In general, there are both network-based and host-based IDSs. A network-based IDS could conceivably be considered a network-based malware detection system, but it would have a wider scope.
When we say malware detection, we generally need an agent on host machine. The agent needs to analyze the processes running on host, memory maps, systemcalls, etc. E.g- malware bytes. malware detection is difficult just based on network traffic alone. You can also call it host based Intrusion detection.
A network based Intrusion detection system on the other hand analyses traffic inbound and outbound on network interfaces, and can be running ouside the VM for which you want to conduct Intrusion Detection e.g. NIDS like listening to network traffic on interface of more than one VM.
Both network and host based intrusion detection systems have their short comings, e.g- if the host is compromised, attacker can disable host based malware/ intrusion detection agent. On the other hand Network based intrusion detection system is not able to provide fine grained analysis of malicious activities on each host since it listens only inbound-outbound traffic on each VM.
Both NIDS and Host based IDS (HIDS) can further be classified into singature based detection agents (having well defined signatures for type of attacks like - DDoS, NTP amlification attack etc) and anomaly based detection agent (detection of intrusion based on traffic pattern or machine learning algorithms).
Both signature and anomaly based detection have their shortcomings as well. Signature based detection cannot identify all possible variants of attacks whereas anomaly based detection mechanism generally have high false positive rate.
it depends on from which aspect you look at it...but technology moving too fast, today you say it is separate, tomorrow it become 2 in 1...
Categorically speaking, the two are different. I must mention though that network based malware detection is not as common a technology/concept as Intrusion detection systems. I think this is partly due to the fact that network based malware detection assumes that the adversary is malware, but this is far from the truth in practicality. Robust and resilient threat models consider both human and software (malware) as threat actors. Consider the case of APTs, an explicit network based malware detection system can never be sufficient. What is common though is host-based malware detection which is usually differentiated from network based intrusion detection. Intrusion detection, though a generic term, is usually used to refer to network based intrusion detection in computer security.
- Badges
- Science topic
- Similar topics
- Computer Science and Engineering
- Artificial Intelligence