IDS glossary

By David Newman and Joel Snyder

Network World, 06/24/02

Anomaly-based IDS: An IDS that measures a "normal" baseline and then reports exceptions to that baseline as possible attacks.

False positive: A report of an attack or attempted attack when no vulnerability existed or no compromise occurred.

False negative: The failure of an IDS to report an instance in which an attacker successfully compromises a host or network.

Host intrusion-detection system (HIDS): Reports only on security incidents for the host on which it runs. See also NIDS; the only quantitative difference between HIDS and NIDS might be the volume of traffic each sees.

Honeypot: A host or network with known vulnerabilities deliberately exposed to a public network. Honeypots are useful in studying attackers' behavior and also in drawing attention away from other potential targets.

Intrusion detection and prevention (IDP): A term used by OneSecure and other vendors of in-line IDS devices. By virtue of their location in front of a protected network, IDP devices are supposed to intercept and stop attacks before they occur.

Intrusion-detection system (IDS): A collection of one or more sensors and zero or more instances of management software used to detect and report the existence of security vulnerabilities.

In-line monitoring: A configuration in which an IDP device works as a switch in front of a protected network. In this configuration, the IDP devices prefilter traffic before it reaches hosts on the protected network. In contrast, most IDS devices use passive monitoring, which means they observe traffic but do not attempt to control access.

Network intrusion-detection system (NIDS): Monitors traffic on networks and logs suspicious behavior. See also HIDS; the only quantitative difference between HIDS and NIDS might be the volume of traffic each sees.

Precision and recall: A database query with high precision returns everything the user requested and omits nothing. A database query with high recall returns only what the user requested and omits everything else. Databases usually have high precision or high recall but not both. In querying an IDS's database, it is usually necessary to construct filters that strike a balance between high precision and high recall.

Sensor: The computer that monitors the network for intrusion attempts. Some sensors store all records locally, while others send reports to a console application or back-end database. Sensors usually run in promiscuous mode, often without an IP address.

Signature-based IDS: An IDS that uses pattern-matching algorithms to compare traffic with a library of known attacks. A match indicates a possible attack.

Stateful matching: A means of attack detection in which the IDS keeps track of connection state. For example, a stateful-matching IDS won't flag an HTTP attack if it wasn't preceded by a TCP handshake.
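Stateful matching versus plain signature matching on the same traffic, as an added Python example that is not part of the original glossary; the `Packet` record, the `../` signature and the addresses are constructed for illustration:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Minimal TCP segment record (constructed for this example)."""
    src: str
    dst: str
    dport: int
    flags: str          # "S", "SA", "A", "PA", "F", "R"
    payload: bytes = b""

# Illustrative HTTP signature library: (pattern, alert name).
HTTP_SIGNATURES = [(b"../", "http-directory-traversal")]

def match_signatures(p):
    """Return an alert tuple for every signature found in an HTTP segment."""
    return [(name, p.src, p.dst) for pattern, name in HTTP_SIGNATURES
            if p.dport == 80 and pattern in p.payload]

def stateless_detect(packets):
    """Pattern matching with no connection tracking: every segment is inspected."""
    return [alert for p in packets for alert in match_signatures(p)]

def stateful_detect(packets):
    """Same signatures, applied only after the (client, server) pair has
    completed the SYN / SYN-ACK / ACK handshake."""
    state = {}   # (client, server) -> handshake state
    alerts = []
    for p in packets:
        if p.flags == "S":
            state[(p.src, p.dst)] = "SYN_SENT"
        elif p.flags == "SA" and state.get((p.dst, p.src)) == "SYN_SENT":
            state[(p.dst, p.src)] = "SYN_RECEIVED"
        elif p.flags == "A" and state.get((p.src, p.dst)) == "SYN_RECEIVED":
            state[(p.src, p.dst)] = "ESTABLISHED"
        elif p.flags in ("F", "R"):      # teardown: forget the connection
            state.pop((p.src, p.dst), None)
            state.pop((p.dst, p.src), None)
        if state.get((p.src, p.dst)) == "ESTABLISHED":
            alerts.extend(match_signatures(p))
    return alerts

# Constructed traffic: one complete session, then a stray segment with no handshake
# (the server's TCP stack would discard it, so the stateless alert is a false positive).
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", 80, "S"),
    Packet("192.0.2.10", "10.0.0.5", 49152, "SA"),
    Packet("10.0.0.5", "192.0.2.10", 80, "A"),
    Packet("10.0.0.5", "192.0.2.10", 80, "PA", b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 80, "PA", b"GET /../../etc/passwd HTTP/1.0\r\n"),
]
```

Running both detectors over `SAMPLE_TRAFFIC` gives two alerts from the stateless matcher but only one from the stateful matcher, which ignores the segment that no handshake preceded.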