Early on, attackers evaded IDS monitoring by fragmenting IP packets. Many IDS products have no fragment reassembly capability, so they cannot recognise an attack whose signature is split across fragments. If your NIDS cannot reassemble fragments, consider replacing the product or asking the vendor for an upgraded version that can.
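The evasion and its fix, as an added illustration that is not code from the original article or from any product it names: a payload is split into IPv4-style fragments (offsets in 8-byte units, MF flag on all but the last), so that the signature straddles a fragment boundary. A matcher that inspects each fragment on its own misses it; a matcher that reassembles the datagram first, even when the fragments arrive out of order, finds it. The packets and the signature string are constructed here, not captured.

```python
from dataclasses import dataclass

# Placeholder signature, constructed for the example (not a real rule).
SIGNATURE = b"/etc/passwd"


@dataclass
class Fragment:
    ident: int    # IP identification field, shared by all fragments of one datagram
    offset: int   # fragment offset in 8-byte units, as in the IP header
    more: bool    # MF (more fragments) flag
    data: bytes


def fragment(ident, payload, chunk=16):
    """Split payload into fragments; every chunk but the last is a multiple of 8 bytes."""
    assert chunk % 8 == 0
    frags = []
    for i in range(0, len(payload), chunk):
        frags.append(Fragment(ident, i // 8, i + chunk < len(payload), payload[i:i + chunk]))
    return frags


def naive_match(frags, sig=SIGNATURE):
    """What an IDS without reassembly does: test each fragment in isolation."""
    return any(sig in f.data for f in frags)


def reassemble(frags):
    """Rebuild each datagram from its fragments by offset. Returns {ident: bytes or None}."""
    by_id = {}
    for f in frags:
        by_id.setdefault(f.ident, []).append(f)
    out = {}
    for ident, parts in by_id.items():
        parts.sort(key=lambda f: f.offset)          # tolerate out-of-order arrival
        buf, expected, complete = bytearray(), 0, False
        for p in parts:
            if p.offset * 8 != expected:            # gap or overlap: give up on this datagram
                break
            buf += p.data
            expected += len(p.data)
            if not p.more:
                complete = True
                break
        out[ident] = bytes(buf) if complete else None
    return out


def reassembled_match(frags, sig=SIGNATURE):
    """Reassemble first, then match, which is what a fragment-aware IDS must do."""
    return any(d is not None and sig in d for d in reassemble(frags).values())


# Constructed request: with 16-byte chunks the signature spans fragments 1 and 2.
PAYLOAD = b"GET /cgi?file=/etc/passwd HTTP/1.0\r\n"
FRAGS = fragment(0x4242, PAYLOAD)

if __name__ == "__main__":
    print("per-fragment match:", naive_match(FRAGS))
    print("reassembled match: ", reassembled_match(FRAGS))
    print("out of order:      ", reassembled_match(list(reversed(FRAGS))))
```

The reassembler deliberately refuses datagrams with gaps or overlapping offsets; a production IDS must additionally decide how to resolve overlaps the same way the destination host does, which is a separate evasion class not covered by this page.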
Rule-based NIDS usually specify a default port in each rule and generally assume the destination port is fixed. For example, the rule for a Trojan is written against the Trojan's default port, yet the communication port of most Trojans can be changed, and once it is, the NIDS no longer recognises the Trojan traffic. We believe that a rule should not use the Trojan's default port as its sole matching condition; matching on protocol content as well reduces both false negatives and false positives.
A newer way of circumventing IDS has been proposed that uses protocol-specific behaviour to carry the attack. For example, in a DNS response packet, to save space, a compression pointer may refer back to a domain name that appeared earlier in the packet; there is no need to use compression in a DNS request packet. But at least the BIND 8.x versions also interpret the compression flag in request packets. An attacker can construct a request whose compression pointers obscure the attack: the BIND 8.x daemon will accept and process the packet, while an IDS that relies on pattern matching will not find the attack in it. Robert Graham's demonstration shows that DNS, FTP, RPC and other protocols have similar weaknesses, and a pattern-matching IDS cannot identify any of these protocol-level evasions. The solution is either an IDS based on protocol analysis, which decodes the collected data before matching, or a programmable IDS such as NFR's NIDS, for which N-code can be written to detect this attack. Both methods cost performance; it is difficult to have both accuracy and speed.
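The DNS pointer evasion described above, as an added example that is not code from the original article, from BIND or from Robert Graham's demonstration: a minimal query is built twice, once with the QNAME encoded as plain labels and once with the first label inline and the remaining labels replaced by a compression pointer to a copy placed after the question section. A pattern-matching check that looks for the contiguous wire encoding of the name only finds the plain form; a protocol-analysis check that decodes the question, following pointers with loop and bounds protection, recovers the name in both. The packets are constructed here, not captured, and the lenient "follow any in-message pointer" behaviour of the decoder is the assumed target behaviour that the evasion relies on, not something this page documents for BIND.

```python
import struct


def encode_name(name):
    """Wire encoding of a domain name as length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, compress=False, qid=0x1234):
    """Minimal DNS query (type A, class IN, RD set, one question).

    With compress=True only the first label is written inline; the rest of the
    name is replaced by a pointer to a copy of the remaining labels appended
    after the question. RFC 1035 sanctions pointers to prior occurrences in
    responses; a lenient parser that follows any in-message pointer accepts this.
    """
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qtype_qclass = struct.pack("!HH", 1, 1)
    if not compress:
        return header + encode_name(qname) + qtype_qclass
    first, rest = qname.rstrip(".").split(".", 1)
    first_enc = bytes([len(first)]) + first.encode("ascii")
    target = len(header) + len(first_enc) + 2 + len(qtype_qclass)  # where the suffix will sit
    pointer = struct.pack("!H", 0xC000 | target)
    return header + first_enc + pointer + qtype_qclass + encode_name(rest)


def pattern_match(packet, name):
    """Signature-only IDS: search for the contiguous wire encoding of the name."""
    return encode_name(name) in packet


def decode_name(packet, offset, _depth=0):
    """Decode a name at offset, following compression pointers. Returns (name, next_offset)."""
    if _depth > 16:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("name runs past end of message")
        length = packet[offset]
        if length & 0xC0 == 0xC0:                      # two-byte pointer
            ptr = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if ptr >= len(packet):
                raise ValueError("pointer outside message")
            tail, _ = decode_name(packet, ptr, _depth + 1)
            if tail:
                labels.append(tail)
            return ".".join(labels), offset + 2
        if length == 0:                                # root label terminates the name
            return ".".join(labels), offset + 1
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def protocol_match(packet, name):
    """Protocol-analysis IDS: decode the question section, then compare the name."""
    qname, _ = decode_name(packet, 12)                 # question starts after the 12-byte header
    return qname == name


NAME = "www.example.com"                               # constructed target name
PLAIN = build_query(NAME)
EVASIVE = build_query(NAME, compress=True)

if __name__ == "__main__":
    for label, pkt in (("plain", PLAIN), ("compressed", EVASIVE)):
        print(label, "pattern:", pattern_match(pkt, NAME), "protocol:", protocol_match(pkt, NAME))
```

The same decoder is the building block for checking the other direction too: a rule that only fires on the decoded name catches the evasive form, and because it fails closed on pointers that leave the message or loop, it does not itself become a denial-of-service target for malformed queries.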
Another topic is how to reduce the false-negative and false-positive rates of port scan detection. The early IDS method defines a time window and treats the source as a port scanner if its number of connections within that window exceeds a threshold. The drawback is that a scan spread over longer than the window, touching fewer ports per window than the threshold, is never identified. The solution is to analyse the collected data over a long period, so that even very slow scans cannot escape IDS monitoring. The above solutions are implemented in CEN's "Skyeye" Intrusion Detection System 2.0.