We are now at the end of this lecture. In this lecture, we have learned the concept and assumption at the basis of intrusion detection, and how an IDS internally works. We then have learned that several aspects should be taken into consideration when designing or analyzing an IDS, for example how the detection engine works or what kind of data the IDS uses. We then have seen that traffic classification is a complex problem and it is safe to assume that we will incur situations in which telling apart malicious and benign traffic is actually not possible. This means that IDSes will make classification errors. We have seen how to quantify those and how we can evaluate the performance of an IDS. Finally, we have reasoned about how an IDS needs tuning to adapt to different network traffic. We then have given a detailed example of a real IDS, the flow-based network IDS SSHCure, which has been designed to identify hosts that have been compromised using SSH attacks. SSHCure not only performs detection in a flow-based fashion, but it also focuses on the detection of compromises, as opposed to just identifying that an attack is taking place. SSHCure shows the feasibility of flow-based intrusion detection, but it also points out that detailed domain knowledge is fundamental.