Detecting System Intrusions

Detecting system intrusions is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. The detection of system intrusions (DSIs) is primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

In addition, organizations use the DSIs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. The DSIs have become a necessary addition to the security infrastructure of nearly every organization.

The DSIs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many of the DSIs can also respond to a detected threat by attempting to prevent it from succeeding. These response techniques include the DSIs stopping the attack itself, changing the security environment (for example, reconfiguring a firewall), or changing the attack’s content.

This chapter describes the characteristics of the DSI technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them.