Intrusion detection (ID) is a type of security management system for computers and
networks. An ID system gathers and analyzes information from various areas within
a computer or a network to identify possible security breaches, which include both
intrusions (attacks from outside the organization) and misuse (attacks from within
the organization). ID uses vulnerability assessment (sometimes referred to as
scanning), which is a technology developed to assess the security of a computer
system or network.
Intrusion detection functions include:

- Monitoring and analyzing both user and system activities
- Analyzing system configurations and vulnerabilities
- Assessing system and file integrity
- Ability to recognize patterns typical of attacks
- Analysis of abnormal activity patterns
- Tracking user policy violations

ID systems are being developed in response to the increasing number of attacks on
major sites and networks, including those of the Pentagon, the White House, NATO,
and the U.S. Defense Department. The safeguarding of security is becoming
increasingly difficult, because the possible technologies of attack are becoming ever
more sophisticated; at the same time, less technical ability is required for the novice
attacker, because proven past methods are easily accessed through the Web.

Typically, an ID system follows a two-step process. The first procedures are host-based
and are considered the passive component; these include inspection of the
system's configuration files to detect inadvisable settings, inspection of the
password files to detect inadvisable passwords, and inspection of other system
areas to detect policy violations. The second procedures are network-based and are
considered the active component: mechanisms are set in place to reenact known
methods of attack and to record system responses.
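The passive, host-based checks described above, together with the configuration and file-integrity functions listed earlier, as an added example written for this page (not code from the original): it inspects a constructed config fragment for inadvisable settings, a constructed password file for accounts with an empty password field, and compares file hashes against a recorded baseline. The directive names, the policy table and the sample files are assumptions.

```python
import hashlib

# Constructed sample input (not from the page): an sshd-style config fragment
# and a passwd-style file in which one account has an empty password field.
CONFIG_TEXT = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
"""
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
svc:x:1001:1001::/home/svc:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
"""
# Assumed policy: directive -> value that counts as an inadvisable setting.
INADVISABLE = {
    "PermitRootLogin": "yes",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "yes",
}

def check_config(text):
    """Return (directive, value) pairs that match an inadvisable setting."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no setting
        key, _, value = line.partition(" ")
        if INADVISABLE.get(key) == value.strip():
            findings.append((key, value.strip()))
    return findings

def check_passwd(text):
    """Return account names whose password field (second field) is empty."""
    return [f[0] for f in (l.split(":") for l in text.splitlines())
            if len(f) >= 2 and f[1] == ""]

def build_baseline(files):
    """Record SHA-256 of each file's content: name -> hex digest."""
    return {n: hashlib.sha256(c.encode()).hexdigest() for n, c in files.items()}

def integrity_check(files, baseline):
    """Return names of files whose current hash differs from the baseline
    (or that have no baseline entry), i.e. possible tampering."""
    return [n for n, h in build_baseline(files).items() if baseline.get(n) != h]

if __name__ == "__main__":
    print(check_config(CONFIG_TEXT), check_passwd(PASSWD_TEXT))
```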

In 1998, ICSA.net, a leading security assurance organization, formed the Intrusion
Detection Systems Consortium (IDSC) as an open forum for ID product developers
with the aim of disseminating information to the end user and developing industry
standards.
