Intrusion Detection System

• An IDS would be the next line of defence after the Firewall.
  • Placed within the network.
  • It would detect anomalies in the network/server activity and try to detect the perpetrator.
• BEST metric for evaluating effectiveness of an intrusion detection system is the ratio of false positives to false negatives.
• IDS can detect internal attacks as well.
  • An IDS can help pinpoint the source of an attack using properly placed agents in the internal network.
• Not all information security incidents originate from the network; an intrusion detection system may provide no detection value for a variety of incident types.
• The most important function of an intrusion detection system is to identify potential attacks on the network.
• An intrusion detection system is not designed to identify patterns of suspicious logon attempts. (Use SIEM)

• An Intrusion Detection System (IDS), shown in the figure, is either a dedicated network device, or one of several tools in a server or firewall that scans data against a database of rules or attack signatures, looking for malicious traffic. If a match is detected, the

IDS will log the detection, and create an alert for a network administrator. The Intrusion Detection System does not take action when a match is detected so it does not prevent attacks from happening. The job of the IDS is merely to detect, log and report.

• IDS Features
• IDS Architecture
• IDS Usage
  • IDS Tuning
• IDS Technology

Links

• https://en.wikipedia.org/wiki/Intrusion_detection_system

Related

• Intrusion Detection System
• Intrusion Prevention System