Wednesday, March 14, 2012

numerous ICMP packets have arrived

numerous ICMP packets have arrived within a small time interval; application-specific buffer-overflow attacks that aim to obtain root privilege, such as subverting an FTP server with an over-long "MKDIR" command, may require buffering and reassembling several packets before the whole FTP command can be seen. A network-based IDS can detect such attacks by matching a sub-string, for example the "phf" in "GET /cgi-bin/phf?", to identify those packets as vehicles of a web server attack. When such potentially hostile activity is detected, the IDS alerts system administrators and may block the activity.

The above examples describe the basic functions of a network-based IDS. An IDS can be host-based (HIDS) or network-based (NIDS). A HIDS is installed on a host and periodically monitors specific system logs for patterns of intrusion. In contrast, a NIDS sniffs network traffic to analyze suspicious behavior. A signature-based NIDS (SNIDS) examines the traffic for patterns of known intrusions. Because it relies on known signatures, a SNIDS can quickly and reliably identify the attacking technique and the security hole exploited without generating an overwhelming number of false alarms. An anomaly-based NIDS (ANIDS), on the other hand, detects unusual behavior using statistical methods. An ANIDS can detect symptoms of an attack without specific knowledge of its details; however, if the training data for normal traffic are inadequate, an ANIDS may generate a large number of false alarms.
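The following is an added example, not code from the original post, showing the two detection styles described above side by side: a signature rule that inspects reassembled TCP flows for the "/cgi-bin/phf?" sub-string and for an over-long FTP directory-creation command, and an anomaly-style rule that flags a source sending an unusual number of ICMP packets within a short window. All packet records are constructed sample data; the flow layout, the 256-byte length limit and the ICMP threshold are assumptions chosen for illustration, not values from the post.

```python
"""Added example: signature-based vs anomaly-based NIDS rules over
constructed packet records (not real captures)."""
from collections import defaultdict

# Constructed packet records: (timestamp_seconds, protocol, src, dst, payload)
SAMPLE_PACKETS = [
    (0.00, "tcp/80", "10.0.0.5", "10.0.0.1", b"GET /index.html HTTP/1.0\r\n"),
    (0.10, "tcp/80", "10.0.0.7", "10.0.0.1", b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
    # FTP command split over two segments: reassembly is needed to see its length.
    # The post's "MKDIR" example; the actual FTP verb for this is MKD.
    (0.20, "tcp/21", "10.0.0.9", "10.0.0.2", b"MKD " + b"A" * 300),
    (0.21, "tcp/21", "10.0.0.9", "10.0.0.2", b"A" * 300 + b"\r\n"),
    (0.30, "tcp/21", "10.0.0.4", "10.0.0.2", b"MKD incoming\r\n"),
] + [(0.5 + i * 0.01, "icmp", "10.0.0.66", "10.0.0.1", b"") for i in range(40)] \
  + [(5.0, "icmp", "10.0.0.3", "10.0.0.1", b"")]

# Signature rules: (name, protocol, predicate over the reassembled payload).
# Both limits below are assumed values for this example.
SIGNATURES = [
    ("phf cgi probe", "tcp/80", lambda data: b"/cgi-bin/phf?" in data),
    ("long FTP MKD", "tcp/21",
     lambda data: data.startswith(b"MKD ") and len(data) > 256),
]


def reassemble(packets):
    """Concatenate TCP payloads per (proto, src, dst) flow so a command
    spread over several segments is inspected as one unit."""
    flows = defaultdict(bytes)
    for _ts, proto, src, dst, payload in packets:
        if proto.startswith("tcp/"):
            flows[(proto, src, dst)] += payload
    return flows


def signature_alerts(packets):
    """Signature-based detection: known patterns matched on reassembled flows.
    Returns (rule_name, src, dst) tuples."""
    alerts = []
    for (proto, src, dst), data in reassemble(packets).items():
        for name, sig_proto, match in SIGNATURES:
            if proto == sig_proto and match(data):
                alerts.append((name, src, dst))
    return alerts


def icmp_flood_alerts(packets, window=1.0, threshold=20):
    """Anomaly-style detection: flag a source that sends more than
    `threshold` ICMP packets inside any `window`-second interval.
    A real ANIDS would derive the threshold from a baseline of normal
    traffic; an inadequate baseline is what produces the false alarms
    the post warns about. Returns (rule_name, src, count) tuples."""
    times = defaultdict(list)
    for ts, proto, src, _dst, _payload in packets:
        if proto == "icmp":
            times[src].append(ts)
    alerts = []
    for src, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.append(("icmp burst", src, end - start + 1))
                break                             # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in signature_alerts(SAMPLE_PACKETS) + icmp_flood_alerts(SAMPLE_PACKETS):
        print("ALERT:", alert)
```

Note that the single ICMP packet from 10.0.0.3 and the short "MKD incoming" command raise nothing: the signature rule never fires on unknown patterns, and the rate rule only fires once the count exceeds the threshold within the window, which is the trade-off the post describes between the two approaches.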
