Intrusion detection system
== Limitations ==
* [[noise (signal processing)|Noise]] can severely limit an intrusion detection system's effectiveness. Bad packets generated from [[software bug]]s, corrupt [[DNS]] data, and local packets that escaped can create a significantly high false-alarm rate.<ref name="Anderson">{{cite book |last1 = Anderson |first1 = Ross |title = Security Engineering: A Guide to Building Dependable Distributed Systems |location = New York |publisher = [[John Wiley & Sons]] |year = 2001 |pages = [https://archive.org/details/securityengineer00ande/page/387 387–388] |isbn = 978-0-471-38922-4 |url = https://archive.org/details/securityengineer00ande/page/387 }}</ref>
* It is not uncommon for the number of real attacks to be far below the number of [[False alarm|false alarms]]. The number of real attacks is often so far below the number of false alarms that the real attacks are missed and ignored.<ref name="Anderson"/>{{Update inline|date=August 2017}}
* Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to newer strategies.<ref name="Anderson"/>
* For signature-based IDS, there will be a lag between the discovery of a new threat and its signature being applied to the IDS. During this lag time, the IDS will be unable to identify the threat.<ref name="Whitman" />
* An IDS cannot compensate for weak identification and [[authentication]] mechanisms or for weaknesses in [[network protocol]]s. When an attacker gains access due to weak authentication mechanisms, the IDS cannot prevent the adversary from any malpractice.
* Encrypted packets are not processed by most intrusion detection devices. Therefore, an encrypted packet can allow an intrusion into the network that remains undiscovered until more significant network intrusions have occurred.
* Intrusion detection software provides information based on the [[network address]] that is associated with the IP packet that is sent into the network. This is beneficial if the network address contained in the IP packet is accurate. However, the address that is contained in the IP packet could be faked or scrambled.
* Due to the nature of NIDS systems, and the need for them to analyse protocols as they are captured, NIDS systems can be susceptible to the same protocol-based attacks to which network hosts may be vulnerable. Invalid data and [[TCP/IP stack]] attacks may cause a NIDS to crash.<ref>{{Cite web |last=Schupp |first=Steve |date=1 December 2000 |title=Limitations of Network Intrusion Detection |url=https://www.giac.org/paper/gsec/235/limitations-network-intrusion-detection/100739 |access-date=17 December 2023 |website=Global Information Assurance Certification |format=PDF}}</ref>
* The security measures on cloud computing do not consider the variation of users' privacy needs.<ref name=":1">{{Cite journal|last1=Hawedi|first1=Mohamed|last2=Talhi|first2=Chamseddine|last3=Boucheneb|first3=Hanifa|date=2018-09-01|title=Multi-tenant intrusion detection system for public cloud (MTIDS)|url=http://dx.doi.org/10.1007/s11227-018-2572-6|journal=The Journal of Supercomputing|volume=74|issue=10|pages=5199–5230|doi=10.1007/s11227-018-2572-6|s2cid=52272540|issn=0920-8542|url-access=subscription}}</ref> They provide the same security mechanism for all users, whether the users are companies or individuals.<ref name=":1" />
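
The false-alarm limitation above can be worked through numerically. The following is an added example, not part of the article or its sources: all event counts, rates and the analyst review capacity are constructed, and it assumes analysts review alerts uniformly at random with no prioritisation.

```python
"""Base-rate arithmetic for IDS alerts (all numbers are constructed)."""
from dataclasses import dataclass


@dataclass
class AlertMix:
    true_alerts: float   # expected alerts raised on real attacks
    false_alerts: float  # expected alerts raised on benign events
    precision: float     # share of all alerts that are real attacks


def alert_mix(events, attacks, tpr, fpr):
    """Expected alert counts when `attacks` of `events` inspected events are real.

    tpr: probability an attack raises an alert; fpr: probability a benign
    event raises an alert (the false-alarm rate).
    """
    if not (0 <= attacks <= events and 0 <= tpr <= 1 and 0 <= fpr <= 1):
        raise ValueError("counts or rates out of range")
    true_alerts = attacks * tpr
    false_alerts = (events - attacks) * fpr
    total = true_alerts + false_alerts
    return AlertMix(true_alerts, false_alerts, true_alerts / total if total else 0.0)


def attacks_missed(events, attacks, tpr, fpr, review_capacity):
    """Fraction of real attacks no analyst ever looks at.

    Assumption: analysts can open `review_capacity` alerts and pick them
    uniformly at random from the whole alert queue.
    """
    mix = alert_mix(events, attacks, tpr, fpr)
    total = mix.true_alerts + mix.false_alerts
    reviewed_share = min(1.0, review_capacity / total) if total else 1.0
    return 1 - (mix.true_alerts * reviewed_share) / attacks if attacks else 0.0


def max_fpr_for_precision(target, events, attacks, tpr):
    """Largest false-alarm rate at which `target` of the alerts are still real."""
    base = attacks / events  # prior probability that an event is an attack
    return tpr * base * (1 - target) / (target * (1 - base))


if __name__ == "__main__":
    # Constructed day: 1,000,000 events, 20 attacks, 90% detection, 0.1% false alarms.
    day = dict(events=1_000_000, attacks=20, tpr=0.9, fpr=0.001)
    mix = alert_mix(**day)
    print(f"true={mix.true_alerts:.0f} false={mix.false_alerts:.0f} "
          f"precision={mix.precision:.2%}")
    print(f"missed with 200 reviews/day: {attacks_missed(**day, review_capacity=200):.1%}")
    print(f"FPR needed for 50% precision: {max_fpr_for_precision(0.5, 1_000_000, 20, 0.9):.2e}")
```

Even with a false-alarm rate of 0.1%, fewer than 2 in 100 alerts in this constructed scenario correspond to a real attack, which is why tuning or triage prioritisation matters more than raw detection rate.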