Abstract
Network Intrusion Detection Systems today are used to detect when the network they are defending is being attacked from the outside. Consequently, IDSs primarily watch traffic coming into the protected network. This paper reverses this paradigm and explores the implications of monitoring traffic that is leaving the network, thus detecting when the protected network is being used to launch or relay attacks. While the infrastructure and mechanics of this type of monitoring are similar to those used in existing intrusion detection techniques, outbound monitoring offers a number of benefits and advantages. The benefits include increasing the overall safety of the network, policy enforcement, and limiting liability. Outbound monitoring also has an advantage in that it can detect certain attacks that are otherwise undetectable when entering the targeted network. Further, there is greater power to react, both manually and automatically, to a detected attack. This paper examines these issues and others to conclude that outbound misuse detection should be a fundamental component of a network security infrastructure.