The Role of Intrusion Detection Systems

Intrusion detection systems are an important component of defensive measures protecting computer systems and networks from abuse. This article considers the role of IDSs in an organization’s overall defensive posture and provides guidelines for IDS deployment, operation, and maintenance. Although intrusion detection technology is immature and should not be considered as a complete defense, we believe it can play a significant role in an overall security architecture. If an organization chooses to deploy an IDS, a range of commercial and public domain products are available that offer varying deployment costs and potential to be effective. Because any deployment will incur ongoing operation and maintenance costs, the organization should consider the full IDS life cycle before making its choice. When an IDS is properly deployed, it can provide warnings indicating that a system is under attack, even if the system is not vulnerable to the specific attack. These warnings can help users alter their installation’s defensive posture to increase resistance to attack. In addition, an IDS can serve to confirm secure configuration and operation of other security mechanisms such as firewalls. After describing the role an IDS might play in an organization, we survey the most commonly used intrusion detection techniques and discuss representative systems from the commercial, public, and research arenas.

Intrusions and Intrusion Detection

Intrusion detection has been an active field of research for about two decades, starting in 1980 with the publication of John Anderson’s Computer Security Threat Monitoring and Surveillance [1], which was one of the earliest papers in the field. Dorothy Denning’s seminal paper, “An Intrusion Detection Model” [2], published in 1987, provided a methodological framework that inspired many researchers and laid the groundwork for commercial products such as those we discuss in this article.

Still, despite substantial research and commercial investments, ID technology is immature and its effectiveness is limited [3]. Within its limitations, it is useful as one portion of a defensive posture, but should not be relied upon as a sole means of protection. Many recent media reports point to the need for comprehensive protection of which ID is a crucial part. For example:

Hackers attacked some of America’s most popular Web sites yesterday for the third day in a row, walling off frustrated consumers from companies that provide news and stock trading as law enforcement officials launched a nationwide criminal in
