Definition of Intrusion Detection. Intrusion detection is the ability to detect security breaches. Intrusion detection systems (IDSs) are useful in detecting successful breaches of the security systems present on a computer system, monitoring attempts to breach said security, and collecting information to allow the system to launch successful countermeasures. A successful countermeasure, within this context, is defined a set of actions taken by the system under attack to prevent the system from being compromised. We define a compromised system in this work as the opposite of a secure computer system, which is defined by Xxxxxxxxx and Xxxxxxxx as "a system that can be depended upon to behave as it is expected to" [GS 91]. A more formal definition of Intrusion Detection is "the problem of identifying individuals who are using, or attempting to use a computer system without authorization (i.e., crackers) and those who have legitimate access to the system but are abusing their privileges (i.e., the insider threat)” [BI 94, BA 98]. In the last decade, two models of Intrusion Detection have been widely accepted [DE 87]. These are anomaly detection and misuse detection. Anomaly detection consists of monitoring system behavioral statistics and flagging behavior that is statistically abnormal with respect to normal system operation. Some examples of anomalies are a sudden spike in CPU usage or a login at a time when the system is normally idle. Misuse detection attempts to discover attacks that exploit weaknesses in the security of a system. These weaknesses include buffer overflow attacks, holes in default system configurations such as unnecessarily open ports, and design flaws such as those in the TCP/IP protocol.
