This chapter introduces you to two key items that security professionals should understand: intrusion detection and malware analysis. An intrusion detection system (IDS) acts like a security guard. Just as a security guard monitors the activities of humans, an IDS monitors the activity of a network. Unlike a security guard, an IDS does not fall asleep or call in sick. However, this does not mean that it is infallible. Any technical system has its limitations, and an IDS is no different.
This chapter also looks at the analysis of malware. With malware, it is not a question of if, but when you will be forced to deal with it. Even if you do not intend to be a full-time malware analyst, you should understand the basic techniques used to examine malware. You should also know what to do, and what not to do, when examining it.
If you have already built a security test lab, as described in Chapter 1, you can use it for malware analysis. This chapter begins with an overview of the development of intrusion detection and its integration of intrusion prevention.
An Overview of Intrusion Detection
An IDS can be used to inspect network and host activity, and to identify suspicious traffic and anomalies. Intrusion detection was really born in the 1980s, when James Anderson put forth the concept in a paper entitled “Computer Security Threat Monitoring and Surveillance.” A few years later, Dorothy Denning advanced the concept of IDS further ...