
Understanding Intrusion Detection Systems (IDS) with Dr. Dorothy Denning

N2K Networks · January 20, 2026 · 9 min · 71 views

Defining Intrusion Detection Systems

  • 💡 An Intrusion Detection System (IDS) is defined as a system that monitors for malicious or unwanted activity.
  • 🎯 It either raises alerts when such activity is detected or blocks the traffic from reaching its target.

Historical Foundations of IDS

  • 🧠 Dr. Dorothy Denning is highlighted as a pioneer in computer science and security, with research in the 1970s and 1980s laying foundations for cryptology, information warfare, and data security.
  • 🔑 Denning invented lattice-based access controls (LBACs) in 1975 and, with Peter Neumann in 1984, developed the first intrusion detection expert system (IDES).
  • 📜 Her 1986 paper, "An Intrusion Detection Model," established the groundwork for the first commercial IDS tools.

Types and Evolution of IDS

  • 💻 Host-based IDS are placed on a single system and monitor only that computer.
  • 🌐 Network-based IDS inspect traffic across an entire network, historically existing as standalone hardware but now often integrated into modern firewalls as subscription services.
  • πŸ” Modern IDS look for intrusions using known signatures or by detecting anomalies in traffic.

Challenges and Limitations of IDS

  • ⚠️ A significant challenge is false positives, where the system incorrectly flags legitimate activity as malicious, leading to alert fatigue for analysts.
  • 📉 Another critical issue is false negatives, where the system fails to detect actual malicious traffic in progress.

IDS in Practice and Related Concepts

  • πŸ› οΈ Intrusion detection systems can be configured as passive monitoring devices or inline monitoring systems for more control.
  • πŸ“ˆ Professor Messer's work is referenced for explaining IT and computer security concepts, including IDS and Intrusion Prevention Systems (IPS).
  • πŸš€ Both IDS and IPS are crucial components in security stacks, with IPS actively blocking traffic while IDS primarily alerts.
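The three ideas above (signature versus anomaly detection, false positives and false negatives, and passive versus inline operation) fit in one small worked example. The code below is an added illustration written for this summary; it is not code from the video, from Dr. Denning's IDES work, or from Professor Messer's material. The traffic events, the three signature rules, the port-scan threshold and the ground-truth `malicious` labels are all constructed for the demonstration. One rule (`passwd-access`) is deliberately over-broad so that a legitimate password change produces a false positive, and one malicious export request matches nothing so that it shows up as a false negative.

```python
"""
Toy IDS: signature + anomaly detection over constructed sample traffic,
scored against constructed ground-truth labels, run in passive (alert)
or inline (drop) mode. Example code for this summary, not from the video.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    dport: int
    payload: str
    malicious: bool  # constructed ground-truth label, used only to score the IDS


# Signature-based detection: known patterns (hypothetical rule set).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./\.\./"),
    # Deliberately over-broad rule: fires on a legitimate password change too.
    "passwd-access": re.compile(r"passwd", re.IGNORECASE),
}

# Anomaly-based detection: a source touching more distinct ports than this
# in the batch is treated as a port scan (threshold chosen for the demo).
SCAN_PORT_THRESHOLD = 5

# Constructed sample traffic (not real captures). Last block is a port scan.
SAMPLE_EVENTS = [
    Event("10.0.0.5", "10.0.0.80", 80, "GET /index.html HTTP/1.1", False),
    Event("10.0.0.5", "10.0.0.80", 80, "GET /login?user=admin' OR '1'='1 HTTP/1.1", True),
    Event("10.0.0.7", "10.0.0.80", 80, "GET /search?q=O'Reilly HTTP/1.1", False),
    Event("10.0.0.7", "10.0.0.80", 80, "POST /account/change-passwd HTTP/1.1", False),
    Event("10.0.0.8", "10.0.0.22", 22, "SSH-2.0-OpenSSH_9.0", False),
    Event("10.0.0.11", "10.0.0.80", 80, "GET /download?file=../../etc/shadow HTTP/1.1", True),
    Event("10.0.0.13", "10.0.0.80", 80, "GET /api/export?fmt=csv HTTP/1.1", True),
] + [Event("10.0.0.9", "10.0.0.80", p, "SYN", True) for p in (21, 22, 23, 25, 80, 443)]


def signature_hits(event):
    """Names of every signature whose pattern appears in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event.payload)]


def scanning_sources(events, threshold=SCAN_PORT_THRESHOLD):
    """Sources whose distinct destination-port count exceeds the threshold."""
    ports = defaultdict(set)
    for e in events:
        ports[e.src].add(e.dport)
    return {src for src, seen in ports.items() if len(seen) > threshold}


def run_ids(events, mode="passive"):
    """Return (event, reasons, action) per event.

    passive: flagged events are only alerted on and still forwarded.
    inline:  flagged events are dropped before reaching the target (IPS).
    """
    assert mode in ("passive", "inline")
    scanners = scanning_sources(events)
    verdicts = []
    for e in events:
        reasons = signature_hits(e)
        if e.src in scanners:
            reasons.append("anomaly:port-scan")
        if reasons:
            action = "alert" if mode == "passive" else "drop"
        else:
            action = "forward"
        verdicts.append((e, reasons, action))
    return verdicts


def confusion(verdicts):
    """Count TP/FP/FN/TN by comparing the IDS decision with the labels."""
    counts = Counter()
    for e, reasons, _ in verdicts:
        flagged = bool(reasons)
        if flagged and e.malicious:
            counts["TP"] += 1
        elif flagged and not e.malicious:
            counts["FP"] += 1  # alert fatigue comes from these
        elif not flagged and e.malicious:
            counts["FN"] += 1  # the attack that got through
        else:
            counts["TN"] += 1
    return counts


def precision_recall(counts):
    """Precision = alerts that were real; recall = attacks that were caught."""
    tp, fp, fn = counts["TP"], counts["FP"], counts["FN"]
    return tp / (tp + fp), tp / (tp + fn)


if __name__ == "__main__":
    for mode in ("passive", "inline"):
        verdicts = run_ids(SAMPLE_EVENTS, mode)
        counts = confusion(verdicts)
        print(mode, dict(counts), "precision/recall=%.2f/%.2f" % precision_recall(counts))
        for e, reasons, action in verdicts:
            if reasons:
                print("  %s -> %s:%d %s %s" % (e.src, e.dst, e.dport, action, reasons))
```

Running it in `inline` mode shows the trade-off the summary describes: the same detection logic now drops nine events, including the legitimate `change-passwd` request, so an over-broad signature that is merely noisy in passive mode becomes an outage for a real user once the sensor sits inline. The export request that matches no rule is forwarded in both modes, which is the false-negative case.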
What's Discussed

  • Intrusion Detection System
  • IDS
  • Intrusion Prevention System
  • IPS
  • Cybersecurity
  • Network Security
  • Malicious Activity
  • False Positives
  • False Negatives
  • Dr. Dorothy Denning
  • Professor Messer
  • Host-based IDS
  • Network-based IDS
  • Cobalt Strike
  • Security Stack