An intrusion detection system (IDS) is a device or software application that monitors

a network or systems for malicious activity or policy violations. Any detected activity or
violation is typically reported either to an administrator or collected centrally using a
security information and event management (SIEM) system. A SIEM system combines
outputs from multiple sources, and uses alarm filtering techniques to distinguish
malicious activity from false alarms.

There is a wide spectrum of IDS, varying from antivirus software to hierarchical

systems that monitor the traffic of an entire backbone network. The most common
classifications are network intrusion detection systems (NIDS) and host-based
intrusion detection systems (HIDS). A system that monitors important operating
system files is an example of a HIDS, while a system that analyzes incoming network
traffic is an example of a NIDS. It is also possible to classify IDS by detection
approach: the most well-known variants are signature-based detection (recognizing
bad patterns, such as malware) and anomaly-based detection (detecting deviations
from a model of "good" traffic, which often relies on machine learning). Some IDS have
the ability to respond to detected intrusions. Systems with response capabilities are
typically referred to as an intrusion prevention system.

Comparison with firewalls

Though they both relate to network security, an IDS differs from a firewall in that a
firewall looks outwardly for intrusions in order to stop them from happening. Firewalls
limit access between networks to prevent intrusion and do not signal an attack from
inside the network. An IDS evaluates a suspected intrusion once it has taken place and
signals an alarm. An IDS also watches for attacks that originate from within a system.
This is traditionally achieved by examining network communications, identifying
heuristics and patterns (often known as signatures) of common computer attacks, and
taking action to alert operators. A system that terminates connections is called an
intrusion prevention system, and is another form of an application layer firewall.

Intrusion detection

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 1 of 15
 IDS can be classified by where detection takes place (network or host) and the
detection method that is employed.

Analyzed activity

Network intrusion detection systems

Network intrusion detection systems (NIDS) are placed at a strategic point or points
within the network to monitor traffic to and from all devices on the network. It performs
an analysis of passing traffic on the entire subnet, and matches the traffic that is
passed on the subnets to the library of known attacks. Once an attack is identified, or
abnormal behavior is sensed, the alert can be sent to the administrator. An example of
an NIDS would be installing it on the subnet where firewalls are located in order to see
if someone is trying to break into the firewall. Ideally one would scan all inbound and
outbound traffic, however doing so might create a bottleneck that would impair the
overall speed of the network. OPNET and NetSim are commonly used tools for
simulating network intrusion detection systems. NID Systems are also capable of
comparing signatures for similar packets to link and drop harmful detected packets
which have a signature matching the records in the NIDS. When we classify the design
of the NIDS according to the system interactivity property, there are two types: on-line
and off-line NIDS, often referred to as inline and tap mode, respectively. On-line NIDS
deals with the network in real time. It analyses the Ethernet packets and applies some
rules, to decide if it is an attack or not. Off-line NIDS deals with stored data and passes
it through some processes to decide if it is an attack or not.[1]

Host intrusion detection systems

Main article: Host-based intrusion detection system

Host intrusion detection systems (HIDS) run on individual hosts or devices on the
network. A HIDS monitors the inbound and outbound packets from the device only
and will alert the user or administrator if suspicious activity is detected. It takes a
snapshot of existing system files and matches it to the previous snapshot. If the critical
system files were modified or deleted, an alert is sent to the administrator to
investigate. An example of HIDS usage can be seen on mission critical machines,
which are not expected to change their configurations.

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 2 of 15
 Intrusion detection systems can also be system-specific using custom tools and
honeypots.

Detection method

Signature-based

Signature-based IDS refers to the detection of attacks by looking for specific patterns,
such as byte sequences in network traffic, or known malicious instruction sequences
used by malware.[2] This terminology originates from anti-virus software, which refers
to these detected patterns as signatures. Although signature-based IDS can easily
detect known attacks, it is impossible to detect new attacks, for which no pattern is
available.

Anomaly-based

Anomaly-based intrusion detection systems were primarily introduced to detect

unknown attacks, in part due to the rapid development of malware. The basic
approach is to use machine learning to create a model of trustworthy activity, and then
compare new behavior against this model. Although this approach enables the
detection of previously unknown attacks, it may suffer from false positives: previously
unknown legitimate activity may also be classified as malicious.

New types of what could be called anomaly-based intrusion detection systems are
being viewed by Gartner as User and Entity Behavior Analytics (UEBA)[3] (an evolution
of the user behavior analytics category) and network traffic analysis (NTA).[4] In
particular, NTA deals with malicious insiders as well as targeted external attacks that
have compromised a user machine or account. Gartner has noted that some
organizations have opted for NTA over more traditional IDS.[5]

Intrusion prevention

Some systems may attempt to stop an intrusion attempt but this is neither required nor
expected of a monitoring system. Intrusion detection and prevention systems (IDPS)
are primarily focused on identifying possible incidents, logging information about them,

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 3 of 15
 and reporting attempts. In addition, organizations use IDPS for other purposes, such
as identifying problems with security policies, documenting existing threats and
deterring individuals from violating security policies. IDPS have become a necessary
addition to the security infrastructure of nearly every organization.[6]

IDPS typically record information related to observed events, notify security

administrators of important observed events and produce reports. Many IDPS can also
respond to a detected threat by attempting to prevent it from succeeding. They use
several response techniques, which involve the IDPS stopping the attack itself,
changing the security environment (e.g. reconfiguring a firewall) or changing the
attack's content.[6]

Intrusion prevention systems (IPS), also known as intrusion detection and

prevention systems (IDPS), are network security appliances that monitor network or
system activities for malicious activity. The main functions of intrusion prevention
systems are to identify malicious activity, log information about this activity, report it
and attempt to block or stop it.[7].

Intrusion prevention systems are considered extensions of intrusion detection systems

because they both monitor network traffic and/or system activities for malicious
activity. The main differences are, unlike intrusion detection systems, intrusion
prevention systems are placed in-line and are able to actively prevent or block
intrusions that are detected.[8]:273[9]:289 IPS can take such actions as sending an alarm,
dropping detected malicious packets, resetting a connection or blocking traffic from
the offending IP address.[10] An IPS also can correct cyclic redundancy check (CRC)
errors, defragment packet streams, mitigate TCP sequencing issues, and clean up
unwanted transport and network layer options.[8]:278[11].

Classification

Intrusion prevention systems can be classified into four different types:[7][12]

1. Network-based intrusion prevention system (NIPS): monitors the entire network

for suspicious traffic by analyzing protocol activity.

2. Wireless intrusion prevention system (WIPS): monitor a wireless network for

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 4 of 15
 suspicious traffic by analyzing wireless networking protocols.

3. Network behavior analysis (NBA): examines network traffic to identify threats that
generate unusual traffic flows, such as distributed denial of service (DDoS) attacks,
certain forms of malware and policy violations.

4. Host-based intrusion prevention system (HIPS): an installed software package

which monitors a single host for suspicious activity by analyzing events occurring
within that host.

Detection methods

The majority of intrusion prevention systems utilize one of three detection methods:
signature-based, statistical anomaly-based, and stateful protocol analysis.[9]:301[13]

1. Signature-based detection: Signature-based IDS monitors packets in the Network

and compares with pre-configured and pre-determined attack patterns known as
signatures.

2. Statistical anomaly-based detection: An IDS which is anomaly-based will monitor

network traffic and compare it against an established baseline. The baseline will
identify what is "normal" for that network – what sort of bandwidth is generally used
and what protocols are used. It may however, raise a False Positive alarm for legitimate
use of bandwidth if the baselines are not intelligently configured.[14]

3. Stateful protocol analysis detection: This method identifies deviations of protocol

states by comparing observed events with "pre-determined profiles of generally
accepted definitions of benign activity".[9]

Limitations

Noise can severely limit an intrusion detection system's effectiveness. Bad packets
generated from software bugs, corrupt DNS data, and local packets that escaped
can create a significantly high false-alarm rate.[15]

It is not uncommon for the number of real attacks to be far below the number of
false-alarms. Number of real attacks is often so far below the number of false-alarms
that the real attacks are often missed and ignored.[15]

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 5 of 15
 Many attacks are geared for specific versions of software that are usually outdated.
A constantly changing library of signatures is needed to mitigate threats. Outdated
signature databases can leave the IDS vulnerable to newer strategies.[15]

For signature-based IDS, there will be lag between a new threat discovery and its
signature being applied to the IDS. During this lag time, the IDS will be unable to
identify the threat.[14]

It cannot compensate for weak identification and authentication mechanisms or for

weaknesses in network protocols. When an attacker gains access due to weak
authentication mechanisms then IDS cannot prevent the adversary from any
malpractice.

Encrypted packets are not processed by most intrusion detection devices.

Therefore, the encrypted packet can allow an intrusion to the network that is
undiscovered until more significant network intrusions have occurred.

Intrusion detection software provides information based on the network address that
is associated with the IP packet that is sent into the network. This is beneficial if the
network address contained in the IP packet is accurate. However, the address that is
contained in the IP packet could be faked or scrambled.

Due to the nature of NIDS systems, and the need for them to analyse protocols as
they are captured, NIDS systems can be susceptible to the same protocol-based
attacks to which network hosts may be vulnerable. Invalid data and TCP/IP stack
attacks may cause an NIDS to crash.[16]

Evasion techniques

Main article: Intrusion detection system evasion techniques

There are a number of techniques which attackers are using, the following are
considered 'simple' measures which can be taken to evade IDS:

Fragmentation: by sending fragmented packets, the attacker will be under the radar
and can easily bypass the detection system's ability to detect the attack signature.

Avoiding defaults: The TCP port utilised by a protocol does not always provide an
indication to the protocol which is being transported. For example, an IDS may

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 6 of 15
 expect to detect a trojan on port 12345. If an attacker had reconfigured it to use a
different port, the IDS may not be able to detect the presence of the trojan.

Coordinated, low-bandwidth attacks: coordinating a scan among numerous

attackers (or agents) and allocating different ports or hosts to different attackers
makes it difficult for the IDS to correlate the captured packets and deduce that a
network scan is in progress.

Address spoofing/proxying: attackers can increase the difficulty of the ability of

Security Administrators to determine the source of the attack by using poorly
secured or incorrectly configured proxy servers to bounce an attack. If the source is
spoofed and bounced by a server, it makes it very difficult for IDS to detect the origin
of the attack.

Pattern change evasion: IDS generally rely on 'pattern matching' to detect an attack.
By changing the data used in the attack slightly, it may be possible to evade
detection. For example, an Internet Message Access Protocol (IMAP) server may be
vulnerable to a buffer overflow, and an IDS is able to detect the attack signature of
10 common attack tools. By modifying the payload sent by the tool, so that it does
not resemble the data that the IDS expects, it may be possible to evade detection.

Development

The earliest preliminary IDS concept was delineated in 1980 by James Anderson at the
National Security Agency and consisted of a set of tools intended to help
administrators review audit trails.[17] User access logs, file access logs, and system
event logs are examples of audit trails.

Fred Cohen noted in 1987 that it is impossible to detect an intrusion in every case, and
that the resources needed to detect intrusions grow with the amount of usage.[18]

Dorothy E. Denning, assisted by Peter G. Neumann, published a model of an IDS in

1986 that formed the basis for many systems today.[19] Her model used statistics for
anomaly detection, and resulted in an early IDS at SRI International named the
Intrusion Detection Expert System (IDES), which ran on Sun workstations and could
consider both user and network level data.[20] IDES had a dual approach with a rule-
based Expert System to detect known types of intrusions plus a statistical anomaly

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 7 of 15
 detection component based on profiles of users, host systems, and target systems.
Lunt proposed adding an Artificial neural network as a third component. She said all
three components could then report to a resolver. SRI followed IDES in 1993 with the
Next-generation Intrusion Detection Expert System (NIDES).[21]

The Multics intrusion detection and alerting system (MIDAS), an expert system using
P-BEST and Lisp, was developed in 1988 based on the work of Denning and
Neumann.[22] Haystack was also developed in that year using statistics to reduce audit
trails.[23]

In 1986 the National Security Agency started an IDS research transfer program under
Rebecca Bace. Bace later published the seminal text on the subject, Intrusion
Detection, in 2000.[24]

Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at
the Los Alamos National Laboratory.[25] W&S created rules based on statistical
analysis, and then used those rules for anomaly detection.

In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using
inductive learning of sequential user patterns in Common Lisp on a VAX 3500
computer.[26] The Network Security Monitor (NSM) performed masking on access
matrices for anomaly detection on a Sun-3/50 workstation.[27] The Information Security
Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies
including statistics, a profile checker, and an expert system.[28] ComputerWatch at
AT&T Bell Labs used statistics and rules for audit data reduction and intrusion
detection.[29]

Then, in 1991, researchers at the University of California, Davis created a prototype

Distributed Intrusion Detection System (DIDS), which was also an expert system.[30]
The Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a
prototype IDS developed at the Los Alamos National Laboratory's Integrated
Computing Network (ICN), and was heavily influenced by the work of Denning and
Lunt.[31] NADIR used a statistics-based anomaly detector and an expert system.

The Lawrence Berkeley National Laboratory announced Bro in 1998, which used its
own rule language for packet analysis from libpcap data.[32] Network Flight Recorder

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 8 of 15
 (NFR) in 1999 also used libpcap.[33]

APE was developed as a packet sniffer, also using libpcap, in November, 1998, and
was renamed Snort one month later. Snort has since become the world's largest used
IDS/IPS system with over 300,000 active users.[34] It can monitor both local systems,
and remote capture points using the TZSP protocol.

The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build
profiles of rules for classifications.[35] In 2003, Yongguang Zhang and Wenke Lee argue
for the importance of IDS in networks with mobile nodes.[36]

In 2015, Viegas and his colleagues [37] proposed an anomaly-based intrusion detection
engine, aiming System-on-Chip (SoC) for applications in Internet of Things (IoT), for
instance. The proposal applies machine learning for anomaly detection, providing
energy-efficiency to a Decision Tree, Naive-Bayes, and k-Nearest Neighbors classifiers
implementation in an Atom CPU and its hardware-friendly implementation in a
FPGA.[38][39] In the literature, this was the first work that implement each classifier
equivalently in software and hardware and measures its energy consumption on both.
Additionally, it was the first time that was measured the energy consumption for
extracting each features used to make the network packet classification, implemented
in software and hardware.[40]

Free and open source systems

ACARM-ng

AIDE

Bro NIDS

Fail2ban

OSSEC HIDS

Prelude Hybrid IDS

Sagan

Samhain

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 9 of 15
 Snort

Suricata

See also

Application protocol-based intrusion detection system (APIDS)

Artificial immune system

Bypass switch

Denial-of-service attack

DNS analytics

Intrusion Detection Message Exchange Format

Protocol-based intrusion detection system (PIDS)

Real-time adaptive security

Security management

Software-defined protection

References

1. Abdullah A. Mohamed, "Design Intrusion Detection System Based On Image Block

Matching", International Journal of Computer and Communication Engineering, IACSIT
Press, Vol. 2, No. 5, September 2013.

2. Brandon Lokesak (December 4, 2008). "A Comparison Between Signature Based

and Anomaly Based Intrusion Detection Systems" (PPT). www.iup.edu.

3. "Gartner report: Market Guide for User and Entity Behavior Analytics" . September
2015.

4. "Gartner: Hype Cycle for Infrastructure Protection, 2016" .

5. "Gartner: Defining Intrusion Detection and Prevention Systems" . Retrieved

September 20, 2016.

6. Scarfone, Karen; Mell, Peter (February 2007). "Guide to Intrusion Detection and

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 10 of 15
 Prevention Systems (IDPS)" (PDF). Computer Security Resource Center. National
Institute of Standards and Technology (800–94). Retrieved 1 January 2010.

7. "NIST – Guide to Intrusion Detection and Prevention Systems (IDPS)" (PDF).

February 2007. Retrieved 2010-06-25.

8. Robert C. Newman (19 February 2009). Computer Security: Protecting Digital

Resources . Jones & Bartlett Learning. ISBN 978-0-7637-5994-0. Retrieved 25 June
2010.

9. Michael E. Whitman; Herbert J. Mattord (2009). Principles of Information Security .

Cengage Learning EMEA. ISBN 978-1-4239-0177-8. Retrieved 25 June 2010.

10. Tim Boyles (2010). CCNA Security Study Guide: Exam 640-553 . John Wiley and
Sons. p. 249. ISBN 978-0-470-52767-2. Retrieved 29 June 2010.

11. Harold F. Tipton; Micki Krause (2007). Information Security Management

Handbook . CRC Press. p. 1000. ISBN 978-1-4200-1358-0. Retrieved 29 June 2010.

12. John R. Vacca (2010). Managing Information Security . Syngress. p. 137.

ISBN 978-1-59749-533-2. Retrieved 29 June 2010.

13. Engin Kirda; Somesh Jha; Davide Balzarotti (2009). Recent Advances in Intrusion
Detection: 12th International Symposium, RAID 2009, Saint-Malo, France, September
23–25, 2009, Proceedings . Springer. p. 162. ISBN 978-3-642-04341-3. Retrieved
29 June 2010.

14. nitin.; Mattord, verma (2008). Principles of Information Security. Course

Technology. pp. 290–301. ISBN 978-1-4239-0177-8.

15. Anderson, Ross (2001). Security Engineering: A Guide to Building Dependable

Distributed Systems. New York: John Wiley & Sons. pp. 387–388. ISBN 978-0-471-
38922-4.

16. http://www.giac.org/paper/gsec/235/limitations-network-intrusion-
detection/100739

17. Anderson, James P., "Computer Security Threat Monitoring and Surveillance,"
Washing, PA, James P. Anderson Co., 1980.

18. David M. Chess; Steve R. White (2000). "An Undetectable Computer Virus" .
Proceedings of Virus Bulletin Conference.

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 11 of 15
 Proceedings of Virus Bulletin Conference.

19. Denning, Dorothy E., "An Intrusion Detection Model," Proceedings of the Seventh
IEEE Symposium on Security and Privacy, May 1986, pages 119–131

20. Lunt, Teresa F., "IDES: An Intelligent System for Detecting Intruders," Proceedings
of the Symposium on Computer Security; Threats, and Countermeasures; Rome, Italy,
November 22–23, 1990, pages 110–121.

21. Lunt, Teresa F., "Detecting Intruders in Computer Systems," 1993 Conference on
Auditing and Computer Technology, SRI International

22. Sebring, Michael M., and Whitehurst, R. Alan., "Expert Systems in Intrusion
Detection: A Case Study," The 11th National Computer Security Conference, October,
1988

23. Smaha, Stephen E., "Haystack: An Intrusion Detection System," The Fourth
Aerospace Computer Security Applications Conference, Orlando, FL, December, 1988

24. McGraw, Gary (May 2007). "Silver Bullet Talks with Becky Bace" (PDF). IEEE
Security & Privacy Magazine. 5 (3): 6–9. doi:10.1109/MSP.2007.70 . Retrieved 18 April
2017.

25. Vaccaro, H.S., and Liepins, G.E., "Detection of Anomalous Computer Session
Activity," The 1989 IEEE Symposium on Security and Privacy, May, 1989

26. Teng, Henry S., Chen, Kaihu, and Lu, Stephen C-Y, "Adaptive Real-time Anomaly
Detection Using Inductively Generated Sequential Patterns," 1990 IEEE Symposium on
Security and Privacy

27. Heberlein, L. Todd, Dias, Gihan V., Levitt, Karl N., Mukherjee, Biswanath, Wood,
Jeff, and Wolber, David, "A Network Security Monitor," 1990 Symposium on Research
in Security and Privacy, Oakland, CA, pages 296–304

28. Winkeler, J.R., "A UNIX Prototype for Intrusion and Anomaly Detection in Secure
Networks," The Thirteenth National Computer Security Conference, Washington, DC.,
pages 115–124, 1990

29. Dowell, Cheri, and Ramstedt, Paul, "The ComputerWatch Data Reduction Tool,"
Proceedings of the 13th National Computer Security Conference, Washington, D.C.,
1990

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 12 of 15
 30. Snapp, Steven R, Brentano, James, Dias, Gihan V., Goan, Terrance L., Heberlein, L.
Todd, Ho, Che-Lin, Levitt, Karl N., Mukherjee, Biswanath, Smaha, Stephen E., Grance,
Tim, Teal, Daniel M. and Mansur, Doug, "DIDS (Distributed Intrusion Detection System)
-- Motivation, Architecture, and An Early Prototype," The 14th National Computer
Security Conference, October, 1991, pages 167–176.

31. Jackson, Kathleen, DuBois, David H., and Stallings, Cathy A., "A Phased Approach
to Network Intrusion Detection," 14th National Computing Security Conference, 1991

32. Paxson, Vern, "Bro: A System for Detecting Network Intruders in Real-Time,"
Proceedings of The 7th USENIX Security Symposium, San Antonio, TX, 1998

33. Amoroso, Edward, "Intrusion Detection: An Introduction to Internet Surveillance,

Correlation, Trace Back, Traps, and Response," Intrusion.Net Books, Sparta, New
Jersey, 1999, ISBN 0-9666700-7-8

34. Kohlenberg, Toby (Ed.), Alder, Raven, Carter, Dr. Everett F. (Skip), Jr., Esler, Joel.,
Foster, James C., Jonkman Marty, Raffael, and Poor, Mike, "Snort IDS and IPS Toolkit,"
Syngress, 2007, ISBN 978-1-59749-099-3

35. Barbara, Daniel, Couto, Julia, Jajodia, Sushil, Popyack, Leonard, and Wu,
Ningning, "ADAM: Detecting Intrusions by Data Mining," Proceedings of the IEEE
Workshop on Information Assurance and Security, West Point, NY, June 5–6, 2001

36. Intrusion Detection Techniques for Mobile Wireless Networks, ACM WINET 2003
<http://www.cc.gatech.edu/~wenke/papers/winet03.pdf >

37. Viegas, E.; Santin, A. O.; Fran?a, A.; Jasinski, R.; Pedroni, V. A.; Oliveira, L. S.
(2017-01-01). "Towards an Energy-Efficient Anomaly-Based Intrusion Detection Engine
for Embedded Systems" . IEEE Transactions on Computers. 66 (1): 163–177.
doi:10.1109/TC.2016.2560839 . ISSN 0018-9340 .

38. França, A. L.; Jasinski, R.; Cemin, P.; Pedroni, V. A.; Santin, A. O. (2015-05-01).
"The energy cost of network security: A hardware vs. software comparison" . 2015
IEEE International Symposium on Circuits and Systems (ISCAS): 81–84.
doi:10.1109/ISCAS.2015.7168575 .

39. França, A. L. P. d; Jasinski, R. P.; Pedroni, V. A.; Santin, A. O. (2014-07-01).

"Moving Network Protection from Software to Hardware: An Energy Efficiency
Analysis" . 2014 IEEE Computer Society Annual Symposium on VLSI: 456–461.

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 13 of 15
 Analysis" . 2014 IEEE Computer Society Annual Symposium on VLSI: 456–461.
doi:10.1109/ISVLSI.2014.89 .

40. "Towards an Energy-Efficient Anomaly-Based Intrusion Detection Engine for

Embedded Systems" (PDF). SecPLab.

This article incorporates public domain material from the National Institute of
Standards and Technology document "Guide to Intrusion Detection and Prevention
Systems, SP800-94" by Karen Scarfone, Peter Mell (retrieved on 1 January 2010).

Further reading

Bace, Rebecca Gurley (2000). Intrusion Detection. Indianapolis, IN: Macmillan

Technical. ISBN 1578701856.

Bezroukov, Nikolai (11 December 2008). "Architectural Issues of Intrusion Detection

Infrastructure in Large Enterprises (Revision 0.82)" . Softpanorama. Retrieved
30 July 2010.

P.M. Mafra and J.S. Fraga and A.O. Santin (2014). "Algorithms for a distributed IDS
in MANETs" . Journal of Computer and System Sciences. 80 (3): 554–570.
doi:10.1016/j.jcss.2013.06.011 .

Hansen, James V.; Benjamin Lowry, Paul; Meservy, Rayman; McDonald, Dan (2007).
"Genetic programming for prevention of cyberterrorism through dynamic and
evolving intrusion detection". Decision Support Systems (DSS). 43 (4): 1362–1374.
doi:10.1016/j.dss.2006.04.004 . SSRN 877981​ .

Scarfone, Karen; Mell, Peter (February 2007). "Guide to Intrusion Detection and
Prevention Systems (IDPS)" (PDF). Computer Security Resource Center. National
Institute of Standards and Technology (800-94). Retrieved 1 January 2010.

Saranya, J.; Padmavathi, G. (2015). "A Brief Study on Different Intrusions and
Machine Learning-based Anomaly Detection Methods in Wireless Sensor
Networks" (PDF). Avinashilingam Institute for Home Science and Higher Education
for Women (6(4)). Retrieved 4 April 2015.

Singh, Abhishek. "Evasions In Intrusion Prevention Detection Systems" . Virus

Bulletin. Retrieved 1 April 2010.

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 14 of 15
 External links

Intrusion Detection Systems at DMOZ

Common vulnerabilities and exposures (CVE) by product

NIST SP 800-83, Guide to Malware Incident Prevention and Handling

NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)

Study by Gartner "Magic Quadrant for Network Intrusion Prevention System

Appliances"

Last edited 11 days ago by Chris Caven

https://en.m.wikipedia.org/wiki/Intrusion_detection_system 28/11/2017, 1?00 PM

Page 15 of 15