12.2. Intrusion Detection

Intrusion detection is the process of detecting unauthorized use of, or an attack upon, a computer or network. The requirements were originally formulated by Anderson [] and the first intrusion detection system was developed by Denning and Neumann [] at SRI. For detailed information on intrusion detection, the reader is referred to []; here we only introduce the most important concepts and the tools that are relevant for the remainder of the chapter. We first give a quick overview of the origins of this area and then present the detection mechanisms, followed by security information management. Finally, the trend towards intrusion prevention is presented together with a taxonomy of reaction measures.

12.2.1. Origin and Concepts

Figure 12.1 describes the typical architecture of an intrusion detection system (IDS), according to the Intrusion Detection Message Exchange Working Group of the IETF [].

Activity on the monitored system is gathered from a data source and preprocessed into events. The analyzer then decides which of these events are security-relevant – according to the security policy set forth by the security administrator – and generates alerts accordingly. If the IDS has the capability to respond to the detected threat, it may apply the response immediately.
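The pipeline of Figure 12.1 (data source, events, analyzer with a policy, alerts, response) as an added example that is not from the book: the log format, the rule "at most three failed logins per source" and the block-list response are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Minimal IDS pipeline: data source -> events -> analyzer -> alerts -> response.
Added illustration, not code from the book; format, policy and threshold are assumed."""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sample data source: syslog-style sshd lines (not real logs).
RAW_LOG = """\
Jan 10 10:00:01 host sshd[101]: Failed password for root from 10.0.0.5
Jan 10 10:00:02 host sshd[102]: Failed password for root from 10.0.0.5
Jan 10 10:00:03 host sshd[103]: Accepted password for alice from 10.0.0.9
Jan 10 10:00:04 host sshd[104]: Failed password for admin from 10.0.0.5
Jan 10 10:00:09 host sshd[105]: Failed password for root from 10.0.0.7
"""
LINE_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

@dataclass
class Event:
    """Preprocessed, normalised record of one observation from the data source."""
    outcome: str
    user: str
    source: str

def preprocess(raw: str) -> list[Event]:
    """Data source -> events: parse each line; lines that do not match are dropped."""
    return [Event(*m.groups()) for line in raw.splitlines() if (m := LINE_RE.search(line))]

def analyze(events: list[Event], max_failures: int = 3) -> list[dict]:
    """Analyzer: apply the policy 'at most max_failures failed logins per source'
    and emit one alert per violating source (alerted once, when the threshold is hit)."""
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        if ev.outcome != "Failed":
            continue
        failures[ev.source] += 1
        if failures[ev.source] == max_failures:
            alerts.append({"classification": "brute-force-login",
                           "source": ev.source, "count": max_failures})
    return alerts

def respond(alerts: list[dict]) -> set[str]:
    """Response: decide which sources to block (a real IDS would push this to a firewall)."""
    return {a["source"] for a in alerts if a["classification"] == "brute-force-login"}

def run_ids(raw: str = RAW_LOG, max_failures: int = 3) -> tuple[list[dict], set[str]]:
    """Run the whole pipeline and return (alerts, blocked sources)."""
    alerts = analyze(preprocess(raw), max_failures)
    return alerts, respond(alerts)
```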

Intrusion detection provides two important functions in protecting information system assets: alerting [] and response.

The first function is that of a feedback ...
