Learn about Intrusion Detection Systems

Desirable Features of IDS

"IDS must be able to adapt to changes and recognize 'normal' behavior."


Over the past decade, the field of IDS has been driven into overdrive by the explosive proliferation of personal and server-based computers. Today, the typical corporate network infrastructure is extremely complex, multi-layered and fast. The need to protect data and services across remote locations is a top priority, and many corporations are depending on IDS to play a major role in that protection.

The ultimate goal of an IDS is to identify all intrusive behavior within an environment and to report that behavior in a timely manner. However, for an IDS to succeed in today's complex environments, several further characteristics are needed.

An effective IDS should be able to:

- run continually with minimal human supervision

- withstand an attack and continue functioning

- monitor itself and resist local intrusion

- use minimal resources

- adapt and recognize "normal" behavior

In addition, given the advancements in network architectures discussed earlier, the following characteristics are vital to the applicability of an IDS in an enterprise environment as well:

- Scalability: An IDS must be able to function in large (and fast) network architectures.

- Low rate of false-positive alerts: A false positive is essentially a false alarm, an alert raised for activity that was not actually intrusive.

- No false negatives: A false negative is an instance in which the network or system was under attack but the IDS did not identify the activity as intrusive, so no alert was raised.

- Tolerance of some anomalous events without flagging an emergency alert: This doesn't mean an IDS should allow truly malicious behavior, but it should be flexible and smart enough to allow for the occasional user mistake or communication blip.
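To make the last three criteria concrete, here is an added example (not from the original page) that scores two alerting policies against a constructed event trace: a naive policy that alerts on every anomaly, and a tolerant one that lets isolated blips pass but alerts once anomalies cluster. The event times, ground-truth labels, the `k`/`window` parameters and the attack shapes are all made up for illustration.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: int           # seconds since start of the trace (constructed)
    anomalous: bool  # what the sensor flagged
    attack: bool     # ground truth, known only to the evaluator

def make_trace(blips, attack_times):
    """Constructed 120-second trace: isolated benign blips plus labelled attack seconds."""
    return [Event(t, anomalous=(t in blips or t in attack_times), attack=(t in attack_times))
            for t in range(120)]

# Two benign blips (a user typo, a network hiccup) and a sustained five-second attack.
TRACE = make_trace(blips={10, 55}, attack_times=set(range(100, 105)))
# Same blips, but a slow attack that probes only once every 15 seconds.
SLOW_TRACE = make_trace(blips={10, 55}, attack_times={70, 85, 100, 115})

def alert_every_anomaly(events):
    """Naive policy: every anomalous event raises an emergency alert."""
    return {e.t for e in events if e.anomalous}

def alert_on_cluster(events, k=3, window=10):
    """Tolerant policy: alert only once k anomalies fall within `window` seconds,
    so an occasional blip passes without an emergency alert."""
    recent, alerts = deque(), set()
    for e in events:
        if not e.anomalous:
            continue
        recent.append(e.t)
        while e.t - recent[0] > window:   # drop anomalies that aged out of the window
            recent.popleft()
        if len(recent) >= k:
            alerts.add(e.t)
    return alerts

def score(events, alerts):
    """False positives: alerts with no attack behind them. The attack is a false negative
    if no alert fired while it was underway; otherwise report how late the first alert came."""
    fp = sum(1 for e in events if e.t in alerts and not e.attack)
    attack = [e.t for e in events if e.attack]
    hits = [t for t in attack if t in alerts]
    delay = hits[0] - attack[0] if hits else None
    return {"false_positives": fp, "attack_detected": bool(hits), "detection_delay": delay}

if __name__ == "__main__":
    for name, policy in (("every anomaly", alert_every_anomaly), ("cluster", alert_on_cluster)):
        print(name, score(TRACE, policy(TRACE)), score(SLOW_TRACE, policy(SLOW_TRACE)))
```

The tolerant policy removes both false alarms on the first trace at the cost of a two-second detection delay, but it misses the slow attack entirely, which is exactly the tension between the false-positive and false-negative requirements above.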

The desired characteristics above are achieved to varying degrees by the different IDS models. As we shall see in the later sections, some IDS models are better at achieving these goals than others.


IDStutorial.com, Copyright © 2007 - 2010 All Rights Reserved. Copying content from this website is strictly not allowed and will be pursued by legal channels when found. The information on this site is the opinions of the author, it is not guaranteed to be correct, and is to be used for information purposes only.