An organization's local area networks (LANs) typically communicate with a wide area network (WAN), such as the Internet. Such connections to WANs, which are typically outside the enterprise, leave the LANs vulnerable to intrusion attack.
An Intrusion Detection System (IDS) allows detection of an actual or attempted unauthorized access into an organization's computer network. Even though existing IDSs are very useful in intrusion detection, they generally suffer from false positives (i.e., generating an alert when no intrusion is actually taking place) and false negatives (i.e., failing to generate an alert even though an intrusion is underway). In addition, IDSs frequently do not provide any capability for forensic analysis once an attack is detected.
Intrusion attacks typically originate from outside an organization's network, in that they are directed into the organization's network via its “connection” to the outside world—which is typically the WAN interface. However, since existing IDSs are typically located on a LAN, the IDS sees a mixture of internal traffic, which is generally safe, and external traffic, which potentially contains intrusion attacks. Due to IDS limitations, benign internal traffic can sometimes be wrongly interpreted by the IDS as an intrusion attack, thereby resulting in a false positive.
IDSs have to process a large amount of traffic in order to uncover intrusion attacks. However, due to performance limitations, they are likely to drop some traffic. There is a reasonable probability that this “dropped traffic” contains valuable, intrusion-related information that would have caused the IDS to issue an alert. Hence, due to performance limitations, an IDS could potentially generate a false negative even while an intrusion is underway.
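The two failure modes described above can be made concrete with a small simulation. The following is an added example, not code from the original document: it assumes a constructed 10.0.0.0/8 LAN, a toy signature string, and a sensor that drops every Nth packet under load. It shows (a) a LAN-placed sensor alerting on benign internal traffic that a WAN-interface sensor would not even see, and (b) a multi-packet signature missed once one packet of the stream is dropped.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed enterprise LAN range
SIGNATURE = b"GET /cgi-bin/"                  # constructed toy signature, not a real rule

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

def is_external(pkt: Packet) -> bool:
    """True when the packet entered from outside the LAN (i.e., across the WAN interface)."""
    return ipaddress.ip_address(pkt.src) not in INTERNAL

def alerts(packets, wan_only=False):
    """Packets that match the signature. A LAN sensor inspects the mixed stream;
    a sensor on the WAN interface inspects only externally originated traffic."""
    visible = [p for p in packets if is_external(p)] if wan_only else packets
    return [p for p in visible if SIGNATURE in p.payload]

def detect_with_drops(stream, drop_every: int) -> bool:
    """Reassemble only the packets the sensor managed to keep (it drops every
    drop_every-th packet under load; 0 means no drops) and look for the signature."""
    kept = [p for i, p in enumerate(stream)
            if drop_every == 0 or (i + 1) % drop_every != 0]
    return SIGNATURE in b"".join(p.payload for p in kept)

# Constructed traffic: two internal hosts, two external hosts, one internal web server.
# The first internal packet is a legitimate use of an internal CGI application.
TRAFFIC = [
    Packet("10.0.5.20", "10.0.1.10", b"GET /cgi-bin/report.cgi HTTP/1.1"),
    Packet("10.0.5.21", "10.0.1.10", b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.9", "10.0.1.10", b"GET /cgi-bin/report.cgi?id=1 HTTP/1.1"),
    Packet("198.51.100.4", "10.0.1.10", b"GET /index.html HTTP/1.1"),
]

# Constructed external request whose signature is split across three packets.
SPLIT_STREAM = [
    Packet("203.0.113.9", "10.0.1.10", b"GET /cg"),
    Packet("203.0.113.9", "10.0.1.10", b"i-bin/rep"),
    Packet("203.0.113.9", "10.0.1.10", b"ort.cgi HTTP/1.1"),
]

if __name__ == "__main__":
    print("LAN sensor alerts:", len(alerts(TRAFFIC)))               # 2 (one false positive)
    print("WAN-interface sensor alerts:", len(alerts(TRAFFIC, True)))  # 1
    print("no drops, detected:", detect_with_drops(SPLIT_STREAM, 0))   # True
    print("every 2nd dropped, detected:", detect_with_drops(SPLIT_STREAM, 2))  # False
```

Filtering by source address is only a model of sensor placement; it says nothing about spoofed sources or insider activity, which a real deployment still has to cover separately.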
Existing IDSs are primarily focused on flagging attacks. Some IDSs provide event logs that give a limited historical view of the events that triggered an alert.