What Is a Network Intrusion Detection System?
A network intrusion detection system (NIDS) is a combination of software and hardware that watches network traffic for behaviour that endangers computer systems, such as probing for vulnerability information, causing denial of service, or gaining control of systems beyond what the user is authorised to do. [1]
- A network intrusion detection system usually consists of three necessary functional components: an information source, an analysis engine, and a response component.
- Information source: collects data from the monitored network or system (packets, flows, logs) and feeds it to the analysis engine.
- Analysis engine: applies statistical models or rules to the collected data to find possible intrusions, and passes the resulting events to the response component.
- Response component: acts on the output of the analysis engine, usually through automated mechanisms such as notifying system administrators, terminating the intruder's connections, and recording information about the intrusion. [1]
- The main functions of a NIDS include:
- (1) Monitoring and analysing the activities of users and systems.
- (2) Verification
- Advantages of network-based detection:
- (1) It can detect attacks arriving over the network as well as access that exceeds a user's authorisation.
- (2) It requires no change to the configuration of hosts such as servers, and does not affect their performance, because this detection technology will not
- Disadvantages of network-based detection:
- (1) The false positive and false negative rates are high. The detection methods commonly used by an intrusion detection system (IDS) are signature detection, anomaly detection, stateful detection, and protocol analysis, and each has shortcomings. Technically, an IDS therefore has no sound, mature method for identifying large-scale combined and distributed intrusions. False positives and false negatives are both serious: users are often drowned in a flood of alerts and miss the one that matters.
- (2) It has no active defence capability. An IDS works from preset signatures and feature analysis, so updates to its detection rules always lag behind changes in attack methods.
- (3) It lacks accurate attribution and handling mechanisms. An IDS sees only the source IP address of an attack; it cannot tell where that address is physically located or who is actually behind the traffic (addresses may be spoofed or relayed). When it does detect an attack, its only coarse remedy is to close a few ports at the network egress or on servers, which also cuts off legitimate users; it lacks a finer-grained response mechanism.
- (4) Performance is generally insufficient. Most IDS products on the market use signature detection, and such products no longer keep up with switched networks and high-bandwidth environments. Under a traffic burst or a flood of IP fragments the sensor may drop packets or stall outright, which an attacker can exploit as a denial of service against the IDS itself. [1]
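The following example, added here and not part of the original article or any product it describes, wires the three components above (information source, analysis engine, response component) into a minimal pipeline in Python, and then uses the same pipeline to show the false-negative problem from disadvantage (1): a per-packet signature check catches a traversal string carried in one packet but misses the identical attack split across two packets, while a stream-reassembling engine catches both. The IP addresses, the traffic records, the single signature, and the scan threshold are all constructed for illustration.

```python
"""Toy three-component NIDS over constructed traffic (added example, not a real product)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    detail: str


# Information source: constructed sample traffic standing in for a capture feed.
SAMPLE_TRAFFIC = [
    # A sweep of 11 distinct ports from one source (hypothetical addresses).
    *[Packet("10.0.0.5", "192.168.1.10", p)
      for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080)],
    # Path traversal carried in a single packet.
    Packet("10.0.0.7", "192.168.1.10", 80, b"GET /../../etc/passwd HTTP/1.1"),
    # The same attack split across two packets: a per-packet signature misses it.
    Packet("10.0.0.8", "192.168.1.10", 80, b"GET /../../etc/pa"),
    Packet("10.0.0.8", "192.168.1.10", 80, b"sswd HTTP/1.1"),
    # Benign TLS handshake bytes.
    Packet("10.0.0.9", "192.168.1.10", 443, b"\x16\x03\x01"),
]

# Signature rules (byte patterns) and one statistical rule (distinct-port threshold).
SIGNATURES = {"path-traversal": b"/etc/passwd"}
SCAN_THRESHOLD = 10  # hypothetical: distinct destination ports from one source


def analysis_engine(packets, reassemble=False):
    """Apply signature and statistical rules; return a list of Alert events.

    reassemble=False checks each packet's payload on its own.
    reassemble=True concatenates payloads per (src, dst, dport) first,
    so a signature straddling a packet boundary is still found.
    """
    alerts = []
    ports_by_src = defaultdict(set)
    streams = defaultdict(bytes)

    for pkt in packets:
        ports_by_src[pkt.src].add(pkt.dport)
        if reassemble:
            streams[(pkt.src, pkt.dst, pkt.dport)] += pkt.payload
        else:
            for name, sig in SIGNATURES.items():
                if sig in pkt.payload:
                    alerts.append(Alert(name, pkt.src, pkt.payload.decode(errors="replace")))

    if reassemble:
        for (src, _dst, _dport), data in streams.items():
            for name, sig in SIGNATURES.items():
                if sig in data:
                    alerts.append(Alert(name, src, data.decode(errors="replace")))

    # Statistical rule: many distinct ports from one source looks like a scan.
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_THRESHOLD:
            alerts.append(Alert("port-scan", src, f"{len(ports)} distinct ports"))
    return alerts


def response_component(alerts):
    """Notify on every alert; add scanning sources to a block list."""
    notifications = [f"[{a.rule}] {a.src}: {a.detail}" for a in alerts]
    blocked = {a.src for a in alerts if a.rule == "port-scan"}
    return notifications, blocked


def run_pipeline(packets=SAMPLE_TRAFFIC, reassemble=False):
    """Information source -> analysis engine -> response component."""
    alerts = analysis_engine(packets, reassemble=reassemble)
    notifications, blocked = response_component(alerts)
    return {(a.rule, a.src) for a in alerts}, notifications, blocked


if __name__ == "__main__":
    for mode in (False, True):
        hits, notes, blocked = run_pipeline(reassemble=mode)
        print(f"reassemble={mode}: {sorted(hits)} blocked={sorted(blocked)}")
```

Run it and compare the two passes: without reassembly the engine reports the scan from 10.0.0.5 and the traversal from 10.0.0.7 but stays silent on 10.0.0.8, which is exactly the signature-evasion false negative the article warns about; with reassembly 10.0.0.8 is reported too. Note that even the corrected engine is purely reactive, as disadvantage (2) states: it can only match what `SIGNATURES` already contains.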