Intrusion detection system

An intrusion detection system (IDS)[1] is a device or software application that monitors a network or systems
for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an
administrator or collected centrally using a security information and event management (SIEM) system. A
SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish
malicious activity from false alarms.[2]

IDS types range in scope from single computers to large networks.[3] The most common classifications are
network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). A
system that monitors important operating system files is an example of an HIDS, while a system that analyzes
incoming network traffic is an example of an NIDS. It is also possible to classify IDS by detection approach.
The most well-known variants are signature-based detection (recognizing bad patterns, such as malware) and
anomaly-based detection (detecting deviations from a model of "good" traffic, which often relies on machine
learning). Another common variant is reputation-based detection (recognizing the potential threat according to
the reputation scores). Some IDS products have the ability to respond to detected intrusions. Systems with
response capabilities are typically referred to as an intrusion prevention system.[4] Intrusion detection
systems can also serve specific purposes by augmenting them with custom tools, such as using a honeypot to
attract and characterize malicious traffic.[5]

Contents
Comparison with firewalls
Intrusion detection category
Analyzed activity
Network intrusion detection systems
Host intrusion detection systems
Detection method
Signature-based
Anomaly-based
Intrusion prevention
Classification
Detection methods
IDS Placement
Limitations
Evasion techniques
Development
Free and open source systems
See also
References
Further reading
External links
Comparison with firewalls
Although they both relate to network security, an IDS differs from a firewall in that a traditional network
firewall (distinct from a Next-Generation Firewall ) uses a static set of rules to permit or deny network
connections. It implicitly prevents intrusions, assuming an appropriate set of rules have been defined.
Essentially, firewalls limit access between networks to prevent intrusion and do not signal an attack from inside
the network. An IDS describes a suspected intrusion once it has taken place and signals an alarm. An IDS also
watches for attacks that originate from within a system. This is traditionally achieved by examining network
communications, identifying heuristics and patterns (often known as signatures) of common computer attacks,
and taking action to alert operators. A system that terminates connections is called an intrusion prevention
system, and performs access control like an application layer firewall.[6]

Intrusion detection category

IDS can be classified by where detection takes place (network or host) or the detection method that is
employed (signature or anomaly-based).[7]

Analyzed activity

Network intrusion detection systems

Network intrusion detection systems (NIDS) are placed at a strategic point or points within the network to
monitor traffic to and from all devices on the network. It performs an analysis of passing traffic on the entire
subnet, and matches the traffic that is passed on the subnets to the library of known attacks. Once an attack is
identified, or abnormal behavior is sensed, the alert can be sent to the administrator. An example of an NIDS
would be installing it on the subnet where firewalls are located in order to see if someone is trying to break into
the firewall. Ideally one would scan all inbound and outbound traffic, however doing so might create a
bottleneck that would impair the overall speed of the network. OPNET and NetSim are commonly used tools
for simulating network intrusion detection systems. NID Systems are also capable of comparing signatures for
similar packets to link and drop harmful detected packets which have a signature matching the records in the
NIDS. When we classify the design of the NIDS according to the system interactivity property, there are two
types: on-line and off-line NIDS, often referred to as inline and tap mode, respectively. On-line NIDS deals
with the network in real time. It analyses the Ethernet packets and applies some rules, to decide if it is an attack
or not. Off-line NIDS deals with stored data and passes it through some processes to decide if it is an attack or
not.

NIDS can be also combined with other technologies to increase detection and prediction rates. Artificial
Neural Network based IDS are capable of analyzing huge volumes of data, in a smart way, due to the self-
organizing structure that allows INS IDS to more efficiently recognize intrusion patterns.[8] Neural networks
assist IDS in predicting attacks by learning from mistakes; INN IDS help develop an early warning system,
based on two layers. The first layer accepts single values, while the second layer takes the first's layers output
as input; the cycle repeats and allows the system to automatically recognize new unforeseen patterns in the
network.[9] This system can average 99.9% detection and classification rate, based on research results of 24
network attacks, divided in four categories: DOS, Probe, Remote-to-Local, and user-to-root.[10]

Host intrusion detection systems

Host intrusion detection systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors
the inbound and outbound packets from the device only and will alert the user or administrator if suspicious
activity is detected. It takes a snapshot of existing system files and matches it to the previous snapshot. If the
critical system files were modified or deleted, an alert is sent to the administrator to investigate. An example of
HIDS usage can be seen on mission critical machines, which are not expected to change their
configurations.[11][12]

Detection method

Signature-based

Signature-based IDS refers to the detection of attacks by looking for specific patterns, such as byte sequences
in network traffic, or known malicious instruction sequences used by malware.[13] This terminology originates
from anti-virus software, which refers to these detected patterns as signatures. Although signature-based IDS
can easily detect known attacks, it is difficult to detect new attacks, for which no pattern is available.[14]

In Signature-based IDS, the signatures are released by a vendor for its all products. On-time updating of the
IDS with the signature is a key aspect.

Anomaly-based

Anomaly-based intrusion detection systems were primarily introduced to detect unknown attacks, in part due
to the rapid development of malware. The basic approach is to use machine learning to create a model of
trustworthy activity, and then compare new behavior against this model. Since these models can be trained
according to the applications and hardware configurations, machine learning based method has a better
generalized property in comparison to traditional signature-based IDS. Although this approach enables the
detection of previously unknown attacks, it may suffer from false positives: previously unknown legitimate
activity may also be classified as malicious. Most of the existing IDSs suffer from the time-consuming during
detection process that degrades the performance of IDSs. Efficient feature selection algorithm makes the
classification process used in detection more reliable.[15]

New types of what could be called anomaly-based intrusion detection systems are being viewed by Gartner as
User and Entity Behavior Analytics (UEBA)[16] (an evolution of the user behavior analytics category) and
network traffic analysis (NTA).[17] In particular, NTA deals with malicious insiders as well as targeted external
attacks that have compromised a user machine or account. Gartner has noted that some organizations have
opted for NTA over more traditional IDS.[18]

Intrusion prevention
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring
system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible
incidents, logging information about them, and reporting attempts. In addition, organizations use IDPS for
other purposes, such as identifying problems with security policies, documenting existing threats and deterring
individuals from violating security policies. IDPS have become a necessary addition to the security
infrastructure of nearly every organization.[19]

IDPS typically record information related to observed events, notify security administrators of important
observed events and produce reports. Many IDPS can also respond to a detected threat by attempting to
prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack
itself, changing the security environment (e.g. reconfiguring a firewall) or changing the attack's content.[19]
Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS),
are network security appliances that monitor network or system activities for malicious activity. The main
functions of intrusion prevention systems are to identify malicious activity, log information about this activity,
report it and attempt to block or stop it.[20].

Intrusion prevention systems are considered extensions of intrusion detection systems because they both
monitor network traffic and/or system activities for malicious activity. The main differences are, unlike
intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or
block intrusions that are detected.[21]:273[22]:289 IPS can take such actions as sending an alarm, dropping
detected malicious packets, resetting a connection or blocking traffic from the offending IP address.[23] An IPS
also can correct cyclic redundancy check (CRC) errors, defragment packet streams, mitigate TCP sequencing
issues, and clean up unwanted transport and network layer options.[21]:278[24].

Classification

Intrusion prevention systems can be classified into four different types:[20][25]

1. Network-based intrusion prevention system (NIPS): monitors the entire network for
suspicious traffic by analyzing protocol activity.
2. Wireless intrusion prevention system (WIPS): monitor a wireless network for suspicious
traffic by analyzing wireless networking protocols.
3. Network behavior analysis (NBA): examines network traffic to identify threats that generate
unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of
malware and policy violations.
4. Host-based intrusion prevention system (HIPS): an installed software package which
monitors a single host for suspicious activity by analyzing events occurring within that host.

Detection methods

The majority of intrusion prevention systems utilize one of three detection methods: signature-based, statistical
anomaly-based, and stateful protocol analysis.[22]:301[26]

1. Signature-based detection: Signature-based IDS monitors packets in the Network and

compares with pre-configured and pre-determined attack patterns known as signatures.
2. Statistical anomaly-based detection: An IDS which is anomaly-based will monitor network
traffic and compare it against an established baseline. The baseline will identify what is
"normal" for that network – what sort of bandwidth is generally used and what protocols are
used. It may however, raise a False Positive alarm for legitimate use of bandwidth if the
baselines are not intelligently configured.[27]
3. Stateful protocol analysis detection: This method identifies deviations of protocol states by
comparing observed events with "pre-determined profiles of generally accepted definitions of
benign activity".[22]

IDS Placement
The placement of Intrusion Detection Systems is critical and varies depending on the network. The most
common placement being behind the firewall on the edge of a network. This practice provides the IDS with
high visibility of traffic entering your network and will not receive any traffic between users on the network.
The edge of the network is the point in which a network connects to the extranet. Another practice that can be
accomplished if more resources are available is a strategy where a technician will place their first IDS at the
point of highest visibility and depending on resource availability will place another at the next highest point,
continuing that process until all points of the network are covered.[28]

If an IDS is placed beyond a network's firewall, its main purpose would be to defend against noise from the
internet but, more importantly, defend against common attacks, such as port scans and network mapper. An
IDS in this position would monitor layers 4 through 7 of the OSI model and would be signature-based. This is
a very useful practice, because rather than showing actual breaches into the network that made it through the
firewall, attempted breaches will be shown which reduces the amount of false positives. The IDS in this
position also assists in decreasing the amount of time it takes to discover successful attacks against a
network.[29]

Sometimes an IDS with more advanced features will be integrated with a firewall in order to be able to
intercept sophisticated attacks entering the network. Examples of advanced features would include multiple
security contexts in the routing level and bridging mode. All of this in turn potentially reduces cost and
operational complexity.[29]

Another option for IDS placement is within the actual network. These will reveal attacks or suspicious activity
within the network. Ignoring the security within a network can cause many problems, it will either allow users
to bring about security risks or allow an attacker who has already broken into the network to roam around
freely. Intense intranet security makes it difficult for even those hackers within the network to maneuver
around and escalate their privileges.[29]

Limitations
Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated
from software bugs, corrupt DNS data, and local packets that escaped can create a significantly
high false-alarm rate.[30]
It is not uncommon for the number of real attacks to be far below the number of false-alarms.
Number of real attacks is often so far below the number of false-alarms that the real attacks are
often missed and ignored.[30]
Many attacks are geared for specific versions of software that are usually outdated. A
constantly changing library of signatures is needed to mitigate threats. Outdated signature
databases can leave the IDS vulnerable to newer strategies.[30]
For signature-based IDS, there will be lag between a new threat discovery and its signature
being applied to the IDS. During this lag time, the IDS will be unable to identify the threat.[27]
It cannot compensate for weak identification and authentication mechanisms or for weaknesses
in network protocols. When an attacker gains access due to weak authentication mechanisms
then IDS cannot prevent the adversary from any malpractice.
Encrypted packets are not processed by most intrusion detection devices. Therefore, the
encrypted packet can allow an intrusion to the network that is undiscovered until more
significant network intrusions have occurred.
Intrusion detection software provides information based on the network address that is
associated with the IP packet that is sent into the network. This is beneficial if the network
address contained in the IP packet is accurate. However, the address that is contained in the IP
packet could be faked or scrambled.
Due to the nature of NIDS systems, and the need for them to analyse protocols as they are
captured, NIDS systems can be susceptible to the same protocol-based attacks to which
network hosts may be vulnerable. Invalid data and TCP/IP stack attacks may cause a NIDS to
crash.[31]
 The security measures on cloud computing do not consider the variation of user’s privacy
needs.[32] They provide the same security mechanism for all users no matter if users are
companies or an individual person.[32]

Evasion techniques
There are a number of techniques which attackers are using, the following are considered 'simple' measures
which can be taken to evade IDS:

Fragmentation: by sending fragmented packets, the attacker will be under the radar and can
easily bypass the detection system's ability to detect the attack signature.
Avoiding defaults: The TCP port utilised by a protocol does not always provide an indication to
the protocol which is being transported. For example, an IDS may expect to detect a trojan on
port 12345. If an attacker had reconfigured it to use a different port, the IDS may not be able to
detect the presence of the trojan.
Coordinated, low-bandwidth attacks: coordinating a scan among numerous attackers (or
agents) and allocating different ports or hosts to different attackers makes it difficult for the IDS
to correlate the captured packets and deduce that a network scan is in progress.
Address spoofing/proxying: attackers can increase the difficulty of the Security Administrators
ability to determine the source of the attack by using poorly secured or incorrectly configured
proxy servers to bounce an attack. If the source is spoofed and bounced by a server, it makes it
very difficult for IDS to detect the origin of the attack.
Pattern change evasion: IDS generally rely on 'pattern matching' to detect an attack. By
changing the data used in the attack slightly, it may be possible to evade detection. For
example, an Internet Message Access Protocol (IMAP) server may be vulnerable to a buffer
overflow, and an IDS is able to detect the attack signature of 10 common attack tools. By
modifying the payload sent by the tool, so that it does not resemble the data that the IDS
expects, it may be possible to evade detection.

Development
The earliest preliminary IDS concept was delineated in 1980 by James Anderson at the National Security
Agency and consisted of a set of tools intended to help administrators review audit trails.[33] User access logs,
file access logs, and system event logs are examples of audit trails.

Fred Cohen noted in 1987 that it is impossible to detect an intrusion in every case, and that the resources
needed to detect intrusions grow with the amount of usage.[34]

Dorothy E. Denning, assisted by Peter G. Neumann, published a model of an IDS in 1986 that formed the
basis for many systems today.[35] Her model used statistics for anomaly detection, and resulted in an early IDS
at SRI International named the Intrusion Detection Expert System (IDES), which ran on Sun workstations and
could consider both user and network level data.[36] IDES had a dual approach with a rule-based Expert
System to detect known types of intrusions plus a statistical anomaly detection component based on profiles of
users, host systems, and target systems. The author of "IDES: An Intelligent System for Detecting Intruders,"
Teresa F. Lunt, proposed adding an Artificial neural network as a third component. She said all three
components could then report to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion
Detection Expert System (NIDES).[37]

The Multics intrusion detection and alerting system (MIDAS), an expert system using P-BEST and Lisp, was
developed in 1988 based on the work of Denning and Neumann.[38] Haystack was also developed in that year
using statistics to reduce audit trails.[39]
In 1986 the National Security Agency started an IDS research transfer program under Rebecca Bace. Bace
later published the seminal text on the subject, Intrusion Detection, in 2000.[40]

Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos
National Laboratory.[41] W&S created rules based on statistical analysis, and then used those rules for
anomaly detection.

In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using inductive learning of
sequential user patterns in Common Lisp on a VAX 3500 computer.[42] The Network Security Monitor
(NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation.[43] The
Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies
including statistics, a profile checker, and an expert system.[44] ComputerWatch at AT&T Bell Labs used
statistics and rules for audit data reduction and intrusion detection.[45]

Then, in 1991, researchers at the University of California, Davis created a prototype Distributed Intrusion
Detection System (DIDS), which was also an expert system.[46] The Network Anomaly Detection and
Intrusion Reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National
Laboratory's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and
Lunt.[47] NADIR used a statistics-based anomaly detector and an expert system.

The Lawrence Berkeley National Laboratory announced Bro in 1998, which used its own rule language for
packet analysis from libpcap data.[48] Network Flight Recorder (NFR) in 1999 also used libpcap.[49]

APE was developed as a packet sniffer, also using libpcap, in November, 1998, and was renamed Snort one
month later. Snort has since become the world's largest used IDS/IPS system with over 300,000 active
users.[50] It can monitor both local systems, and remote capture points using the TZSP protocol.

The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build profiles of rules for
classifications.[51] In 2003, Yongguang Zhang and Wenke Lee argue for the importance of IDS in networks
with mobile nodes.[52]

In 2015, Viegas and his colleagues [53] proposed an anomaly-based intrusion detection engine, aiming System-
on-Chip (SoC) for applications in Internet of Things (IoT), for instance. The proposal applies machine learning
for anomaly detection, providing energy-efficiency to a Decision Tree, Naive-Bayes, and k-Nearest Neighbors
classifiers implementation in an Atom CPU and its hardware-friendly implementation in a FPGA.[54][55] In the
literature, this was the first work that implement each classifier equivalently in software and hardware and
measures its energy consumption on both. Additionally, it was the first time that was measured the energy
consumption for extracting each features used to make the network packet classification, implemented in
software and hardware.[56]

Free and open source systems

ACARM-ng
AIDE
AIEngine (software)
Fail2ban
OSSEC HIDS
Prelude Hybrid IDS
Sagan
Samhain
Snort, GPLv2+ developed by Cisco.
 Suricata
Zeek

See also
Application protocol-based intrusion detection system (APIDS)
Artificial immune system
Bypass switch
Denial-of-service attack
DNS analytics
Intrusion Detection Message Exchange Format
Protocol-based intrusion detection system (PIDS)
Real-time adaptive security
Security management
ShieldsUp
Software-defined protection

References
1. "What is an Intrusion Detection System (IDS)? | Check Point Software" (https://www.checkpoin
t.com/cyber-hub/network-security/what-is-an-intrusion-detection-system-ids/#).
2. Martellini, Maurizio; Malizia, Andrea (2017-10-30). Cyber and Chemical, Biological,
Radiological, Nuclear, Explosives Challenges: Threats and Counter Efforts (https://books.googl
e.com/books?id=klE8DwAAQBAJ&q=siem+alarm+filtering&pg=PA31). Springer.
ISBN 9783319621081.
3. Axelsson, S (2000). "Intrusion Detection Systems: A Survey and Taxonomy" (http://neuro.bstu.b
y/ai/To-dom/My_research/Paper-0-again/For-research/D-mining/Anomaly-D/Intrusion-detection/
taxonomy.pdf) (retrieved 21 May 2018)
4. Newman, Robert (2009-06-23). Computer Security: Protecting Digital Resources (https://books.
google.com/books?id=_R5ndK-i3vkC&q=%22intrusion+prevention+system%22+AND+%28rea
ction+OR+reactive%29&pg=PA266). Jones & Bartlett Learning. ISBN 9780763759940.
5. Mohammed, Mohssen; Rehman, Habib-ur (2015-12-02). Honeypots and Routers: Collecting
Internet Attacks (https://books.google.com/books?id=lPQYCwAAQBAJ&q=IDS+honeypot&pg=
PA122). CRC Press. ISBN 9781498702201.
6. Vacca, John R. (2013-08-26). Network and System Security (https://books.google.com/books?i
d=ebbwmOFWvR8C&q=%22intrusion+prevention+system%22+AND+%22application+layer+fi
rewall%22&pg=PA46). Elsevier. ISBN 9780124166950.
7. Vacca, John R. (2009-05-04). Computer and Information Security Handbook (https://books.goo
gle.com/books?id=TnE85sckwMAC&q=IDS+network+host+signature&pg=PA64). Morgan
Kaufmann. ISBN 9780080921945.
8. Garzia, Fabio; Lombardi, Mara; Ramalingam, Soodamani (2017). An integrated internet of
everything — Genetic algorithms controller — Artificial neural networks framework for
security/safety systems management and support. 2017 International Carnahan Conference on
Security Technology (ICCST). IEEE. doi:10.1109/ccst.2017.8167863 (https://doi.org/10.1109%
2Fccst.2017.8167863). ISBN 9781538615850. S2CID 19805812 (https://api.semanticscholar.o
rg/CorpusID:19805812).
 9. Vilela, Douglas W. F. L.; Lotufo, Anna Diva P.; Santos, Carlos R. (2018). Fuzzy ARTMAP
Neural Network IDS Evaluation applied for real IEEE 802.11w data base. 2018 International
Joint Conference on Neural Networks (IJCNN). IEEE. doi:10.1109/ijcnn.2018.8489217 (https://
doi.org/10.1109%2Fijcnn.2018.8489217). ISBN 9781509060146. S2CID 52987664 (https://api.
semanticscholar.org/CorpusID:52987664).
10. Dias, L. P.; Cerqueira, J. J. F.; Assis, K. D. R.; Almeida, R. C. (2017). Using artificial neural
network in intrusion detection systems to computer networks. 2017 9th Computer Science and
Electronic Engineering (CEEC). IEEE. doi:10.1109/ceec.2017.8101615 (https://doi.org/10.110
9%2Fceec.2017.8101615). ISBN 9781538630075. S2CID 24107983 (https://api.semanticschol
ar.org/CorpusID:24107983).
11. Inc, IDG Network World (2003-09-15). Network World (https://books.google.com/books?id=6Bg
EAAAAMBAJ&q=host+IDS+%22mission+critical%22&pg=PT30). IDG Network World Inc.
12. Groom, Frank M.; Groom, Kevin; Jones, Stephan S. (2016-08-19). Network and Data Security
for Non-Engineers (https://books.google.com/books?id=3iiLDQAAQBAJ&q=hids+%22mission+
critical%22&pg=PT118). CRC Press. ISBN 9781315350219.
13. Brandon Lokesak (December 4, 2008). "A Comparison Between Signature Based and
Anomaly Based Intrusion Detection Systems" (http://www.iup.edu/WorkArea/DownloadAsset.a
spx?id=81109) (PPT). www.iup.edu.
14. Douligeris, Christos; Serpanos, Dimitrios N. (2007-02-09). Network Security: Current Status
and Future Directions (https://books.google.com/books?id=dHys9OXMFMIC&q=signature+IDS
+disadvantage&pg=PA86). John Wiley & Sons. ISBN 9780470099735.
15. Rowayda, A. Sadek; M Sami, Soliman; Hagar, S Elsayed (November 2013). "Effective anomaly
intrusion detection system based on neural network with indicator variable and rough set
reduction". International Journal of Computer Science Issues (IJCSI). 10 (6).
16. "Gartner report: Market Guide for User and Entity Behavior Analytics" (https://www.gartner.com/
doc/3134524?ref=SiteSearch&sthkw=avivah%20litan&fnl=search&srcId=1-3478922254).
September 2015.
17. "Gartner: Hype Cycle for Infrastructure Protection, 2016" (https://www.gartner.com/doc/336741
7?ref=SiteSearch&sthkw=hype%20cycle%20for%20infrastructure&fnl=search&srcId=1-347892
2254).
18. "Gartner: Defining Intrusion Detection and Prevention Systems" (https://www.gartner.com/doc/3
449317?ref=SiteSearch&sthkw=intrusion%20detection&fnl=search&srcId=1-3478922254).
Retrieved 2016-09-20.
19. Scarfone, Karen; Mell, Peter (February 2007). "Guide to Intrusion Detection and Prevention
Systems (IDPS)" (https://web.archive.org/web/20100601171625/http://csrc.ncsl.nist.gov/publica
tions/nistpubs/800-94/SP800-94.pdf) (PDF). Computer Security Resource Center (800–94).
Archived from the original (http://csrc.ncsl.nist.gov/publications/nistpubs/800-94/SP800-94.pdf)
(PDF) on 1 June 2010. Retrieved 1 January 2010.
20. "NIST – Guide to Intrusion Detection and Prevention Systems (IDPS)" (http://csrc.nist.gov/publi
cations/nistpubs/800-94/SP800-94.pdf) (PDF). February 2007. Retrieved 2010-06-25.
21. Robert C. Newman (19 February 2009). Computer Security: Protecting Digital Resources (http
s://books.google.com/books?id=RgSBGXKXuzsC). Jones & Bartlett Learning. ISBN 978-0-
7637-5994-0. Retrieved 25 June 2010.
22. Michael E. Whitman; Herbert J. Mattord (2009). Principles of Information Security (https://books.
google.com/books?id=gPonBssSm0kC). Cengage Learning EMEA. ISBN 978-1-4239-0177-8.
Retrieved 25 June 2010.
23. Tim Boyles (2010). CCNA Security Study Guide: Exam 640-553 (https://books.google.com/boo
ks?id=AHzAcvHWbx4C&pg=PA249). John Wiley and Sons. p. 249. ISBN 978-0-470-52767-2.
Retrieved 29 June 2010.
24. Harold F. Tipton; Micki Krause (2007). Information Security Management Handbook (https://boo
ks.google.com/books?id=B0Lwc6ZEQhcC&pg=PA1000). CRC Press. p. 1000. ISBN 978-1-
4200-1358-0. Retrieved 29 June 2010.
25. John R. Vacca (2010). Managing Information Security (https://books.google.com/books?id=uw
Kkb-kpmksC&pg=PA137). Syngress. p. 137. ISBN 978-1-59749-533-2. Retrieved 29 June
2010.
26. Engin Kirda; Somesh Jha; Davide Balzarotti (2009). Recent Advances in Intrusion Detection:
12th International Symposium, RAID 2009, Saint-Malo, France, September 23–25, 2009,
Proceedings (https://books.google.com/books?id=DVuQbKQM3UwC&pg=PA162). Springer.
p. 162. ISBN 978-3-642-04341-3. Retrieved 29 June 2010.
27. nitin.; Mattord, verma (2008). Principles of Information Security (https://archive.org/details/princi
plesofinfo0000whit/page/290). Course Technology. pp. 290–301 (https://archive.org/details/prin
ciplesofinfo0000whit/page/290). ISBN 978-1-4239-0177-8.
28. "IDS Best Practices" (https://cybersecurity.att.com/resource-center/videos/ids-best-practices).
cybersecurity.att.com. Retrieved 2020-06-26.
29. Richardson, Stephen (2020-02-24). "IDS Placement - CCIE Security" (https://www.ccexpert.us/
ccie-security/ids-placement.html). Cisco Certified Expert. Retrieved 2020-06-26.
30. Anderson, Ross (2001). Security Engineering: A Guide to Building Dependable Distributed
Systems (https://archive.org/details/securityengineer00ande/page/387). New York: John Wiley
& Sons. pp. 387–388 (https://archive.org/details/securityengineer00ande/page/387). ISBN 978-
0-471-38922-4.
31. http://www.giac.org/paper/gsec/235/limitations-network-intrusion-detection/100739
32. Hawedi, Mohamed; Talhi, Chamseddine; Boucheneb, Hanifa (2018-09-01). "Multi-tenant
intrusion detection system for public cloud (MTIDS)" (https://dx.doi.org/10.1007/s11227-018-25
72-6). The Journal of Supercomputing. 74 (10): 5199–5230. doi:10.1007/s11227-018-2572-6 (h
ttps://doi.org/10.1007%2Fs11227-018-2572-6). ISSN 0920-8542 (https://www.worldcat.org/issn/
0920-8542). S2CID 52272540 (https://api.semanticscholar.org/CorpusID:52272540).
33. Anderson, James P., "Computer Security Threat Monitoring and Surveillance," Washing, PA,
James P. Anderson Co., 1980.
34. David M. Chess; Steve R. White (2000). "An Undetectable Computer Virus". Proceedings of
Virus Bulletin Conference. CiteSeerX 10.1.1.25.1508 (https://citeseerx.ist.psu.edu/viewdoc/sum
mary?doi=10.1.1.25.1508).
35. Denning, Dorothy E., "An Intrusion Detection Model," Proceedings of the Seventh IEEE
Symposium on Security and Privacy, May 1986, pages 119–131
36. Lunt, Teresa F., "IDES: An Intelligent System for Detecting Intruders," Proceedings of the
Symposium on Computer Security; Threats, and Countermeasures; Rome, Italy, November 22–
23, 1990, pages 110–121.
37. Lunt, Teresa F., "Detecting Intruders in Computer Systems," 1993 Conference on Auditing and
Computer Technology, SRI International
38. Sebring, Michael M., and Whitehurst, R. Alan., "Expert Systems in Intrusion Detection: A Case
Study," The 11th National Computer Security Conference, October, 1988
39. Smaha, Stephen E., "Haystack: An Intrusion Detection System," The Fourth Aerospace
Computer Security Applications Conference, Orlando, FL, December, 1988
40. McGraw, Gary (May 2007). "Silver Bullet Talks with Becky Bace" (https://web.archive.org/web/2
0170419191922/https://www.cigital.com/silver-bullet-files/shows/silverbullet-012-bbace.pdf)
(PDF). IEEE Security & Privacy Magazine. 5 (3): 6–9. doi:10.1109/MSP.2007.70 (https://doi.org/
10.1109%2FMSP.2007.70). Archived from the original (https://www.cigital.com/silver-bullet-file
s/shows/silverbullet-012-bbace.pdf) (PDF) on 19 April 2017. Retrieved 18 April 2017.
41. Vaccaro, H.S., and Liepins, G.E., "Detection of Anomalous Computer Session Activity," The
1989 IEEE Symposium on Security and Privacy, May, 1989
42. Teng, Henry S., Chen, Kaihu, and Lu, Stephen C-Y, "Adaptive Real-time Anomaly Detection
Using Inductively Generated Sequential Patterns," 1990 IEEE Symposium on Security and
Privacy
43. Heberlein, L. Todd, Dias, Gihan V., Levitt, Karl N., Mukherjee, Biswanath, Wood, Jeff, and
Wolber, David, "A Network Security Monitor," 1990 Symposium on Research in Security and
Privacy, Oakland, CA, pages 296–304
44. Winkeler, J.R., "A UNIX Prototype for Intrusion and Anomaly Detection in Secure Networks,"
The Thirteenth National Computer Security Conference, Washington, DC., pages 115–124,
1990
45. Dowell, Cheri, and Ramstedt, Paul, "The ComputerWatch Data Reduction Tool," Proceedings
of the 13th National Computer Security Conference, Washington, D.C., 1990
46. Snapp, Steven R, Brentano, James, Dias, Gihan V., Goan, Terrance L., Heberlein, L. Todd, Ho,
Che-Lin, Levitt, Karl N., Mukherjee, Biswanath, Smaha, Stephen E., Grance, Tim, Teal, Daniel
M. and Mansur, Doug, "DIDS (Distributed Intrusion Detection System) -- Motivation,
Architecture, and An Early Prototype," The 14th National Computer Security Conference,
October, 1991, pages 167–176.
47. Jackson, Kathleen, DuBois, David H., and Stallings, Cathy A., "A Phased Approach to Network
Intrusion Detection," 14th National Computing Security Conference, 1991
48. Paxson, Vern, "Bro: A System for Detecting Network Intruders in Real-Time," Proceedings of
the 7th USENIX Security Symposium, San Antonio, TX, 1998
49. Amoroso, Edward, "Intrusion Detection: An Introduction to Internet Surveillance, Correlation,
Trace Back, Traps, and Response," Intrusion.Net Books, Sparta, New Jersey, 1999, ISBN 0-
9666700-7-8
50. Kohlenberg, Toby (Ed.), Alder, Raven, Carter, Dr. Everett F. (Skip), Jr., Esler, Joel., Foster,
James C., Jonkman Marty, Raffael, and Poor, Mike, "Snort IDS and IPS Toolkit," Syngress,
2007, ISBN 978-1-59749-099-3
51. Barbara, Daniel, Couto, Julia, Jajodia, Sushil, Popyack, Leonard, and Wu, Ningning, "ADAM:
Detecting Intrusions by Data Mining," Proceedings of the IEEE Workshop on Information
Assurance and Security, West Point, NY, June 5–6, 2001
52. Intrusion Detection Techniques for Mobile Wireless Networks, ACM WINET 2003
<http://www.cc.gatech.edu/~wenke/papers/winet03.pdf>
53. Viegas, E.; Santin, A. O.; Fran?a, A.; Jasinski, R.; Pedroni, V. A.; Oliveira, L. S. (2017-01-01).
"Towards an Energy-Efficient Anomaly-Based Intrusion Detection Engine for Embedded
Systems". IEEE Transactions on Computers. 66 (1): 163–177. doi:10.1109/TC.2016.2560839
(https://doi.org/10.1109%2FTC.2016.2560839). ISSN 0018-9340 (https://www.worldcat.org/iss
n/0018-9340). S2CID 20595406 (https://api.semanticscholar.org/CorpusID:20595406).
54. França, A. L.; Jasinski, R.; Cemin, P.; Pedroni, V. A.; Santin, A. O. (2015-05-01). The energy
cost of network security: A hardware vs. software comparison. 2015 IEEE International
Symposium on Circuits and Systems (ISCAS). pp. 81–84. doi:10.1109/ISCAS.2015.7168575
(https://doi.org/10.1109%2FISCAS.2015.7168575). ISBN 978-1-4799-8391-9. S2CID 6590312
(https://api.semanticscholar.org/CorpusID:6590312).
55. França, A. L. P. d; Jasinski, R. P.; Pedroni, V. A.; Santin, A. O. (2014-07-01). Moving Network
Protection from Software to Hardware: An Energy Efficiency Analysis. 2014 IEEE Computer
Society Annual Symposium on VLSI. pp. 456–461. doi:10.1109/ISVLSI.2014.89 (https://doi.org/
10.1109%2FISVLSI.2014.89). ISBN 978-1-4799-3765-3. S2CID 12284444 (https://api.semanti
cscholar.org/CorpusID:12284444).
56. "Towards an Energy-Efficient Anomaly-Based Intrusion Detection Engine for Embedded
Systems" (https://secplab.ppgia.pucpr.br/files/papers/2016-1.pdf) (PDF). SecPLab.

This article incorporates public domain material from the National Institute of Standards and Technology
document: Karen Scarfone, Peter Mell. "Guide to Intrusion Detection and Prevention Systems, SP800-94" (htt
p://csrc.ncsl.nist.gov/publications/nistpubs/800-94/SP800-94.pdf) (PDF). Retrieved 1 January 2010.

Further reading
 Bace, Rebecca Gurley (2000). Intrusion Detection (https://archive.org/details/intrusiondetecti00r
ebe). Indianapolis, IN: Macmillan Technical. ISBN 978-1578701858.
Bezroukov, Nikolai (11 December 2008). "Architectural Issues of Intrusion Detection
Infrastructure in Large Enterprises (Revision 0.82)" (http://www.softpanorama.org/Articles/archit
ectural_issues_of_intrusion_detection_infrastructure.shtml). Softpanorama. Retrieved 30 July
2010.
P.M. Mafra and J.S. Fraga and A.O. Santin (2014). "Algorithms for a distributed IDS in
MANETs" (https://doi.org/10.1016%2Fj.jcss.2013.06.011). Journal of Computer and System
Sciences. 80 (3): 554–570. doi:10.1016/j.jcss.2013.06.011 (https://doi.org/10.1016%2Fj.jcss.20
13.06.011).
Hansen, James V.; Benjamin Lowry, Paul; Meservy, Rayman; McDonald, Dan (2007). "Genetic
programming for prevention of cyberterrorism through dynamic and evolving intrusion
detection". Decision Support Systems (DSS). 43 (4): 1362–1374.
doi:10.1016/j.dss.2006.04.004 (https://doi.org/10.1016%2Fj.dss.2006.04.004). SSRN 877981
(https://ssrn.com/abstract=877981).
Scarfone, Karen; Mell, Peter (February 2007). "Guide to Intrusion Detection and Prevention
Systems (IDPS)" (https://web.archive.org/web/20100601171625/http://csrc.ncsl.nist.gov/publica
tions/nistpubs/800-94/SP800-94.pdf) (PDF). Computer Security Resource Center (800–94).
Archived from the original (http://csrc.ncsl.nist.gov/publications/nistpubs/800-94/SP800-94.pdf)
(PDF) on 1 June 2010. Retrieved 1 January 2010.
Saranya, J.; Padmavathi, G. (2015). "A Brief Study on Different Intrusions and Machine
Learning-based Anomaly Detection Methods in Wireless Sensor Networks" (http://ijana.in/pape
rs/V6I4-10.pdf) (PDF). Avinashilingam Institute for Home Science and Higher Education for
Women. 6 (4). Retrieved 4 April 2015.
Singh, Abhishek. "Evasions In Intrusion Prevention Detection Systems" (http://www.virusbtn.co
m/virusbulletin/archive/2010/04/vb201004-evasions-in-IPS-IDS). Virus Bulletin. Retrieved
1 April 2010.

External links
Intrusion Detection Systems (https://curlie.org/Computers/Security/Intrusion_Detection_System
s) at Curlie
Common vulnerabilities and exposures (CVE) by product (https://web.archive.org/web/201607
02013752/http://cve.mitre.org/compatible/product.html)
NIST SP 800-83, Guide to Malware Incident Prevention and Handling (http://csrc.nist.gov/publi
cations/nistpubs/index.html)
NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS) (http://csrc.nist.g
ov/publications/nistpubs/index.html)
Study by Gartner "Magic Quadrant for Network Intrusion Prevention System Appliances" (http://
www.gartner.com/DisplayDocument?doc_cd=208628)

Retrieved from "https://en.wikipedia.org/w/index.php?title=Intrusion_detection_system&oldid=1010631534"

This page was last edited on 6 March 2021, at 13:49 (UTC).

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this
site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia
Foundation, Inc., a non-profit organization.