
Comment Re:Put your network on autopilot? (Score 1) 88

Conventional IDS/IPS products are mired in false positives because they attempt to enumerate attack traffic. You can't enumerate an infinite set. This is the negative model. The negative model is useful for detecting the attack that you know about but haven't completely patched for yet. This is a good place to deploy current IPS. To go beyond this, define the traffic that you DO expect to see, and derive attacks by what is left. This is the positive model. Real-world detection systems never achieve good and actionable information until the positive model has been integrated into the negative model policy. That's why it takes so long to tune your IDS/IPS. The vendors who claim to give you a big red button to press haven't figured this out yet.
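As an added example (not part of the comment above), here is a small Python triage routine that applies the two models the comment describes: a negative model of known-bad signatures is checked first, then a positive policy of expected flows, and whatever is left over is raised as an alert. The networks, ports, signatures and flow records are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One observed flow: source, destination, destination port, first payload bytes."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Negative model: enumerate what we know is bad. Constructed, illustrative signatures only.
NEGATIVE_SIGNATURES = {
    "path-traversal-marker": b"../",
}

# Positive model: enumerate what we expect to see, as (src network, dst network, dst port).
# Constructed policy for a hypothetical 10.0.0.0/8 environment.
POSITIVE_POLICY = [
    (ip_network("10.0.1.0/24"), ip_network("10.0.2.10/32"), 443),  # clients -> web tier
    (ip_network("10.0.1.0/24"), ip_network("10.0.2.53/32"), 53),   # clients -> resolver
]


def negative_match(flow):
    """Return the name of the first known-bad signature found in the payload, else None."""
    for name, pattern in NEGATIVE_SIGNATURES.items():
        if pattern in flow.payload:
            return name
    return None


def positive_match(flow):
    """True if some expected-traffic rule covers this flow."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    return any(src in s and dst in d and flow.dport == p for s, d, p in POSITIVE_POLICY)


def classify(flow):
    """Negative model first (known attacks, even inside expected traffic), then positive
    model; anything that matches neither is 'what is left' and gets an alert."""
    sig = negative_match(flow)
    if sig:
        return ("alert", f"known-bad:{sig}")
    if positive_match(flow):
        return ("allow", "expected-traffic")
    return ("alert", "unexpected-traffic")


# Constructed sample flows: expected web request, traversal probe, SSH to the web tier,
# and DNS from a subnet the policy does not expect.
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "10.0.2.10", 443, b"GET / HTTP/1.1"),
    Flow("10.0.1.5", "10.0.2.10", 443, b"GET /../../etc/passwd HTTP/1.1"),
    Flow("10.0.1.5", "10.0.2.10", 22, b"SSH-2.0-client"),
    Flow("10.0.3.9", "10.0.2.53", 53, b"\x12\x34\x01\x00"),
]
```

Note that a negative-only deployment would pass the last two flows silently; only the positive policy turns them into actionable alerts.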
