Problems (cont.)

• Operational failure mode: fail-open (NOT dependable)

• Hard to test - unknown quality metrics, and software testing is almost non-existent [Max98] [DS99]

• Subject to attack themselves [PN98]
  • insertion, evasion (subterfuge), denial-of-service (state-holding)

• Commercial interests are driving the market toward automated, knee-jerk intrusion response, based on flawed IDSs - somebody's going to get hurt!