IDS/IPS

The Challenge

IPS/IDS vendors are trying to provide higher quality security alerts by reducing false positive alerts for IDS and false negative alerts for IPS. The volume of alerts from IDS today is often seen as noise, making them inefficient. The false negative risk (risk of blocking good traffic) on IPS makes them hard to manage, and teams avoid applying stronger policy. Without metadata, IDS/IPS lacks context on the behavior of the user and the application.

How Qosmos Inside Solves the Problem

Integrating the Qosmos IxEngine library with an IDS can be used to add weights to existing IDS alerts, giving credibility to those events that fall into riskier categories. These weights are based on network metadata with attributes relating to the behavior of the user (e.g. browser type, URL length, referrer, cookies, connection time, protocol, protocol change).

The same attributes apply to IPS solutions inline, where tracked network metadata attributes weigh in on the decision to block traffic.
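The weighting described above, as an added example that is not Qosmos code: a scorer that raises an IDS alert's base severity according to which of the listed metadata attributes a flow exhibits, so that alerts with riskier context sort to the top. The attribute names, thresholds and weights are assumptions chosen for illustration.

```python
# Added example (not Qosmos code). Weights and thresholds are assumptions.
ATTRIBUTE_WEIGHTS = {
    "unknown_browser": 1.0,   # user agent does not look like a browser
    "long_url": 1.5,          # unusually long URL
    "no_referrer": 0.5,       # request arrived without a referrer
    "no_cookies": 0.5,        # no session state presented
    "off_hours": 1.0,         # connection outside assumed business hours
    "protocol_change": 2.0,   # flow switched protocol mid-stream
}

KNOWN_BROWSERS = ("Mozilla/", "Chrome/", "Safari/", "Edge/")
LONG_URL_CHARS = 512


def metadata_flags(meta: dict) -> list:
    """Return the names of the risk attributes present in one flow's metadata."""
    flags = []
    ua = meta.get("user_agent", "")
    if not any(b in ua for b in KNOWN_BROWSERS):
        flags.append("unknown_browser")
    if len(meta.get("url", "")) > LONG_URL_CHARS:
        flags.append("long_url")
    if not meta.get("referrer"):
        flags.append("no_referrer")
    if not meta.get("cookies"):
        flags.append("no_cookies")
    hour = meta.get("connection_hour")
    if hour is not None and (hour < 6 or hour >= 22):
        flags.append("off_hours")
    if meta.get("initial_protocol") != meta.get("current_protocol"):
        flags.append("protocol_change")
    return flags


def weighted_score(base_severity: float, meta: dict) -> float:
    """IDS severity scaled by 1 plus the sum of the matched attribute weights."""
    bonus = sum(ATTRIBUTE_WEIGHTS[f] for f in metadata_flags(meta))
    return base_severity * (1 + bonus)


def rank_alerts(alerts: list) -> list:
    """Order (alert_id, base_severity, meta) tuples by weighted score, highest first."""
    return sorted(alerts, key=lambda a: weighted_score(a[1], a[2]), reverse=True)
```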

Benefits for IPS / IDS vendors

- Reduces the noise that IDS systems produce, by reducing the rules processed for each flow, and reducing false positives by 50%.
- Reduces the false negative rate of rules by 50% in IPS: enables customers to confidently use rules without concern of breaking their business.
- Ability to detect protocol changes in a flow beyond the first 5-10 MB.