Introduction to Intrusion Detection

Simply put, an intrusion is someone attempting to break into or misuse your system. How you define "someone" and "break into or misuse" is up to you; that line is drawn by your security policy. Let us assume that you already know what you would not like to see someone do on your system (for more information, see the section on security policy).

An intrusion detection system, or IDS for short, attempts to detect an intruder breaking into your system or a legitimate user misusing system resources. The IDS runs constantly on your system, working away in the background, and only notifies you when it detects something it considers suspicious or in violation of your policy. Whether you appreciate that notification depends on how well you have configured your intrusion detection system: too loose and real attacks slip through, too tight and you drown in false alarms!

Note that there are two types of potential intruders:

Outside Intruders
Most people perceive the outside world to be the largest threat to their security. The media scare over "hackers" coming in over the Internet has only heightened this perception.
Inside Intruders
FBI studies have put the share of intrusions and attacks that originate from within organizations at around 80%. Think about it - an insider already knows the layout of your system, where the valuable data is and what security precautions are in place, so no reconnaissance or break-in is needed.

So although most security measures are put in place to protect the inside from a malevolent outside world, most intrusion attempts actually originate within the organization. A mechanism is needed to detect both kinds of intrusion: a break-in attempt from the outside, and misuse by a knowledgeable insider who already holds valid credentials. An effective intrusion detection system detects both.


Katherine Price
Last modified: Sun Sep 22 01:45:38 EST