nvh_ids_2
October 2, 1998
Introduction
Most traditional intrusion detection systems (IDS) take either a network- or a host-based
approach to recognizing and deflecting attacks. In either case, these products look for attack
signatures, specific patterns that usually indicate malicious or suspicious intent. When an IDS
looks for these patterns in network traffic, it is network-based. When an IDS looks for attack
signatures in log files, it is host-based. Each approach has its strengths and weaknesses, and
each is complementary to the other. A truly effective intrusion detection system will employ both
technologies. This paper discusses the differences in host- and network-based intrusion detection
techniques to demonstrate how the two can work together to provide more effective
intrusion detection and protection.