Intrusion Detection System

From Glitchdata
  • An IDS would be the next line of defence after the Firewall.
    • Placed within the network.
    • It would detect anomalies in the network/server activity and try to detect the perpetrator.
  • BEST metric for evaluating effectiveness of an intrusion detection system is the ratio of false positives to false negatives.
  • IDS can detect internal attacks as well.
    • An IDS can help pinpoint the source of an attack using properly placed agents in the internal network.
  • Not all information security incidents originate from the network; an intrusion detection system may provide no detection value for a variety of incident types.
  • The most important function of an intrusion detection system is to identify potential attacks on the network.
  • An intrusion detection system is not designed to identify patterns of suspicious logon attempts. (Use SIEM)

  • An Intrusion Detection System (IDS), shown in the figure, is either a dedicated network device, or one of several tools in a server or firewall that scans data against a database of rules or attack signatures, looking for malicious traffic. If a match is detected, the IDS will log the detection and create an alert for a network administrator. The Intrusion Detection System does not take action when a match is detected, so it does not prevent attacks from happening. The job of the IDS is merely to detect, log and report.
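As an added illustration (not code from the original page), a minimal passive signature-matching loop in Python over constructed request records: it logs and returns alerts without blocking anything, then scores the result with the false positive and false negative counts named above. The signature patterns, traffic records and ground-truth labels are all constructed for this example.

```python
import logging
import re
from dataclasses import dataclass

logging.basicConfig(level=logging.WARNING, format="IDS ALERT %(message)s")

# Constructed signature database (rule name -> pattern over the payload);
# illustrative patterns, not rules taken from any real IDS product.
SIGNATURES = {
    "sqli-union-select": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./\.\./"),
}

# Constructed traffic records: (record id, source address, request payload).
TRAFFIC = [
    ("r1", "10.0.0.5", "GET /index.html HTTP/1.1"),
    ("r2", "10.0.0.9", "GET /search?q=1 UNION SELECT password FROM users"),
    ("r3", "10.0.0.7", "GET /download?file=../../etc/passwd"),
    ("r4", "10.0.0.5", "POST /api/login user=alice"),
    ("r5", "10.0.0.3", "POST /forum body=how does UNION SELECT work in SQL?"),
    ("r6", "10.0.0.4", "GET /download?file=%2e%2e%2f%2e%2e%2fetc/passwd"),
]
# Constructed ground truth: r5 is a benign forum post that happens to contain
# the signature text; r6 is r3's traversal again, but URL-encoded.
MALICIOUS = {"r2", "r3", "r6"}

@dataclass(frozen=True)
class Alert:
    record_id: str
    src: str
    signature: str

def inspect(records):
    """Passive inspection: match each payload against the signature database,
    log every hit and return the alerts. Nothing is blocked or dropped."""
    alerts = []
    for record_id, src, payload in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                logging.warning("%s src=%s rule=%s", record_id, src, name)
                alerts.append(Alert(record_id, src, name))
    return alerts

def evaluate(alerts, truth):
    """False positives (alerted but benign) and false negatives (malicious but
    missed) against labelled ground truth, the effectiveness metric above."""
    flagged = {a.record_id for a in alerts}
    return len(flagged - truth), len(truth - flagged)
```

Running `evaluate(inspect(TRAFFIC), MALICIOUS)` gives one false positive (the forum post) and one false negative (the encoded traversal), showing why plain string signatures need normalisation of the inspected data before matching.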