Despite all the advantages provided by intrusion detection systems, they are not a universal solution to all problems. Like any other security tool, intrusion detection systems have their own field of application and their own limitations. For example, the following problems are common for an IDS [Allen1-99]:
Improvement of hackers' skills and qualifications, growth in the number of available automated hacking tools and their variety (see Fig. 2.12)
Use of newer, more sophisticated penetration scenarios
Use of encryption when transmitting malicious traffic, which hides its content from the sensor (for example, TFN2K)
Having to correlate data collected from the components of an IDS installed in a heterogeneous network combining Windows NT, Windows 2000, Linux, Solaris, HP UX, AIX, and other operating systems
An increase in the amount of network traffic that needs to be analyzed
Limited visibility in switched networks, where a sensor sees only the traffic on the segment it is attached to
Performance problems in high-speed networks, which do not always allow attacks to be detected in real time (and, consequently, responded to in time)
A lack of commonly adopted terminology in the field of intrusion detection
Dependence of intrusion detection systems on their vendors, which complicates purchasing and operating such systems and reduces their effectiveness
The risks inherent in manual response methods
Attacks on intrusion detection systems
A large number of false positives and false negatives
An insufficient number of criteria for evaluating and testing such systems
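The last two problems in the list (false positives and false negatives, and the lack of agreed evaluation criteria) are easier to reason about with numbers. The following is an added example, not taken from the text or from any IDS product: it scores a sensor's alerts against labelled ground truth and then applies the resulting rates to a realistic traffic mix to show how a small false-positive rate still swamps analysts with false alerts when benign events vastly outnumber attacks. The connection identifiers, labels and alert set are constructed sample data.

```python
"""Measure an IDS's false positives and false negatives against labelled traffic.

Added example (not from the original text). GROUND_TRUTH and ALERTS are
constructed sample data, not a real capture or a real sensor's output.
"""
from dataclasses import dataclass

# Constructed ground truth: connection id -> True if the connection was malicious.
GROUND_TRUTH = {
    "c1": False, "c2": False, "c3": True, "c4": False, "c5": True,
    "c6": False, "c7": False, "c8": True, "c9": False, "c10": False,
}

# Constructed alert log: connection ids for which the sensor raised an alert.
ALERTS = {"c3", "c4", "c5", "c9"}


@dataclass(frozen=True)
class Confusion:
    """Counts of true positives, false positives, true negatives, false negatives."""
    tp: int
    fp: int
    tn: int
    fn: int

    @property
    def false_positive_rate(self) -> float:
        # Fraction of benign events that triggered an alert.
        return self.fp / (self.fp + self.tn) if (self.fp + self.tn) else 0.0

    @property
    def detection_rate(self) -> float:
        # Fraction of malicious events that were alerted on (1 - false-negative rate).
        return self.tp / (self.tp + self.fn) if (self.tp + self.fn) else 0.0

    @property
    def precision(self) -> float:
        # Fraction of alerts that were actually malicious.
        return self.tp / (self.tp + self.fp) if (self.tp + self.fp) else 0.0


def score(truth: dict, alerts: set) -> Confusion:
    """Compare alerts with labelled ground truth and build the confusion matrix."""
    tp = sum(1 for cid, malicious in truth.items() if malicious and cid in alerts)
    fp = sum(1 for cid, malicious in truth.items() if not malicious and cid in alerts)
    fn = sum(1 for cid, malicious in truth.items() if malicious and cid not in alerts)
    tn = len(truth) - tp - fp - fn
    return Confusion(tp=tp, fp=fp, tn=tn, fn=fn)


def expected_alerts(fpr: float, tpr: float, benign: int, malicious: int) -> tuple:
    """Project daily false and true alerts from the measured rates and a traffic mix."""
    return fpr * benign, tpr * malicious


def alert_stream_precision(fpr: float, tpr: float, benign: int, malicious: int) -> float:
    """Share of the daily alert stream that is genuine, given the base rate of attacks."""
    false_alerts, true_alerts = expected_alerts(fpr, tpr, benign, malicious)
    total = false_alerts + true_alerts
    return true_alerts / total if total else 0.0


if __name__ == "__main__":
    c = score(GROUND_TRUTH, ALERTS)
    print(c, f"FPR={c.false_positive_rate:.3f}",
          f"detection={c.detection_rate:.3f}", f"precision={c.precision:.3f}")
    # Constructed traffic mix: a million benign connections and ten attacks per day.
    print(expected_alerts(0.01, 0.9, 1_000_000, 10))
    print(f"{alert_stream_precision(0.01, 0.9, 1_000_000, 10):.4f}")
```

On the sample data the sensor catches two of three attacks but half of its alerts are false. The projection is the more sobering figure: a 1% false-positive rate applied to a million benign connections a day yields ten thousand false alerts beside roughly nine true ones, so fewer than one alert in a thousand is real. This is why false-positive rate alone is a poor evaluation criterion and why the base rate of attacks on the monitored network has to be part of any comparison between systems.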