Application Protocol-based Intrusion Detection System
An application protocol-based intrusion detection system (APIDS) is an intrusion detection system that focuses its monitoring and analysis on a specific application protocol or protocols in use by the computing system.

Overview

An APIDS monitors the dynamic behavior and state of the protocol. It typically consists of a system or agent that sits between a process, or group of servers, monitoring and analyzing the application protocol between two connected devices.

A typical place for an APIDS would be between a web server and the database management system, monitoring the SQL protocol specific to the middleware/business logic as it interacts with the database.

Monitoring dynamic behavior

At a basic level an APIDS would look for, and enforce, the correct (legal) use of the protocol.

However, at a more advanced level the APIDS can learn, be taught, or even reduce what is often an infinite protocol set to an acceptable understanding of the subset of that application protocol that is used by the application being monitored/protected.

Thus, an APIDS, correctly configured, will allow an application to be "fingerprinted"; should that application be subverted or changed, so will the fingerprint change.
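The learning and fingerprinting described above, sketched for the web-server-to-database placement as an added example (not part of the original article or of any product's code): statements are reduced to literal-free shapes, the learned set of shapes is the accepted subset, and a digest of that set is the fingerprint. The class and function names, the regex-based normalization and the sample statements are assumptions made for illustration.

```python
import hashlib
import re

def normalize(sql):
    """Reduce a statement to its shape: literals become '?', case and spacing are folded."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql.strip().rstrip(";"))  # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)                     # numeric literals
    return re.sub(r"\s+", " ", s).strip().lower()

class SqlProfile:
    """The learned subset of the protocol: the statement shapes the application uses."""

    def __init__(self, training=()):
        self.shapes = {normalize(q) for q in training}

    def allows(self, sql):
        return normalize(sql) in self.shapes

    def deviations(self, statements):
        """Statements whose shape was never seen while learning."""
        return [q for q in statements if not self.allows(q)]

    def fingerprint(self):
        """Digest of the sorted shape set; it changes only when the set of shapes changes."""
        return hashlib.sha256("\n".join(sorted(self.shapes)).encode()).hexdigest()

# Constructed sample traffic between middleware and database (not from a real system).
TRAINING = [
    "SELECT name, email FROM users WHERE id = 42",
    "SELECT name, email FROM users WHERE id = 7",
    "UPDATE users SET email = 'a@example.com' WHERE id = 42",
    "INSERT INTO orders (user_id, total) VALUES (42, 19.99)",
]
OBSERVED = [
    "select name, email  from users where id = 1001;",  # same shape, new literal
    "SELECT * FROM users",                               # shape never learned
    "DROP TABLE orders",                                 # shape never learned
]

if __name__ == "__main__":
    profile = SqlProfile(TRAINING)
    print("learned shapes:", len(profile.shapes))
    print("fingerprint:", profile.fingerprint()[:16])
    for stmt in profile.deviations(OBSERVED):
        print("ALERT outside learned subset:", stmt)
```

Regex normalization is a simplification: a deployed monitor would decode the database's actual wire protocol and SQL dialect, including comments, quoted identifiers and prepared statements.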

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 