with the Catalyst 6000 [7] switch series. These switches integrate the IDS functionality directly into the switch itself. This provides real-time intrusion detection and does not affect the switch performance, as the IDS only looks at copies of the packets being transferred. Furthermore, the IDS module can be easily updated with the latest signatures. Cisco also has the IDS 4210/4235/4250 line of network sensors that monitor traffic from 45 Mbps to gigabit environments. It also has solutions for host sensors, router sensors, and firewall sensors.

Intrusion detection systems and sensors have traditionally been developed mainly for UNIX systems. These days, due to the popularity of Windows, solutions are being developed for these systems too. Apap et al. [2] propose one such IDS that protects a Windows host. The algorithm proposed in that paper detects attacks on the host machine by looking for anomalous accesses to the Windows registry. The algorithm first defines a model of normal registry behavior on a Windows host, and then uses this model to detect abnormal registry access.

There have been some standardization efforts for intrusion detection event reporting and rules. Eckmann [9] describes an implementation of a translator that converts Snort rules to STATL scenarios. STATL is employed by NetSTAT [24], a popular network-based IDS.

The limitation of an IDS is not in its ability to accurately detect misuse, but in its ability to suppress false alarms. Patton et al. [18] describe an alarming vulnerability which they call "squealing." Squealing is a technique of false IDS excitation that will render the IDS deaf to actual attacks. The hacker first attacks an IDS with a large number of packets having well-known attack signatures. This will cause the IDS to report many