Intrusion Detection Systems

This chapter discusses the concept of Intrusion Detection Systems (IDSs). IDSs can serve many purposes in a defense-in-depth architecture. IDSs are a weapon in the arsenal of system administrators, network administrators, and security professionals, allowing real-time reporting of suspicious and malicious system and network activity. In addition to identifying attacks and suspicious activity, IDS data can be used to identify security vulnerabilities and weaknesses. IDSs can audit and enforce security policy. For example, if a security policy prohibits the use of file-sharing applications such as Kazaa or Gnutella, or of messaging services such as Internet Relay Chat (IRC) or Instant Messenger, an IDS can be configured to detect and report this breach of policy. IDSs are also an invaluable source of evidence: logs from an IDS can become an important part of computer forensics and incident-handling efforts. Detection systems are used to detect insider attacks by monitoring traffic generated by Trojans or other malicious code, and they can be used as incident management tools to track an attack as it unfolds.
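As an added illustration of the policy-enforcement role described above (this is example code written for this chapter, not part of the original text or any particular IDS product), the following script applies a small set of policy rules to connection-log lines. The log lines are constructed samples, and the rules use the well-known default ports for IRC (TCP 6660-6669) and Gnutella (TCP 6346-6347); the policy itself, its rule names and the log format are assumptions made for the example.

```python
import re

# Constructed sample connection log (not captured from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01 proto=tcp src=10.0.0.5 sport=51234 dst=198.51.100.7 dport=443
2024-05-01T10:00:02 proto=tcp src=10.0.0.8 sport=51240 dst=203.0.113.9 dport=6667
2024-05-01T10:00:03 proto=tcp src=10.0.0.8 sport=51241 dst=203.0.113.10 dport=6346
2024-05-01T10:00:04 proto=udp src=10.0.0.9 sport=51242 dst=192.0.2.3 dport=53
2024-05-01T10:00:05 proto=tcp src=10.0.0.5 sport=51243 dst=198.51.100.7 dport=6669
"""

# One line of the assumed log format: timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>\S+)\s+sport=(?P<sport>\d+)"
    r"\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)

# Hypothetical policy: prohibited services identified by protocol and
# destination port. Port-based rules are the simplest form of signature;
# they miss clients configured to use non-standard ports and may flag
# unrelated services that happen to use these ports.
POLICY_RULES = [
    {"name": "irc-prohibited", "proto": "tcp", "dports": set(range(6660, 6670))},
    {"name": "gnutella-prohibited", "proto": "tcp", "dports": {6346, 6347}},
]


def parse_line(line):
    """Return a dict of fields for a well-formed log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def match_policy(rec):
    """Return the name of the first policy rule the record violates, or None."""
    for rule in POLICY_RULES:
        if rec["proto"] == rule["proto"] and rec["dport"] in rule["dports"]:
            return rule["name"]
    return None


def scan_log(log_text):
    """Evaluate every line against the policy; return a list of alert dicts.

    Lines that do not parse are counted rather than silently dropped, since a
    parser that fails quietly is itself a detection gap worth noticing.
    """
    alerts = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        rule = match_policy(rec)
        if rule:
            alerts.append({"ts": rec["ts"], "rule": rule,
                           "src": rec["src"], "dst": rec["dst"],
                           "dport": rec["dport"]})
    return {"alerts": alerts, "unparsed": unparsed}


def format_alert(alert):
    """Render one alert as a single reportable line."""
    return (f"{alert['ts']} POLICY {alert['rule']} "
            f"{alert['src']} -> {alert['dst']}:{alert['dport']}")


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for a in result["alerts"]:
        print(format_alert(a))
    print(f"{len(result['alerts'])} policy alerts, {result['unparsed']} unparsed lines")
```

Running the script reports the two IRC connections and the one Gnutella connection from the sample while leaving the HTTPS and DNS records alone. In a real deployment the rule set would be richer than destination ports (protocol-aware signatures, application payload matching), and the alerts would be forwarded to the same log store used for forensics and incident handling, so that the evidence role described in the text is served by the same data as the detection role.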