An agent-based intrusion detection system (IDS) operates on the host system and has direct access to host resources, which can lead to heightened system performance impact. In contrast, a network-based IDS monitors network traffic for suspicious activity at the network level, rather than on individual host systems, which is generally less intrusive to system performance while still maintaining security monitoring capabilities. Port scanners and vulnerability scanners are tools used for identifying potential vulnerabilities and are not typically deployed continuously, thus not the best options for ongoing traffic monitoring and malware protection.