The IT Law Wiki
Don't have an account?
Register
Advertisement
Register
in: Security, Definition

Intrusion detection

Edit

Definitions[]

Intrusion detection is

the process of monitoring events occurring in a computer system or network and analyzing them for signs of intrusion.[1]
[t]he process of identifying that an intrusion has been attempted, is occurring, or has occurred.[2]

Overview[]

There are two different approaches to analyzing events to detect attacks: signature-based detection and anomaly detection.

  • Signature-Based Detection. This approach identifies events or sets of events that match with a predefined pattern of events that describe a known attack. These patterns are called signatures. Signatures may include system states, or accessing system areas that have been explicitly identified as “off-limits.”
  • Anomaly Detection. Anomaly detection assumes that all intrusive activities deviate from the norm. These tools typically establish a normal activity profile and then maintain a current activity profile of a system. When the two profiles vary by statistically significant amounts, an intrusion attempt is assumed.

References[]

  1. NIST Special Publication 800-36, at 21.
  2. Report on the NS/EP Implications of Intrusion Detection Technology Research and Development, at 6.

Source[]

See also[]

Community content is available under CC-BY-SA unless otherwise noted.
Advertisement