Introduction to Intrusion Detection
Simply put, an intrusion is someone attempting to break into or misuse your system. How you define "someone" and "break into or misuse" is up to you. Let us assume that you know what you would not like to see someone do on your system (for more information, see the section on security policy).
An intrusion detection system, or IDS for short, attempts to detect an intruder breaking into your system or a legitimate user misusing system resources. The IDS will run constantly on your system, working away in the background, and only notifying you when it detects something it considers suspicious or illegal. Whether you appreciate that notification depends on how well you've configured your intrusion detection system!
Note that there are two types of potential intruders: outsiders attempting to break into the system, and insiders (legitimate users) who misuse the access they already hold.
So despite the fact that most security measures are put in place to protect the inside from a malevolent outside world, most intrusion attempts actually occur from within an organization. A mechanism is therefore needed to detect both types of intrusion: a break-in attempt from the outside and a knowledgeable insider attack. An effective intrusion detection system detects both.
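As an added illustration (example code, not part of the original text), the following minimal rule-based detector runs over a few constructed log lines and raises an alert for each intruder type described above. The internal network range, the failed-login threshold and the list of sensitive files are assumed policy settings chosen for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not from any real system): sshd-style
# authentication messages plus sudo audit lines, so both intruder types appear.
SAMPLE_LOG = """\
sshd[101]: Failed password for root from 203.0.113.7 port 5222 ssh2
sshd[101]: Failed password for root from 203.0.113.7 port 5223 ssh2
sshd[101]: Failed password for admin from 203.0.113.7 port 5224 ssh2
sshd[101]: Failed password for root from 203.0.113.7 port 5225 ssh2
sshd[102]: Accepted password for alice from 10.0.0.5 port 40110 ssh2
sudo: alice : COMMAND=/bin/cat /etc/shadow
sudo: bob : COMMAND=/usr/bin/systemctl restart nginx
sshd[103]: Failed password for alice from 10.0.0.9 port 40200 ssh2
"""

# The "policy": what we would not like to see. Assumed values for illustration.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # everything else is "outside"
FAILED_LOGIN_THRESHOLD = 3                          # external failures before alerting
SENSITIVE_FILES = ("/etc/shadow",)                  # insider misuse: reading credentials

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo: (\S+) : COMMAND=(.+)")


def detect(log_text: str) -> list:
    """Return one alert string per suspicious event found in log_text."""
    alerts = []
    failures = Counter()  # failed logins per external source address
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            _user, src = m.groups()
            # Internal failures are ignored here; only outside sources count
            # toward the break-in rule.
            if ipaddress.ip_address(src) not in INTERNAL_NET:
                failures[src] += 1
                if failures[src] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(f"outside break-in attempt: {failures[src]} failed logins from {src}")
            continue
        m = SUDO_RE.search(line)
        if m:
            user, cmd = m.groups()
            # A legitimate user is allowed to use sudo, but touching credential
            # material is defined by policy as misuse.
            if any(path in cmd for path in SENSITIVE_FILES):
                alerts.append(f"insider misuse: {user} accessed sensitive file via sudo ({cmd})")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT:", alert)
```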