Intrusion detection is the art of detecting unauthorized activity. In the computer world, it means detecting unauthorized connections, logons, and resource accesses, or attempts at the same. Intrusion detection is part of the reason why nearly every computer device has an event‐logging system. The two have been forever linked since James P. Anderson’s groundbreaking 1980 paper called “Computer Security Threat Monitoring and Surveillance” (
While computer systems have been good at generating lots of events, humans and their evaluating alert systems haven’t been so good at making sense of them. To most computer users, event log files are full of thousands of events that muddy up any chance for true maliciousness to be detected.
The best report on the gap between badness entering a system and being detected is captured in Verizon’s annual “Data Breach Investigations Report” (
http://www.verizonenterprise.com/verizon‐insights‐lab/dbir/). The 2016 report (
http://www.verizonenterprise.com/verizon‐insights‐lab/dbir/2016/) showed the following disturbing long‐term trends: