System Types HIDS, NIDS, PIDS and APIDS

Developer Salary
The salaries for developers working on PIDS solutions are similar to those of NIDS developers:

1. In the U.S., salaries range from $95,000–$125,000 annually.

2. In Europe, salaries fall between €60,000–€85,000.
3. In India, developers can expect to earn between ₹7,00,000–₹12,00,000 annually.

4. Application Protocol-Based Intrusion Detection System (APIDS)

Definition and Purpose

Application Protocol-Based Intrusion Detection Systems (APIDS) analyze application-layer
protocols such as HTTP, SMTP, and FTP. They are designed to detect attacks that target
vulnerabilities in these protocols or exploits that misuse them.

Software and Hardware Resources

Software: APIDS is implemented in specialized software capable of analyzing application
traffic, including:

1. Mod Security: An open-source WAF (Web Application Firewall) that can detect and
prevent attacks targeting web applications.
2. W3AF: A framework for finding and exploiting web application vulnerabilities.
3. Arachni: Another open-source security scanner focused on web applications.

Hardware: Like other IDS types, APIDS relies on standard network hardware but may require
additional resources to process high volumes of application-layer traffic.

1. Web and Application Security Appliances

 F5 Advanced WAF Protects web applications by inspecting HTTP/S traffic.

 Fortinet FortiWeb Web application firewall with built-in APIDS features.
 Radware AppWall Detects and prevents application-layer attacks.

8
Intrusion Detection System Types HIDS, NIDS, PIDS and APIDS

2. Database Security Appliances

 Imperva SecureSphere Hardware appliance for real-time database traffic monitoring.

 McAfee Database Security Offers deep visibility into database queries and transactions.

3. DNS Security Appliances

 Cisco Umbrella Protects against DNS-based threats like phishing and tunneling.
 BlueCat DNS Security Monitors DNS traffic to prevent malicious activity.

Attack Detection
APIDS is primarily used for:

1. SQL Injection: Detecting malicious input designed to exploit SQL vulnerabilities in

applications.
2. Cross-Site Scripting (XSS): Detecting scripts injected into websites to execute malicious
actions on user browsers.
3. Buffer Overflow Attacks: Identifying attempts to overflow application buffers to execute
arbitrary code.

Famous Real-World Attacks and Damage Costs

The 2009 SQL Injection Attack on Heartland Payment Systems is one of the most notable attacks
that could have been detected by an APIDS. The breach exposed over 130 million credit card
numbers and cost the company $140 million in damages.

9
Intrusion Detection System Types HIDS, NIDS, PIDS and APIDS

Developer Salary
APIDS development requires strong expertise in web application security. Developers working
in this area earn:

1. In the U.S., the salary ranges from $100,000–$135,000 annually.

2. In Europe, the range is €65,000–€90,000.
3. In India, developers earn between ₹8,00,000–₹14,00,000.

10