Myth # 1

IDS can handle network attacks automatically

No. An IDS can only assist a human being in investigating and detecting potential network attacks under way on the network. It still relies on the network administrator to handle the suspicious incidents.

Myth # 2

Network-based IDS can effectively monitor all network traffic of the network segment under investigation.

No. As modern networks grow ever faster in bandwidth (Ethernet has moved from 10 Mb/s to, on some networks, 1000 Mb/s), it is very unlikely that an ordinary network tap can capture all network packets for analysis. Failing to do so means abnormal traffic patterns can be overlooked.

Myth # 3

No Alarm means there is no intrusion

No. An IDS can certainly fail to detect intrusion activities, for the following reasons:

1) It fails to capture ALL network traffic (Myth #2)

2) It fails to recognize the suspicious traffic pattern (because the pattern file lacks the corresponding signature)

This phenomenon is a “False Negative” (an actual intrusion that goes undetected).

Myth # 4

If there is alarm, there must be intrusions.

No. Like most other detection devices, an IDS can produce “False Positives”: it signals an intrusion when in fact there is none. An IDS can be too sensitive, flagging network patterns that are unrelated to attacks.
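The three failure modes above (dropped packets, a missing signature, an over-sensitive signature) can be measured against labelled traffic. The following is an added example, not from the original article: the traffic, labels and signatures are constructed for illustration, and the tap that keeps only a fixed number of events is a stand-in for a capture that cannot keep up with line rate.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Event:
    payload: str
    malicious: bool   # ground-truth label, constructed for this example

# Constructed sample traffic (not real captures), labelled with ground truth.
TRAFFIC = [
    Event("GET /index.html", False),
    Event("GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd", True),
    Event("POST /search q=union", False),            # harmless word, trips a loose rule
    Event("GET /admin/login?user=' OR 1=1 --", True),
    Event("SELECT name FROM users WHERE id=1", False),  # benign query seen in a report
    Event("GET /..%2f..%2fetc/passwd", True),       # no signature for this one (Myth #3)
]

# Constructed signature file: substring rules keyed by name.
SIGNATURES = {
    "phf-cgi": "/cgi-bin/phf",
    "sql-union": "union",          # deliberately loose: matches the bare word (Myth #4)
    "sql-tautology": "OR 1=1",
}

def capture(events, budget):
    """Model a tap that can only keep `budget` events; the rest are dropped (Myth #2)."""
    return events[:budget]

def detect(events, signatures):
    """Flag an event when any signature appears in its payload (case-insensitive)."""
    return [any(sig.lower() in e.payload.lower() for sig in signatures.values())
            for e in events]

def evaluate(events, budget, signatures):
    """Return TP/FP/FN/TN counts; attacks lost by the tap still count as misses."""
    seen = capture(events, budget)
    counts = Counter()
    for e, flagged in zip(seen, detect(seen, signatures)):
        if e.malicious:
            counts["TP" if flagged else "FN"] += 1
        else:
            counts["FP" if flagged else "TN"] += 1
    counts["FN"] += sum(e.malicious for e in events[budget:])
    return dict(counts)

if __name__ == "__main__":
    print("full capture :", evaluate(TRAFFIC, len(TRAFFIC), SIGNATURES))
    print("tap keeps 4  :", evaluate(TRAFFIC, 4, SIGNATURES))
```

Tightening the loose rule (for example requiring "union select") removes the false positive, while the traversal attack stays a false negative until a signature for it exists.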

Related Topics: IDS, Intrusion Detection System, Myths of IDS, Network Misuse, False Positive, False Negative