IDS newbie. Question on security Vs performance

Hi all,

I am a post-doc at Princeton. I am new to Bro/IDS systems and am pondering on future research ideas. I am thinking of researching Bro, Snort and other intrusion detection systems. I am a bit new to intrusion detection stuff. Do IDS systems in general have a parameter that can be used to tune security versus performance?

Intrusion detection systems easily observe millions of packets a second. Given this voluminous data, the performance per packet could have significant impact on the performance of the network. Also, system administrators can easily get overwhelmed with the false positives even if the rate is small. Do intrusion detection systems have an alert level that decides how aggressively to look for attacks? When in a heightened state of alert, cyber security managers could change the alert level so that the intrusion detection system tries to look more closely at packets to make a more informed decision.

Does this idea of alert level make any sense?

–Sudhakar

http://www.cs.princeton.edu/~sudhakar

> Do IDS systems in general have a parameter that can be used to tune security
> versus performance?

Not a single knob, but a whole suite of tuning possibilities. One large
instance is deciding which signatures (of perhaps thousands) and other
forms of analysis you want to turn on, and for what subset of the packet
stream.

> Intrusion detection systems easily observe millions of packets a second.

I don't know about "easily". For example, UC Berkeley, which has about
50K hosts, averages less than a 10th of that across its border.

> Given this voluminous data, the performance per packet could have significant
> impact on the performance of the network. Also, system administrators can
> easily get overwhelmed with the false positives even if the rate is small.

Yep.

> Do intrusion detection systems have an alert level that decides how
> aggressively to look for attacks? When in a heightened state of alert, cyber
> security managers could change the alert level so that the intrusion
> detection system tries to look more closely at packets to make a more
> informed decision.
>
> Does this idea of alert level make any sense?

Per the above, the space is much broader than a single alert level.
This makes tuning and adaptation quite complex.

    Vern
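As an added illustration (not code from this thread, Bro, or Snort), the following Python models Vern's point: a single "alert level" is really a bundle of separate knobs, here a packet-stream filter plus a chosen subset of signatures, and the per-packet cost is paid only on the packets that reach the enabled signatures. The signatures, their cost figures and the sample packets are all constructed for the example.

```python
# Added example: an "alert level" as a bundle of tuning knobs, not one parameter.
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes

@dataclass
class Signature:
    name: str
    cost: int                        # constructed relative per-packet cost
    match: Callable[[Packet], bool]

# Constructed signatures; the costs are illustrative, not measured.
SIGNATURES = [
    Signature("http-traversal", 1, lambda p: p.proto == "tcp" and p.dport == 80 and b"../" in p.payload),
    Signature("dns-long-label", 2, lambda p: p.proto == "udp" and p.dport == 53 and len(p.payload) > 64),
    Signature("high-entropy-payload", 5, lambda p: len(p.payload) >= 64 and len(set(p.payload)) > 40),
]

@dataclass
class Profile:
    """One 'alert level': which signatures run, and on what subset of the stream."""
    enabled: List[str]
    stream_filter: Callable[[Packet], bool] = lambda p: True

PROFILES = {
    "normal": Profile(["http-traversal"], lambda p: p.proto == "tcp" and p.dport == 80),
    "heightened": Profile([s.name for s in SIGNATURES]),   # every signature, all traffic
}

def run(packets: List[Packet], level: str) -> Tuple[List[str], int]:
    """Return (alert names, total cost units) for one profile over a packet list."""
    prof = PROFILES[level]
    sigs = [s for s in SIGNATURES if s.name in prof.enabled]
    alerts, cost = [], 0
    for pkt in packets:
        if not prof.stream_filter(pkt):
            continue                 # filtered-out packets cost nothing
        for s in sigs:
            cost += s.cost           # cost accrues whether or not the signature fires
            if s.match(pkt):
                alerts.append(s.name)
    return alerts, cost

# Constructed sample traffic.
SAMPLE = [
    Packet("tcp", 80, b"GET /../../etc/passwd HTTP/1.0"),
    Packet("udp", 53, b"a" * 70),
    Packet("tcp", 443, bytes(range(64))),
    Packet("tcp", 80, b"GET / HTTP/1.0"),
]
```

Running `run(SAMPLE, "normal")` versus `run(SAMPLE, "heightened")` shows the trade-off Vern describes: the heightened profile finds more but pays many times the per-packet cost, and adjusting it means changing several settings, not one.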