NTA: The Other IDS?

By Anton Chuvakin | September 20, 2018 | 5 Comments


Have you ever wondered why academic literature – however silly much of infosec academic research is – always talks about “signature-based IDS” (“misuse detection”) and “anomaly-based IDS” (“anomaly detection”), but most industry people instantly assume that “IDS = signature-based IDS”? Is this because anomaly-based IDS never worked well in the real world … or for some other reason?

Now, some of you may sneer and utter something like: “Anton, the 1990s are over, why are you talking about IDS?” Well, the 2000s are over as well, and with them that embarrassing “IDS is dead” story…

In fact, we all know that “IDS is dead” is fake news. Detection is still rising to its proper place at the head of the table, next to Prevention, and it is dragging their third buddy, Response, along with it.

So, why are we looking in this direction? Because of our planned research on NTA.

Now, WTH is NTA? This Gartner term (NTA for “Network Traffic Analysis”) is essentially our view of the evolution of the NBA or NBAD of olde. IMHO, NTA was born to separate the old, mostly flow-based technology (layer-3/4 headers and byte/packet counters, NetFlow-style) from the modern layer-7 tech that analyzes network activity, including application-layer content and metadata, for security purposes. And because NBAD does sound like a 1990s band name (“punish me … I’ve been so NBAD!!!”)…

But can somebody please explain to me why NBA then, and NTA now, is not just another kind of network intrusion detection system?

Hey… look at our 2018 “Magic Quadrant for Intrusion Detection and Prevention Systems”, for example. Some of the players there are in fact NTA vendors [and will appear in the upcoming NTA Market Guide], and they predominantly use machine learning and other anomaly detection techniques, not signatures.

As context, some of the arguments I’ve heard include: IDS is a perimeter technology (while NTA is not); NTA does not detect intrusions per se but mostly post-intrusion activity (but so can IDS?); “IDS is dead”; or IDS does not detect unknown threats.
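To make the signature-versus-anomaly distinction concrete, here is an added example (not code from the original post, and not any vendor's detection logic) that runs both styles of detection over the same constructed, NetFlow-like flow records. The records, the "EvilBot/" user-agent marker, the blocklisted address, and the thresholds are all invented for illustration. The signature detector ("misuse detection") only fires on things it already knows about; the anomaly detector builds a per-host baseline of destination ports and bytes-per-flow and flags departures from it, which catches the unknown bulk transfer but also trips on a harmless new internal service.

```python
"""Signature (misuse) detection vs anomaly detection on the same flow records.

All data below is constructed for illustration; the rules are toy rules.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal week" of flows for two hosts. Each record is a
# layer-3/4 flow tuple plus one layer-7 attribute (HTTP User-Agent) that a
# flow-only (NBAD-style) collector would not see.
BASELINE = [
    {"src": "10.0.0.5", "dst": "93.184.216.34", "dport": 443, "bytes": 4200, "ua": "Mozilla/5.0"},
    {"src": "10.0.0.5", "dst": "93.184.216.34", "dport": 443, "bytes": 3900, "ua": "Mozilla/5.0"},
    {"src": "10.0.0.5", "dst": "93.184.216.34", "dport": 80,  "bytes": 4500, "ua": "Mozilla/5.0"},
    {"src": "10.0.0.5", "dst": "93.184.216.34", "dport": 443, "bytes": 4100, "ua": "Mozilla/5.0"},
    {"src": "10.0.0.5", "dst": "93.184.216.34", "dport": 80,  "bytes": 4300, "ua": "Mozilla/5.0"},
    {"src": "10.0.0.7", "dst": "93.184.216.34", "dport": 443, "bytes": 1000, "ua": "Mozilla/5.0"},
    {"src": "10.0.0.7", "dst": "93.184.216.34", "dport": 443, "bytes": 1200, "ua": "Mozilla/5.0"},
    {"src": "10.0.0.7", "dst": "93.184.216.34", "dport": 443, "bytes": 800,  "ua": "Mozilla/5.0"},
    {"src": "10.0.0.7", "dst": "93.184.216.34", "dport": 443, "bytes": 1000, "ua": "Mozilla/5.0"},
]

# Constructed "live" flows to score. f2 is a beacon that looks normal at
# layer 3/4 but carries a known-bad User-Agent; f3 talks to a blocklisted
# address; f4 is a large transfer to a host nobody has a signature for;
# f5 is a benign first contact with a new internal service.
LIVE = [
    {"id": "f1", "src": "10.0.0.5", "dst": "93.184.216.34", "dport": 443,  "bytes": 4000,   "ua": "Mozilla/5.0"},
    {"id": "f2", "src": "10.0.0.5", "dst": "198.51.100.20", "dport": 443,  "bytes": 4100,   "ua": "EvilBot/1.0"},
    {"id": "f3", "src": "10.0.0.7", "dst": "203.0.113.9",   "dport": 443,  "bytes": 1100,   "ua": "Mozilla/5.0"},
    {"id": "f4", "src": "10.0.0.7", "dst": "192.0.2.77",    "dport": 22,   "bytes": 250000, "ua": ""},
    {"id": "f5", "src": "10.0.0.5", "dst": "10.0.0.50",     "dport": 8080, "bytes": 500,    "ua": "Mozilla/5.0"},
]

# Hypothetical threat intel: one bad destination, one bad User-Agent marker.
BLOCKLIST = {"203.0.113.9"}
SIGNATURES = [
    ("known-bad-user-agent", lambda f: "EvilBot/" in f["ua"]),       # needs L7 visibility
    ("blocklisted-destination", lambda f: f["dst"] in BLOCKLIST),    # works on L3 alone
]


def signature_alerts(flows):
    """Misuse detection: fire only on flows matching a known-bad pattern."""
    return [(name, f["id"]) for f in flows for name, match in SIGNATURES if match(f)]


def build_baseline(flows):
    """Per-source profile: set of destination ports seen, mean/std of bytes per flow."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for f in flows:
        ports[f["src"]].add(f["dport"])
        sizes[f["src"]].append(f["bytes"])
    return {src: {"ports": ports[src], "mean": mean(sizes[src]), "std": pstdev(sizes[src])}
            for src in ports}


def anomaly_alerts(flows, baseline, k=3.0):
    """Anomaly detection: flag departures from the per-source baseline.

    A flow is flagged if its source was never profiled, if it uses a destination
    port the source has never used, or if its byte count exceeds mean + k*std.
    Nothing here knows what an attack looks like, so unknown threats can be
    caught, but so can harmless novelty (a false positive).
    """
    alerts = []
    for f in flows:
        prof = baseline.get(f["src"])
        if prof is None:
            alerts.append(("never-seen-source", f["id"]))
            continue
        if f["dport"] not in prof["ports"]:
            alerts.append(("new-destination-port", f["id"]))
        if f["bytes"] > prof["mean"] + k * prof["std"]:
            alerts.append(("bytes-above-baseline", f["id"]))
    return alerts


if __name__ == "__main__":
    print("signature:", signature_alerts(LIVE))
    print("anomaly:  ", anomaly_alerts(LIVE, build_baseline(BASELINE)))
```

Run as-is, the signature path reports f2 and f3 and stays silent on f4, the flow that actually moves 250 KB to an address no feed has listed; the anomaly path reports f4 twice (new port, oversized flow) and also f5, the benign first contact, and says nothing about f2, because a beacon that matches the host's usual port and size is invisible without the layer-7 attribute. Whether one files both detectors under "IDS" or only the first one is exactly the naming question the post raises.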

So… any thoughts?

Comments are closed


  • One thing that gets lost in the shuffle is that NTA becomes synonymous with just “ML/AI”-based behavioral analytics. Rule-based detection IMHO is not a bad thing and can often be a far quicker and more efficient way to detect the “known unknowns” than trying to learn that. Would you agree?

  • Sandi Meyer says:

    I agree that a balanced approach is important. NTA should take lessons learned from IDS technologies, traditionally rule-based and effective at detecting known threats but riddled with a high number of both false positives and negatives. While [unsupervised] ML-based detection methods may detect unknown or anomalous threats, they are prone to a high false positive rate.

    In order for the two to be balanced and achieve what NTA should be, both rule-based and ML-based methods need to be honed and curated. This cannot be achieved without a human element. Detections should be built from rule-based methods and correlations across flows, combined with threat intelligence feeds that are curated by security researchers and further enhanced with outputs of (supervised) machine learning methods. This will produce the highest-fidelity detection methods, IMHO.

    • Thanks for the comment. Indeed, decoupling NIDS, NTA and NFT is becoming much harder and many vendors claim “rules and algorithms” as well as “good data capture.”

      Also, I agree that rules/signatures will never fully die…