Gartner Blog Network


NTA: The Other IDS?

by Anton Chuvakin  |  September 20, 2018  |  8 Comments

Have you ever wondered why academic literature – however silly much of infosec academic research is – always talks about “signature-based IDS” (“misuse”) and “anomaly-based IDS” (“abuse”), but most industry people instantly assume that “IDS = signature-based IDS”? Is this because anomaly-based IDS never worked well in the real world … or for some other reason?

Now, some of you may sneer and utter something like this: “Anton, the 1990s are over, why are you talking about IDS?” Well, the 2000s are over as well and with them, that embarrassing “IDS is dead” story…

In fact, we all know that “IDS is dead” is fake news. Detection is still rising to its proper place at the head of the table, next to Prevention. It is also dragging their third buddy, Response, with it.

So, why are we looking in this direction? Because of our planned research of NTA.

Now, WTH is NTA? This Gartner term (NTA for “Network Traffic Analysis”) is essentially our view of the evolution of NBA or NBAD of the olde times. IMHO, NTA was born to separate the old, mostly flow-based (layer-3) technology from the modern layer-7 based tech (see this BTW) that analyzes network activities for security purposes. And because NBAD does sound like the 1990s band name (“punish me … I’ve been so NBAD!!!”)…

But can somebody please explain to me why NBA then and NTA now is not just another kind of network intrusion detection system?

Hey… look at our 2018 “Magic Quadrant for Intrusion Detection and Prevention Systems”, for example. There are some players there who are in fact NTA [and will appear in the upcoming NTA Market Guide] and who predominantly use machine learning and other anomaly detection techniques, not signatures.

As context, some arguments I’ve heard include: IDS is a perimeter tech (while NTA is not), NTA does not detect intrusions per se, but mostly post-intrusion activity (but so can IDS?), “IDS is dead”, or IDS does not detect unknown threats.

So… any thoughts?

Category: analytics  network  nta  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on NTA: The Other IDS?


  1. One thing that gets lost in the shuffle is that NTA becomes synonymous with just “ML/AI” based behavioral analytics. Rule based detection IMHO is not a bad thing and can often be a far quicker and efficient way to detect the “known unknowns” than trying to learn that. Would you agree?

  2. […] today we have NIDS (detection that is assumed to be signature-based), NTA (detection by learning and baselining, and praying to AI gods). We also have not-quite-accepted […]

  3. Sandi Meyer says:

    I agree that a balanced approach is important. NTA should take lessons learned from IDS technologies, traditionally rule based and effective at detecting known threats but riddled with a high number of both false positives and negatives. While [Unsupervised] ML-based detection methods may detect unknown or anomalous threats, they are prone to a high false positive rate.

    In order for the two to be balanced and achieve what NTA should be, both rule and ML based methods need to be honed and curated. This cannot be achieved without a human element. Detections should be built from rule-based methods and correlations across flows combined with threat intelligence feeds that are curated by security researchers and further enhanced with outputs of (supervised) machine learning methods. This will produce the highest fidelity detection methods, IMHO.

    • Thanks for the comment. Indeed, decoupling NIDS, NTA and NFT is becoming much harder and many vendors claim “rules and algorithms” as well as “good data capture.”

      Also, I agree that rules/signatures will never fully die…
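As an added illustration of the balanced approach discussed in this thread (this is example code, not code from the post, Gartner or any vendor), a signature-style rule and a per-host volume baseline are run over the same constructed flow records; every host, port and byte count below is made up, and the "known-bad port" rule stands in for any signature.

```python
"""Rule-based vs. baseline (anomaly) detection over constructed NetFlow-style records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records for the current window: (src, dst, dst_port, bytes).
CURRENT = [
    ("10.0.0.5", "10.0.0.20", 445, 1500),
    ("10.0.0.5", "198.51.100.7", 443, 20000),
    ("10.0.0.7", "203.0.113.9", 4444, 900),      # low volume, matches a signature
    ("10.0.0.9", "198.51.100.2", 443, 900000),   # normal port, abnormal volume
    ("10.0.0.9", "10.0.0.20", 445, 2000),
]
# Constructed per-window egress totals from earlier windows (the "learned" baseline).
HISTORY = {
    "10.0.0.5": [18000, 22000, 19500, 21000, 20500],
    "10.0.0.7": [800, 1200, 950, 1100, 1000],
    "10.0.0.9": [30000, 28000, 32000, 29500, 31000],
}
KNOWN_BAD_PORTS = {4444}  # hypothetical signature: a port the rule set treats as known-bad

def rule_alerts(flows):
    """Signature-style: fires on a known pattern immediately, no training window needed."""
    return [(src, dst, port) for src, dst, port, _ in flows if port in KNOWN_BAD_PORTS]

def egress_per_host(flows):
    """Sum bytes sent per source host for the window."""
    totals = defaultdict(int)
    for src, _, _, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)

def baseline_alerts(flows, history, z=3.0):
    """Anomaly-style: flag a host whose egress exceeds mean + z*stdev of its own history.
    A host with no history cannot be scored at all, which is the flip side of 'learning'."""
    alerts = []
    for host, total in egress_per_host(flows).items():
        past = history.get(host)
        if not past:
            continue
        mu, sd = mean(past), pstdev(past)
        if sd > 0 and (total - mu) / sd > z:
            alerts.append((host, total, round((total - mu) / sd, 1)))
    return alerts

def combined(flows, history):
    """Both detectors side by side: each catches the case the other is blind to."""
    return {"rule": rule_alerts(flows), "baseline": baseline_alerts(flows, history)}
```

Here the 900-byte flow to port 4444 is invisible to the baseline (it is well within that host's normal volume) but trivially caught by the rule, while the 900 KB transfer over 443 matches no signature and is caught only by the baseline.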

  4. […] I allude here, my long-held impression is that no true anomaly-based network IDS (NIDS) has ever been successful […]

  5. […] those enlightened debates about log analysis (via SIEM/UEBA), network security monitoring (via NTA or, if you’d like, NDR), endpoint detection (via EDR) and overall about SOC. Even threat hunting […]


