You use an IDS to monitor your network for signs of intrusive activity. An IDS triggers alarms when it detects intrusive activity. The triggering mechanism is probably based on one of the following two techniques:
- Anomaly detection
- Misuse detection
To implement its triggering mechanism, your IDS needs to monitor your network for intrusive activity at specific points in your network. The two common monitoring locations are as follows:
Because each of these characteristics has benefits and drawbacks, many intrusion detection systems are beginning to incorporate multiple characteristics into hybrid IDSs. These systems attempt to maximize the capability of the IDS while minimizing its drawbacks.