• Very effective in identifying intrusions with minimum false alarms (FA).|
• Promptly identifies the intrusions.
• Superior for detecting the known attacks.
• Simple design
• Needs to be updated frequently with a new signature.|
• SIDS is designed to detect attacks for known signatures. When a previous intrusion has been altered slightly to a new variant, then the system would be unable to identify this new deviation of the similar attack.
• Unable to detect the zero-day attack.
• Not suitable for detecting multi-step attacks.
• Little understanding of the insight of the attacks
• Could be used to detect new attacks.|
• Could be used to create intrusion signature
• AIDS cannot handle encrypted packets, so the attack can stay undetected and can present a threat.|
• High false positive alarms.
• Hard to build a normal profile for a very dynamic computer system.
• Unclassified alerts.
• Needs initial training.