Chapter 8: Network Intrusion Detection and Alert Classification
Learning Objectives
Map security events to their source technologies: IDS/IPS, firewalls, proxies, antivirus, and NetFlow
Classify alerts as true positives, false positives, true negatives, false negatives, and benign events
Compare deep packet inspection with packet filtering and stateful firewall operation
Differentiate inline traffic interrogation from TAPs and traffic mirroring architectures
Section 1: Event Source Mapping
A security event is any observable occurrence on a network or system that may have security implications. Before an analyst can investigate anything, they must understand which technology produced the alert — because the data format, fidelity, and meaning differ significantly between sources.
1.1 The Five Primary Event Sources
Source Technology | What It Monitors                        | Typical Event Data
IDS/IPS           | Network traffic patterns and signatures | Timestamp, src/dst IP, port, protocol, signature ID, severity, rule name
NetFlow tells you that 50 GB left the network overnight to an unfamiliar IP — but not what those bytes contained. An IDS alert fires on a signature match, but only DPI confirms what was in the payload. True situational awareness requires correlating events across all five sources in a SIEM.
1.2 IDS vs. IPS Event Generation
An IDS operates in passive mode — it monitors a copy of network traffic and generates alerts when it detects patterns matching known attack signatures or statistical anomalies. It takes no blocking action. An IPS operates inline — traffic passes through the device, and it can drop, reset, or quarantine packets in real time.
Detection methods used by IDS/IPS:
Signature-based detection: Matches traffic against a library of known attack patterns. Fast and precise for known threats, but blind to zero-day attacks.
Anomaly/behavior-based detection: Establishes a baseline of normal traffic and alerts on statistical deviations. Catches novel attacks but generates more false positives.
1.3 Proxy, Antivirus, and NetFlow Correlation
When an IDS fires an alert for a suspicious outbound connection, the proxy log reveals whether a user manually visited a malicious site or whether the connection was automated (possible C2 beaconing). AV/EDR events link network activity to endpoint behavior — a NetFlow anomaly showing data exfiltration gains much more meaning when correlated with an AV event showing a ransomware dropper executed 10 minutes earlier.
NetFlow records who talked to whom, when, for how long, and how much data transferred — without capturing payload content. It is invaluable for baselining normal traffic patterns and detecting anomalies at scale.
Key Points — Event Source Mapping
Five primary sources feed the SIEM: IDS/IPS, Firewall/NGFW, Proxy, AV/EDR, and NetFlow — each captures a different dimension of network activity.
IDS is passive (alert only); IPS is inline (can block). Signature-based detection excels on known threats; anomaly detection can catch zero-days at the cost of higher false positives.
NetFlow provides long-term behavioral baselines but has no payload visibility; proxy logs add URL-layer context; AV/EDR ties network events to endpoint behavior.
No single source provides complete visibility — SIEM correlation across all five is required for accurate threat determination.
NGFW logs include application-layer context that traditional firewall logs lack: recognizing that a port 443 connection is actually BitTorrent requires the application identification an NGFW performs on the payload.
Pre-Check: Event Source Mapping
1. Which event source captures flow metadata (src/dst IP, ports, byte counts) but does NOT capture payload content?
2. An IDS sensor detects a suspicious outbound connection from host 10.1.5.22. Which complementary source would best reveal whether the connection was user-initiated browsing or automated C2 beaconing?
3. A Next-Generation Firewall (NGFW) log shows that permitted traffic on port 443 is actually a BitTorrent client. Which NGFW capability enables this identification?
Section 2: Alert Classification and Triage
2.1 The Four-Category Classification Model
Classification      | Real-World Situation                      | Alert Fired? | Threat Real? | Analyst Action
True Positive (TP)  | Port scan from external attacker          | Yes          | Yes          | Investigate and respond
False Positive (FP) | Vulnerability scanner triggers IDS rules  | Yes          | No           | Tune rule or whitelist scanner
True Negative (TN)  | Normal HTTPS web browsing passes silently | No           | No           | No action needed
False Negative (FN) | Zero-day exploit bypasses all signatures  | No           | Yes          | Most dangerous: missed threat
False Positives are the bane of SOC operations. An IDS that fires constantly on legitimate traffic trains analysts to ignore alerts — the security equivalent of the boy who cried wolf. False Negatives represent the most dangerous failure mode: a missed real threat may result in an undetected breach.
2.2 SOC Extended Classification: Benign and Suspicious
Benign / True Positive: Alert fires on real activity that is expected and authorized (e.g., a scheduled vulnerability scan). No incident response required — rule should be tuned or whitelisted.
Suspicious / Undetermined: Alert fires on activity that cannot immediately be classified. The analyst must gather more context — check proxy logs, query the SIEM, contact the asset owner.
2.3 Worked Triage Example: IDS Alert for a Suspicious Outbound Connection
The IDS fires on repeated outbound connections from host 10.1.5.22. The analyst works through the complementary sources:
Verify the source asset: 10.1.5.22 is a Windows workstation in finance, assigned to user jsmith.
Check NetFlow: 47 connections to 198.51.100.5 in 6 hours, each lasting exactly 60 seconds with 512 bytes outbound and spaced at a near-constant interval; this regularity is characteristic of C2 beaconing.
Check proxy logs: The connections do not appear in the proxy logs, so the traffic bypassed the proxy (consistent with malware talking directly to an IP address).
Check AV/EDR: No AV alert, but endpoint logs show a suspicious PowerShell execution 8 hours ago.
MITRE ATT&CK mapping: T1071.001 (Application Layer Protocol: Web Protocols), a sub-technique of T1071 under the Command and Control tactic.
Classification: True Positive. Initiate incident response and isolate the host.
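The beacon test and the cross-source correlation described above, as an added Python example that is not part of this chapter. The NetFlow, proxy and endpoint records are constructed to match the walkthrough for 10.1.5.22; the record layouts, the thresholds (at least 10 flows, interval coefficient of variation at most 0.15) and the 24-hour endpoint lookback are assumptions rather than any product's format or defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# All records below are constructed for this example.
BASE = datetime(2024, 3, 4, 0, 0, 0)
C2_KEY = ("10.1.5.22", "198.51.100.5", 443)

# NetFlow-style records: (start, src_ip, dst_ip, dst_port, duration_s, bytes_out).
# 47 fixed-size, fixed-duration flows every 460 s, plus three bursts of ordinary browsing.
FLOWS = [(BASE + timedelta(seconds=460 * i), "10.1.5.22", "198.51.100.5", 443, 60, 512)
         for i in range(47)]
FLOWS += [(BASE + timedelta(minutes=m), "10.1.5.22", "93.184.216.34", 443, d, b)
          for m, d, b in ((5, 3, 14832), (61, 11, 90211), (240, 2, 4096))]

# Proxy log: (time, client_ip, user, destination as recorded by the proxy, status).
# The browsing shows up; the C2 destination never does.
PROXY_LOG = [(BASE + timedelta(minutes=5), "10.1.5.22", "jsmith", "93.184.216.34", 200),
             (BASE + timedelta(minutes=61), "10.1.5.22", "jsmith", "93.184.216.34", 200),
             (BASE + timedelta(minutes=240), "10.1.5.22", "jsmith", "93.184.216.34", 304)]

# Endpoint (AV/EDR) process log: (time, host_ip, command_line). The hidden,
# encoded PowerShell ran shortly before the beaconing started.
ENDPOINT_LOG = [(BASE - timedelta(hours=2), "10.1.5.22",
                 "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand"),
                (BASE - timedelta(hours=30), "10.1.5.22", "outlook.exe")]


def find_beacons(flows, min_count=10, max_cv=0.15):
    """Group flows by (src, dst, port) and flag groups whose inter-arrival times
    are nearly constant. Regularity is the coefficient of variation (stdev / mean)
    of the gaps: human browsing is bursty (high CV), an automated check-in is
    periodic (CV near zero). Thresholds are assumptions."""
    groups = defaultdict(list)
    for start, src, dst, port, duration, bytes_out in flows:
        groups[(src, dst, port)].append((start, duration, bytes_out))
    beacons = {}
    for key, recs in groups.items():
        if len(recs) < min_count:
            continue
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        if mean(gaps) <= 0:
            continue
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            beacons[key] = {
                "count": len(recs),
                "mean_interval_s": mean(gaps),
                "interval_cv": round(cv, 3),
                "fixed_size": len({r[2] for r in recs}) == 1,
                "fixed_duration": len({r[1] for r in recs}) == 1,
                "first_seen": recs[0][0],
                "last_seen": recs[-1][0],
            }
    return beacons


def correlate(key, stats, proxy_log, endpoint_log, lookback=timedelta(hours=24)):
    """Add proxy and endpoint context to one beacon candidate and suggest a
    triage outcome. The analyst still owns the final call."""
    src, dst, _ = key
    proxy_seen = any(c == src and dest == dst for _, c, _, dest, _ in proxy_log)
    window = (stats["first_seen"] - lookback, stats["first_seen"])
    endpoint_hits = [(t, cmd) for t, host, cmd in endpoint_log
                     if host == src and window[0] <= t <= window[1]
                     and "powershell" in cmd.lower()]
    reasons = [f"{stats['count']} flows, interval CV {stats['interval_cv']}"]
    if stats["fixed_size"]:
        reasons.append("constant outbound byte count")
    if not proxy_seen:
        reasons.append("destination never seen by the web proxy (direct-to-IP traffic)")
    if endpoint_hits:
        reasons.append(f"{len(endpoint_hits)} suspicious PowerShell execution(s) before the first beacon")
    verdict = "True Positive" if (not proxy_seen and endpoint_hits) else "Suspicious / Undetermined"
    # ATT&CK mapping assumed for periodic check-ins over a web port.
    return {"verdict": verdict, "proxy_seen": proxy_seen, "endpoint_hits": endpoint_hits,
            "attack_technique": "T1071.001", "reasons": reasons}


def triage(flows=FLOWS, proxy_log=PROXY_LOG, endpoint_log=ENDPOINT_LOG):
    """Run detection and correlation over all flows; returns {key: result}."""
    return {key: correlate(key, stats, proxy_log, endpoint_log)
            for key, stats in find_beacons(flows).items()}


if __name__ == "__main__":
    for key, result in triage().items():
        print(key, result["verdict"])
        for reason in result["reasons"]:
            print("   -", reason)
```

The periodicity test is deliberately tolerant of some jitter, because real implants randomize their sleep interval; the verdict is a suggestion for the analyst to confirm, not a replacement for the judgment the walkthrough describes.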
2.4 Alert Fatigue and Prioritization
Effective prioritization strategies:
Severity scoring: Weight by asset criticality — a medium alert on a domain controller outweighs a high alert on an isolated test machine.
MITRE ATT&CK alignment: Escalate alerts mapping to high-impact techniques (lateral movement, credential dumping) over reconnaissance noise.
IOC validation: Cross-reference IPs, domains, and hashes against threat intelligence feeds (VirusTotal, MISP).
Baseline-relative analysis: An alert on a server that has never made outbound connections at 2 AM carries far more weight than on one that routinely does.
Rule tuning: Continuously refine IDS/IPS rules to suppress known false-positive sources. An untuned IDS can be worse than no IDS, because it consumes analyst time and trains the team to ignore its output.
Key Points — Alert Classification and Triage
Four alert classifications: TP (real threat, alert fires), FP (benign, alert fires), TN (benign, no alert), FN (real threat, no alert).
False negatives are the most dangerous — missed real threats may lead to undetected breaches. They motivate behavioral analytics and threat intelligence integration.
False positives drive alert fatigue: analysts overwhelmed by noise begin ignoring everything, including genuine incidents.
SOC triage extends the model with "Benign" (authorized activity that legitimately fires rules) and "Suspicious" (undetermined — requires investigation).
Effective triage always uses multi-source correlation: an IDS alert is only the starting point, not the conclusion.
Pre-Check: Alert Classification
4. A vulnerability scanner run by the IT security team triggers 50 IDS alerts. The team confirms this is their authorized scan. How should these alerts be classified?
5. Which failure mode is MOST dangerous from a security operations perspective?
6. An analyst receives an IDS alert about a host making 47 identical 512-byte outbound connections to the same IP over 6 hours, each lasting exactly 60 seconds and spaced at a near-constant interval. This regular timing pattern is most characteristic of:
Section 3: Deep Packet Inspection and Firewall Comparison
Firewall technology has evolved through three distinct generations, each increasing visibility into network traffic at the cost of additional processing overhead. Modern networks deploy all three simultaneously — each protecting different layers.
3.1 Generation 1: Packet Filtering (Stateless)
Packet filtering firewalls operate at OSI Layers 3 and 4. They examine each packet in complete isolation — no memory of previous packets, no concept of a TCP session, no awareness of what follows in the data stream.
Can do: Block specific source IPs, deny specific destination ports (e.g., block port 23 Telnet inbound), permit only specific protocols, implement basic router ACLs.
Cannot do: Distinguish a TCP SYN flood from legitimate connection establishment, block TCP session hijacking, detect malware inside permitted HTTP traffic, identify apps using non-standard ports.
3.2 Generation 2: Stateful Inspection
Stateful inspection maintains a state table — a database of active network connections tracking each session's five-tuple (src IP, dst IP, src port, dst port, protocol) and current TCP state.
State Table Entry (example):
  Protocol:      TCP
  Src IP:Port    192.168.1.100:54321
  Dst IP:Port    93.184.216.34:443
  State:         ESTABLISHED
  Idle timeout:  300s (the entry is purged if no packet refreshes it in time)
  Bytes:         14,832
Beyond the five-tuple and state, the firewall records the sequence and acknowledgment numbers it expects from each side. A forged packet claiming to be part of this session is dropped if no entry matches its five-tuple, if its flags make no sense for the session's current phase (for example, data before the handshake completes), or if its sequence number falls outside the window the firewall expects. Limitation: it still cannot see inside the payload; an ESTABLISHED HTTPS session could be carrying malware.
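The two generations side by side, as an added Python example (not the chapter's own code). It models a stateless "established" ACL and a minimal state-table firewall, replays a legitimate session through both, and then sends the forged ACK+PSH segment of Pre-Check question 9. The policy (inside network 192.168.1.0/24, inbound Telnet blocked, new sessions only from inside), the addresses and the sequence numbers are assumptions; the sequence check is stricter than a real firewall's window-based check, and idle timeouts are omitted.

```python
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed trusted side


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}
    seq: int = 0
    ack: int = 0
    payload_len: int = 0


def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE_NET


def stateless_filter(pkt):
    """Generation 1: decides on this packet's headers alone. Assumed policy: permit
    all outbound TCP, block inbound Telnet, and permit other inbound packets only if
    they 'belong to an existing connection', which without state can only be tested
    as 'the ACK bit is set' (the classic router-ACL 'established' keyword)."""
    if is_inside(pkt.src):
        return "ALLOW"
    if pkt.dport == 23:
        return "DROP"
    return "ALLOW" if "ACK" in pkt.flags else "DROP"


class StatefulFirewall:
    """Generation 2: a state table keyed by the initiator's 5-tuple; each packet is
    checked against the session's handshake phase and expected sequence number."""

    def __init__(self):
        self.table = {}

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, "TCP")
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, "TCP")
        if fwd in self.table:
            key, side = fwd, "orig"
        elif rev in self.table:
            key, side = rev, "reply"
        elif pkt.flags == {"SYN"} and is_inside(pkt.src):
            # Only an inside-originated SYN may create state (assumed policy).
            self.table[fwd] = {"state": "SYN_SENT", "bytes": 0,
                               "expect": {"orig": pkt.seq + 1, "reply": None}}
            return "ALLOW"
        else:
            return "DROP"  # no session, and not a permitted session start
        entry = self.table[key]
        if "RST" in pkt.flags:
            del self.table[key]
            return "ALLOW"
        expect, state = entry["expect"], entry["state"]
        if state == "SYN_SENT" and side == "reply" and pkt.flags == {"SYN", "ACK"}:
            if pkt.ack != expect["orig"]:
                return "DROP"
            expect["reply"] = pkt.seq + 1
            entry["state"] = "SYN_RECV"
        elif (state == "SYN_RECV" and side == "orig" and pkt.flags == {"ACK"}
              and pkt.seq == expect["orig"] and pkt.ack == expect["reply"]):
            entry["state"] = "ESTABLISHED"
        elif state == "ESTABLISHED" and "ACK" in pkt.flags:
            # Simplified: the segment must start at the next expected byte; real
            # firewalls accept any sequence number inside the receiver's window.
            if pkt.seq != expect[side]:
                return "DROP"
            expect[side] += pkt.payload_len + ("FIN" in pkt.flags)
            entry["bytes"] += pkt.payload_len
        else:
            return "DROP"  # flags inconsistent with the session's phase
        return "ALLOW"


def run_scenario():
    """Replay a legitimate session through both models, then two inbound ACK+PSH
    packets an attacker on 203.0.113.9 might send (sequence numbers guessed)."""
    F = frozenset
    fw = StatefulFirewall()
    client, server = ("192.168.1.100", 54321), ("93.184.216.34", 443)
    legit = [
        Packet(*client, *server, F({"SYN"}), seq=1000),
        Packet(*server, *client, F({"SYN", "ACK"}), seq=5000, ack=1001),
        Packet(*client, *server, F({"ACK"}), seq=1001, ack=5001),
        Packet(*client, *server, F({"ACK", "PSH"}), seq=1001, ack=5001, payload_len=200),
        Packet(*server, *client, F({"ACK", "PSH"}), seq=5001, ack=1201, payload_len=1400),
    ]
    legit_results = [fw.process(p) for p in legit]
    spoofed = Packet(*server, *client, F({"ACK", "PSH"}), seq=777777, ack=1201, payload_len=40)
    probe = Packet("203.0.113.9", 40000, "192.168.1.100", 8080, F({"ACK", "PSH"}), seq=1, ack=1, payload_len=20)
    return {
        "legit": legit_results,
        "spoofed": (stateless_filter(spoofed), fw.process(spoofed)),
        "probe": (stateless_filter(probe), fw.process(probe)),
        "session_bytes": fw.table[(*client, *server, "TCP")]["bytes"],
    }
```

The stateless filter allows both attacker packets because each has the ACK bit set, which is all the "established" keyword can test. The stateful model drops the forged segment because its sequence number does not match the session entry, and drops the probe because no entry exists for that five-tuple.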
3.3 Generation 3: Deep Packet Inspection (DPI)
DPI examines the complete contents of a packet, including its payload. DPI can reconstruct application-layer protocols, identify the actual application regardless of port number, and scan for content patterns.
Application identification: Detect BitTorrent traffic even if it runs on port 443.
Malware detection: Scan file downloads for known signatures.
Protocol validation: Detect HTTP traffic that doesn't follow RFC specifications — a common C2 indicator.
TLS inspection: Terminate the client's TLS session on the firewall, present a certificate re-signed by an internal CA that managed endpoints have been configured to trust, inspect the plaintext, and re-encrypt toward the server. Applications that pin their certificates refuse the substituted certificate rather than submit to inspection.
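Application identification and protocol validation in code, as an added Python example rather than the chapter's own. The BitTorrent handshake prefix, the TLS handshake-record layout and the HTTP request-line grammar are real protocol fingerprints; the sample payloads are constructed, the RFC 7230 checks are a small subset of the specification, and the port-to-application expectations are an assumed policy. TLS inspection itself is not shown, since it needs a full TLS stack.

```python
import re

# Protocol fingerprints for the first client-to-server bytes of a stream.
BT_HANDSHAKE = b"\x13BitTorrent protocol"  # pstrlen 19 followed by the protocol string
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")
HEADER_NAME = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 token
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH", b"TRACE", b"CONNECT"}
EXPECTED_ON_PORT = {443: "tls-client-hello", 80: "http", 22: "ssh"}  # assumed policy


def identify_application(payload):
    """Classify a stream by its content, ignoring the port it runs on."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    # TLS record: type 0x16 (handshake), major version 0x03, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-client-hello"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    return "unknown"


def validate_http_request(payload):
    """Return deviations from RFC 7230 found in the request head. Malware that
    imitates HTTP often gets only the request line right, so anomalies here are a
    useful C2 indicator. Only a small subset of the RFC is checked."""
    anomalies = []
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        anomalies.append("header block not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return anomalies + ["request line is not 'method target version'"]
    method, _target, version = parts
    if method not in HTTP_METHODS:
        anomalies.append(f"non-standard method {method!r}")
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        anomalies.append(f"bad version {version!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not HEADER_NAME.fullmatch(name):
            anomalies.append(f"malformed header line {line!r}")
            continue
        headers[name.lower()] = value.strip()
    if version == b"HTTP/1.1" and b"host" not in headers:
        anomalies.append("HTTP/1.1 request without Host header")
    if method == b"POST" and not (headers.keys() & {b"content-length", b"transfer-encoding"}):
        anomalies.append("POST without Content-Length or Transfer-Encoding")
    return anomalies


def inspect_flow(dst_port, payload):
    """What DPI adds over a port-based rule: the real application, whether it
    matches what the port implies, and protocol-conformance anomalies."""
    app = identify_application(payload)
    expected = EXPECTED_ON_PORT.get(dst_port)
    return {"app": app,
            "port_mismatch": expected is not None and app != expected,
            "anomalies": validate_http_request(payload) if app == "http" else []}


# Constructed sample flows: (dst_port, first payload bytes of the stream).
SAMPLES = {
    "torrent_on_443": (443, BT_HANDSHAKE + bytes(8) + b"\xaa" * 20 + b"-qB4520-" + bytes(12)),
    "https": (443, bytes([0x16, 0x03, 0x01, 0x00, 0xc4, 0x01, 0x00, 0x00, 0xc0, 0x03, 0x03]) + bytes(32)),
    "good_http": (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"),
    "c2_http": (8080, b"POST /gate.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nbad header\r\n\r\nid=a1"),
}


def inspect_all(samples=SAMPLES):
    return {name: inspect_flow(port, data) for name, (port, data) in samples.items()}


if __name__ == "__main__":
    for name, verdict in inspect_all().items():
        print(name, verdict)
```

The BitTorrent sample on port 443 is flagged as a port mismatch even though a stateful firewall would log it as an ordinary ESTABLISHED HTTPS session, and the constructed "C2" request collects three anomalies (a malformed header line, no Host header, and a POST with no body length) that a port-80 rule would never see.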
3.4 Comprehensive Comparison
Feature                    | Packet Filtering | Stateful Inspection     | DPI               | NGFW
Inspection depth           | Headers only     | Headers + session state | Headers + payload | Headers + state + payload + app identity
Session awareness          | No               | Yes                     | Yes               | Yes
Application identification | No               | No                      | Partial           | Yes
Malware detection          | No               | No                      | Yes               | Yes (with sandboxing)
TLS inspection             | No               | No                      | Optional          | Yes
Performance impact         | Minimal          | Low–Medium              | High              | Very High
Typical use case           | Router ACLs      | Perimeter firewall      | NGFW component    | Enterprise perimeter
Key Points — Firewall Comparison
Packet filtering: inspects IP headers and ports only, no session memory — fastest but blind to session-based attacks and payload threats.
Stateful inspection: adds a state table tracking TCP connection phases — blocks session hijacking and spoofed packets but still cannot see payload content.
Deep Packet Inspection (DPI): examines the full payload — enables application identification, malware detection, and protocol validation at high processing cost.
NGFWs combine all three layers plus threat intelligence, user identity, and sandboxing — the modern enterprise standard but with the highest performance overhead.
TLS inspection is DPI's key challenge: without a trusted CA certificate performing man-in-the-middle decryption, HTTPS payload remains opaque even to DPI.
Pre-Check: Firewall Comparison
7. A traditional stateful inspection firewall logs an ESTABLISHED TCP session on port 443. Unknown to the firewall, the payload contains a malware C2 channel. Which statement is most accurate?
8. Which firewall generation can identify that traffic on port 443 is actually BitTorrent rather than HTTPS?
9. An organization uses a packet filtering firewall. An attacker sends a TCP packet with ACK+PSH flags set, spoofing an established session. What is the most likely outcome?
Section 4: Traffic Monitoring Architectures
4.1 Inline vs. Out-of-Band
How a security tool receives network traffic is as important as what it does with it:
Inline (in-band): Traffic flows through the monitoring device, which can inspect and block it. Required for IPS, NGFW, and WAF operation. Adds latency and creates a single point of failure unless fail-open hardware or a bypass TAP is in the path.
Out-of-band (passive): The monitoring device receives a copy of the traffic. It can inspect but not block. Used for IDS sensors, network forensics tools, and flow collectors. No impact on production traffic.
4.2 Network TAPs: Passive Hardware Capture
A Network TAP (Test Access Point) is a passive hardware device inserted between two network devices. It creates a physical copy of all traffic flowing across the link without touching the original traffic path.
TAP Characteristic    | Detail
No IP address         | A passive TAP has no network identity, so it cannot be addressed or attacked over the network; physical access is its only attack surface
Zero latency impact   | A passive TAP only splits the physical signal and adds no processing delay to the production link
No packet loss        | The TAP forwards every frame on the link, including malformed ones, at line rates from 1G to 400G; the capture is then only as complete as the tool or packet broker behind the TAP can keep up with
Forensic value        | A TAP copy is complete and unaltered, which makes it far easier to defend as evidence than a SPAN copy that may have silently dropped frames (admissibility itself is decided by the court and by chain of custody, not by the capture method)
Bidirectional capture | Captures both directions of a full-duplex link, either as two separate streams or merged by an aggregation TAP
TAP types: Passive optical TAP (fiber), Active regeneration TAP (multiple tools), Bypass TAP (maintains connectivity if inline tool fails), Data Diode TAP (enforces unidirectional flow in OT/ICS environments).
4.3 SPAN Ports: Software Traffic Mirroring
A SPAN port (Switched Port Analyzer) copies traffic from source ports or VLANs to a designated monitoring port — configured entirely in software on the switch.
SPAN Limitation          | Technical Detail
Packet loss under load   | The switch prioritizes forwarding production traffic; mirrored frames are dropped first when the monitoring port or switch fabric is oversubscribed (e.g., two full-duplex 1G ports mirrored into one 1G monitor port)
Corrupt frame discarding | Frames that fail CRC or are undersized/oversized are discarded before mirroring, so the monitor never sees malformed-frame attacks or physical-layer faults
Duplicate packets        | Mirroring both ingress and egress, or several ports a packet traverses, copies the same frame more than once, inflating byte counts and potentially firing the same IDS signature twice
Weaker evidentiary value | Because frames may be dropped or duplicated without any record of it, a SPAN capture is harder to defend as a complete record of what crossed the wire
4.4 Deployment Best Practices
Match the tool to the threat model: IPS inline at the perimeter for active blocking; TAP-fed IDS internally for threat hunting without risking production impact.
Defense in depth for monitoring: Deploy both inline and out-of-band tools. An inline NGFW blocks known threats; a TAP-fed IDS captures everything for forensic analysis and catches what the NGFW misses.
Place TAPs strategically: Perimeter uplinks, data center access segments, server-to-server East-West paths, and any link carrying regulated data (PCI, HIPAA).
Aggregate with a visibility fabric: A Network Packet Broker (NPB) aggregates traffic from multiple TAPs/SPANs, filters and load-balances it across multiple security tools.
Plan for failure modes: Bypass TAPs ensure that if an inline IPS appliance fails, traffic continues to flow — trading temporary security coverage for availability.
Healthcare Example: A hospital monitors EHR traffic through a SPAN session and finds that during peak morning shifts the switch drops mirrored frames. An attacker moving laterally exfiltrates patient records over a 12-hour window, and the incomplete SPAN capture cannot show what left the network, weakening both the investigation and the evidence. A passive TAP in the $2,000–$5,000 range would have produced a complete, unaltered copy at full line rate, supporting the organization's HIPAA audit and breach-investigation obligations.
Key Points — Traffic Monitoring Architectures
Inline deployment (IPS/NGFW) enables real-time blocking but adds latency and creates a single point of failure — if the device fails, traffic may be blocked entirely.
Out-of-band deployment (TAP or SPAN) receives a copy of traffic — provides zero production impact but cannot block threats in real time.
Network TAPs provide complete, unaltered, zero-impact capture that is straightforward to defend as evidence; SPAN ports are lower-cost but drop and duplicate frames under congestion, which undermines their value as a forensic record.
Full packet capture (TAP) and NetFlow are complementary: TAPs provide deep forensic fidelity for short windows; NetFlow provides long-term behavioral baselines across the full network.
Best-practice architectures deploy both: inline tools (prevention) and TAP-fed tools (detection and forensics) — defense in depth for monitoring.
Post-Check: Traffic Monitoring Architectures
10. A healthcare organization needs to deploy an IDS to monitor EHR server traffic. The traffic link carries PHI subject to HIPAA. Which monitoring approach is most appropriate?
11. Which statement correctly describes a key limitation of SPAN port monitoring compared to a network TAP?
12. An IPS appliance is deployed inline. During a hardware failure, the device loses power. What device ensures that network traffic continues to flow despite this failure?
13. A SOC analyst wants to detect C2 beaconing patterns occurring over months. The organization cannot store full packet captures beyond 72 hours due to cost. Which complementary technology provides the long-term visibility needed?
14. Which IDS/IPS detection method is most likely to catch a previously unknown zero-day exploit that has no known signature?
15. In a properly designed SOC, which combination of monitoring architectures provides both real-time blocking capability AND forensically sound packet capture for post-incident investigation?