Abstract
Intrusion detection is a new, retrofit approach for providing a sense of security in
existing computers and data networks, while allowing them to operate in their current
"open" mode. The goal of intrusion detection is to identify, preferably in real time,
unauthorized use, misuse, and abuse of computer systems by both system insiders and
external penetrators. The intrusion detection problem is becoming a challenging
task due to the proliferation of heterogeneous computer networks, since the increased
connectivity of computer systems gives greater access to outsiders and makes it easier
for intruders to avoid identification. Intrusion detection systems (IDSs) are based
on the beliefs that an intruder's behavior will be noticeably different from that of
a legitimate user and that many unauthorized actions are detectable. Typically, IDSs
employ statistical anomaly and rule-based misuse models in order to detect intrusions.
A number of prototype IDSs have been developed at several institutions, and some of them
have also been deployed on an experimental basis in operational systems. In this paper,
several host-based and network-based IDSs are surveyed, and the characteristics of the
corresponding systems are identified. The host-based systems employ the host operating
system's audit trails as the main source of input to detect intrusive activity, while
most of the network-based IDSs build their detection mechanism on monitored network
traffic, and some employ host audit trails as well. An outline of a statistical anomaly
detection algorithm employed in a typical IDS is also included.
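The two detection models the abstract names, a statistical anomaly model built from per-user profiles of audit-trail features and a rule-based misuse model built from explicit signatures, shown together in a toy host-based detector. This is an added Python example, not code from the paper or from any of the surveyed systems; the audit records, the feature names, the squared z-score scoring, the 1.0 floor on the standard deviation, the threshold of 9.0 and the three misuse rules are all constructed assumptions for illustration.

```python
"""Toy host-based IDS demonstrating the two detection models named above:
a statistical anomaly model (per-user profiles over audit-trail features,
flagging sessions that deviate from the user's own baseline) and a rule-based
misuse model (explicit signatures of known bad behaviour).
All records, feature names, rules and thresholds below are constructed
assumptions, not from the paper or any surveyed system."""
from statistics import mean, pstdev

# Constructed audit-trail records, one per login session, assumed legitimate
# and used as the training baseline for user "alice".
TRAINING = [
    {"user": "alice", "hour": 9,  "cpu_s": 12, "files": 30, "failed_logins": 0, "cmds": ["ls", "vi", "make"]},
    {"user": "alice", "hour": 10, "cpu_s": 15, "files": 25, "failed_logins": 0, "cmds": ["ls", "gcc", "make"]},
    {"user": "alice", "hour": 14, "cpu_s": 9,  "files": 40, "failed_logins": 1, "cmds": ["vi", "make"]},
    {"user": "alice", "hour": 11, "cpu_s": 14, "files": 35, "failed_logins": 0, "cmds": ["ls", "vi"]},
    {"user": "alice", "hour": 16, "cpu_s": 10, "files": 28, "failed_logins": 0, "cmds": ["make", "gcc"]},
]
NUMERIC = ("hour", "cpu_s", "files", "failed_logins")  # features profiled statistically

# Constructed sessions to classify.
NORMAL_SESSION = {"user": "alice", "hour": 10, "cpu_s": 13, "files": 32, "failed_logins": 0, "cmds": ["ls", "make"]}
SUSPECT_SESSION = {"user": "alice", "hour": 3, "cpu_s": 40, "files": 300, "failed_logins": 4, "cmds": ["su", "cat /etc/shadow"]}
UNKNOWN_USER_SESSION = {"user": "mallory", "hour": 12, "cpu_s": 1, "files": 1, "failed_logins": 0, "cmds": ["ls"]}


def build_profiles(records):
    """Statistical model: per-user (mean, std dev) of every numeric feature."""
    profiles = {}
    for user in {r["user"] for r in records}:
        rows = [r for r in records if r["user"] == user]
        profiles[user] = {f: (mean(r[f] for r in rows), pstdev(r[f] for r in rows)) for f in NUMERIC}
    return profiles


def anomaly_score(record, profiles):
    """Sum of squared z-scores against the user's profile. A std dev below 1.0
    is floored to 1.0 (assumption) so a constant feature does not divide by zero
    or explode on the first small deviation. An unprofiled user has no baseline
    at all and is scored as infinitely anomalous."""
    prof = profiles.get(record["user"])
    if prof is None:
        return float("inf")
    score = 0.0
    for f in NUMERIC:
        mu, sigma = prof[f]
        z = (record[f] - mu) / max(sigma, 1.0)
        score += z * z
    return score


# Misuse model: (rule name, predicate over one audit record). Constructed examples.
MISUSE_RULES = [
    ("repeated failed logins", lambda r: r["failed_logins"] >= 3),
    ("su by non-root user", lambda r: "su" in r["cmds"] and r["user"] != "root"),
    ("shadow file read", lambda r: any(c.startswith("cat /etc/shadow") for c in r["cmds"])),
]


def misuse_matches(record):
    """Rule-based model: names of every misuse signature the record triggers."""
    return [name for name, pred in MISUSE_RULES if pred(record)]


def classify(record, profiles, threshold=9.0):
    """Combine both models. threshold=9.0 (assumption) is the anomaly cut-off."""
    score = anomaly_score(record, profiles)
    return {"user": record["user"], "score": score,
            "anomalous": score > threshold, "misuse": misuse_matches(record)}


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for session in (NORMAL_SESSION, SUSPECT_SESSION, UNKNOWN_USER_SESSION):
        print(classify(session, profiles))
```

The two models fail in complementary ways, which is why the surveyed systems combine them: the anomaly model raises the unknown user and the off-hours, high-activity session without any prior knowledge of what an attack looks like, but would also raise a legitimate user whose workload simply changed, while the misuse rules name exactly what was matched and fire only on behaviour someone already thought to encode.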