Modern computerized systems all over the world are often threatened by intrusive attacks. Some attacks are targeted at a specific computer or network for a specific purpose, such as causing targeted damage or collecting specific information. Other attacks, however, are more general and are targeted at a wide range of computers, networks and users.
Intrusion detection systems are constantly attempting to detect intrusive attacks and generate alerts whenever an intrusive attack is identified.
Typical intrusion detection systems are signature-based, protocol-analysis-based, or both. Such systems typically include a subset of: port assignment, port following, protocol tunneling detection, protocol analysis, Transmission Control Protocol (TCP) reassembly, flow assembly, statistical threshold analysis, pattern matching and the like.
One typical problem associated with attack detection relates to the tradeoff between collecting and analyzing a large amount of information, which requires considerable effort and may also generate many false positive alerts, and collecting a smaller amount of information, which may miss attacks and be subject to false negative indications.
False negative situations may therefore occur if the intrusion detection is too tolerant, in which case it may miss malicious attacks and prove ineffective. Too strict detection, on the other hand, may identify legitimate activities as suspicious, activate prevention measures and disturb the normal work flow of a system, a user, or an organization. Too strict detection and prevention may also consume more resources, such as computing time, computing power and storage, for collecting the information and processing it.
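The tradeoff described above can be made concrete with a statistical threshold detector of the kind listed among the typical components. The following is an added illustration and is not part of the original text: it counts the distinct destination ports each source address touches in a constructed set of connection records (the addresses, ports and the label of which source is malicious are all made up for the example) and raises an alert once the count reaches a threshold. Sweeping the threshold shows a strict setting flagging a legitimate administrator as well as the scanner (a false positive), a tolerant setting missing the scanner (a false negative), and an intermediate setting catching only the scanner.

```python
from collections import defaultdict

# Constructed connection records: (source address, destination port).
# 192.168.1.20 is a legitimate administrator reaching several services,
# 192.168.1.21 is an ordinary web client, and 10.0.0.9 probes a range of ports.
EVENTS = [
    ("192.168.1.20", 22), ("192.168.1.20", 80), ("192.168.1.20", 443),
    ("192.168.1.20", 3389), ("192.168.1.20", 5900), ("192.168.1.20", 8080),
    ("192.168.1.21", 80), ("192.168.1.21", 443), ("192.168.1.21", 443),
] + [("10.0.0.9", port) for port in range(21, 33)]  # 12 distinct ports

# Ground truth for the constructed sample: only one source is actually hostile.
TRUE_MALICIOUS = {"10.0.0.9"}


def distinct_ports_per_source(events):
    """Return {source: number of distinct destination ports contacted}."""
    ports = defaultdict(set)
    for src, port in events:
        ports[src].add(port)
    return {src: len(p) for src, p in ports.items()}


def detect(events, threshold):
    """Statistical threshold rule: alert on sources touching >= threshold distinct ports."""
    counts = distinct_ports_per_source(events)
    return {src for src, n in counts.items() if n >= threshold}


def evaluate(alerts, truth):
    """Split a set of alerted sources into true positives, false positives and false negatives."""
    return {
        "true_positives": sorted(alerts & truth),
        "false_positives": sorted(alerts - truth),   # legitimate activity flagged (too strict)
        "false_negatives": sorted(truth - alerts),   # attacks missed (too tolerant)
    }


def threshold_sweep(events, truth, thresholds):
    """Evaluate the detector at several thresholds to expose the tradeoff."""
    return {t: evaluate(detect(events, t), truth) for t in thresholds}


if __name__ == "__main__":
    for t, result in threshold_sweep(EVENTS, TRUE_MALICIOUS, (5, 10, 15)).items():
        print(f"threshold={t:2d}  {result}")
```

The sweep only evaluates detection quality; in a deployed system the choice of threshold would also be weighed against the resources needed to keep per-source state, which grows with the amount of traffic retained for analysis.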