Intrusion detection systems as evidence

Abstract Although the main aim of Intrusion Detection Systems (IDSs) is to detect intrusions to prompt evasive measures, a further aim can be to supply evidence in criminal and civil legal proceedings. However the features that make an ID product good at providing early warning may render it less useful as an evidence-acquisition tool. An explanation is provided of admissibility and weight, the two determinants in the legal acceptability of evidence. The problems the courts have in dealing with novel scientific evidence and the differences between `scientific' and `legal' proof are discussed. Criteria for the evaluation of IDSs as sources of legal evidence are proposed, including preservation of evidence, continuity of evidence and transparency of forensic method. It is suggested that the key to successful prosecution of complex intrusions is the finding of multiple independent streams of evidence which corroborate one another. The USAF Rome Labs intrusion of early 1994 is used as a case-study to show how defence experts and lawyers can undermine investigators’ evidence.