Intrusion Detection System
- An IDS is the next line of defence after the firewall.
- Placed within the network.
- It detects anomalies in network/server activity and tries to identify the perpetrator.
- BEST metric for evaluating effectiveness of an intrusion detection system is the ratio of false positives to false negatives.
- IDS can detect internal attacks as well.
- An IDS can help pinpoint the source of an attack using properly placed agents in the internal network.
- Not all information security incidents originate from the network; an intrusion detection system may provide no detection value for a variety of incident types.
- The most important function of an intrusion detection system is to identify potential attacks on the network.
- An intrusion detection system is not designed to identify patterns of suspicious logon attempts. (Use SIEM)
- An Intrusion Detection System (IDS), shown in the figure, is either a dedicated network device, or one of several tools in a server or firewall that scans data against a database of rules or attack signatures, looking for malicious traffic. If a match is detected, the IDS will log the detection and create an alert for a network administrator. The Intrusion Detection System does not take action when a match is detected, so it does not prevent attacks from happening. The job of the IDS is merely to detect, log and report.
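As an added example (not part of these notes, and not any real IDS product's code), the following Python sketch shows the behaviour the notes describe: a rule database of attack signatures, a scan of traffic records that logs and alerts on a match but passes every record through unchanged (detect, log, report; never block), and an evaluation that computes the false-positive to false-negative ratio from labelled sample traffic. The signatures, IP addresses and HTTP requests are constructed for illustration; the one encoded request that no signature matches shows the kind of incident a signature IDS provides no detection value for.

```python
"""Toy signature-based IDS: detect, log and report only. Added example with
constructed rules and traffic; not a real product's signature set."""
import logging
import re
from dataclasses import dataclass

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("ids")


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern  # applied to the request payload


# Constructed rule database (hypothetical signatures, not vendor rules).
SIGNATURES = [
    Signature(1001, "SQLi tautology in parameter", re.compile(r"(?i)'\s*or\s+1\s*=\s*1")),
    Signature(1002, "Path traversal", re.compile(r"\.\./\.\./")),
    Signature(1003, "Shell command in parameter", re.compile(r"[;&|]\s*(cat|wget|curl)\s")),
]

# Constructed sample traffic with ground-truth labels for evaluation.
TRAFFIC = [
    {"id": 1, "src": "10.0.0.5", "dst": "10.0.0.20", "malicious": False,
     "payload": "GET /index.html HTTP/1.1"},
    {"id": 2, "src": "10.0.0.7", "dst": "10.0.0.20", "malicious": True,
     "payload": "GET /login?user=admin' OR 1=1-- HTTP/1.1"},
    {"id": 3, "src": "10.0.0.7", "dst": "10.0.0.20", "malicious": True,
     "payload": "GET /files?name=../../etc/passwd HTTP/1.1"},
    {"id": 4, "src": "10.0.0.9", "dst": "10.0.0.20", "malicious": False,
     "payload": "POST /forum body=I said 'or 1=1 is a tautology' HTTP/1.1"},
    {"id": 5, "src": "10.0.0.7", "dst": "10.0.0.20", "malicious": True,
     "payload": "GET /admin?cmd=ping%20127.0.0.1 HTTP/1.1"},  # not in the rule DB
    {"id": 6, "src": "10.0.0.5", "dst": "10.0.0.20", "malicious": False,
     "payload": "GET /img/logo.png HTTP/1.1"},
]


@dataclass(frozen=True)
class Alert:
    record_id: int
    sid: int
    name: str
    src: str
    dst: str


def inspect(records):
    """Scan every record against every signature. Returns the alerts raised;
    the records themselves are never dropped or modified (IDS, not IPS)."""
    alerts = []
    for rec in records:
        for sig in SIGNATURES:
            if sig.pattern.search(rec["payload"]):
                alert = Alert(rec["id"], sig.sid, sig.name, rec["src"], rec["dst"])
                # Log the detection and report it for an administrator to act on.
                log.warning("ALERT sid=%d %s %s -> %s (record %d)",
                            alert.sid, alert.name, alert.src, alert.dst, alert.record_id)
                alerts.append(alert)
    return alerts


def evaluate(records, alerts):
    """Compare alerts with the ground-truth labels and return
    (false_positives, false_negatives, fp_to_fn_ratio); ratio is None if FN == 0."""
    flagged = {a.record_id for a in alerts}
    fp = sum(1 for r in records if r["id"] in flagged and not r["malicious"])
    fn = sum(1 for r in records if r["id"] not in flagged and r["malicious"])
    return fp, fn, (fp / fn if fn else None)


if __name__ == "__main__":
    found = inspect(TRAFFIC)
    print("false positives, false negatives, ratio:", evaluate(TRAFFIC, found))
```

Record 4 is benign forum text that happens to contain the SQL-injection pattern (a false positive), and record 5 is a malicious request outside the rule database (a false negative); on this sample the ratio is 1.0. In practice the same structure is used to tune a rule set: widen a signature and false negatives fall while false positives rise, and the ratio tracks that trade-off.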