Overview
AUTHOR
Hervé DEBAR: Senior Expert, France Télécom R&D
INTRODUCTION
The development of information technology has been accompanied by security problems. Initially, viruses spread slowly through the exchange of computer media. With the advent of the first TCP/IP networks, security problems diversified and led to the development of new security techniques.
Very early in the development of the Internet, vulnerabilities in operating systems enabled attackers to move virtually from system to system. In the military context of TCP/IP network deployment, the detection of malicious actions quickly became a necessity. Preventive measures proved insufficient, which led to the creation of intrusion detection systems (IDS).
These systems were developed to detect abnormal operation of information systems and networks, that is, actions taken by one or more users that do not comply with the security policy. Two families of analysis techniques have been developed for this purpose. The first assumes that the behaviour of an attacker can be distinguished from the usual behaviour of the information system under surveillance. The second exploits accumulated knowledge of vulnerabilities and of the ways information systems are penetrated: when user actions resemble a previously described attack, the intrusion detection system raises an alert.
These analysis techniques apply to different data sources, which must be acquired by the intrusion detection system (network listening or file reading, for example), and pre-processed to simplify analysis.
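As an added illustration (not code from the article), the two families of analysis above applied to a handful of constructed audit-log lines read from a file-like source: a knowledge-based matcher with an assumed signature base, and a behaviour-based detector that profiles each user's usual actions from a training window. Log format, users, paths and signatures are all assumptions.

```python
import re
from collections import defaultdict

# Constructed audit-log lines standing in for a "file reading" data source;
# format and contents are assumptions, not taken from the article.
TRAINING_LOG = [
    "user=alice action=read target=/home/alice/notes",
    "user=alice action=write target=/home/alice/notes",
    "user=bob action=read target=/var/log/syslog",
    "user=bob action=read target=/home/bob/report",
]
LIVE_LOG = [
    "user=alice action=read target=/home/alice/notes",
    "user=bob action=write target=/etc/passwd",
    "user=alice action=read target=/var/log/syslog",
    "malformed line that the pre-processing step must skip",
]

LINE_RE = re.compile(r"user=(\S+) action=(\S+) target=(\S+)$")

def parse(line):
    """Pre-processing: turn one raw line into (user, action, target) or None."""
    m = LINE_RE.match(line)
    return m.groups() if m else None

# Knowledge-based family: a (constructed) base of previously described attacks.
SIGNATURES = {"passwd-tamper": ("write", "/etc/passwd")}

def signature_alerts(lines):
    """Alert when an event matches a known attack description."""
    alerts = []
    for user, action, target in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES.items():
            if (action, target) == pattern:
                alerts.append((name, user))
    return alerts

# Behaviour-based family: learn each user's usual (action, target) set
# from a training window, then alert on anything outside that profile.
def build_profile(lines):
    profile = defaultdict(set)
    for user, action, target in filter(None, map(parse, lines)):
        profile[user].add((action, target))
    return profile

def anomaly_alerts(profile, lines):
    """Alert on every event that deviates from the learned profile."""
    return [("deviation", u, a, t)
            for u, a, t in filter(None, map(parse, lines))
            if (a, t) not in profile.get(u, set())]
```

On the live lines, bob's write is caught by both analyses, while alice's unusual read is flagged only by the behaviour-based one, which may be a false positive; the signature matcher can only report what its knowledge base already describes.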
The main purpose of intrusion detection systems today is to provide operators with information on the health of the information system being monitored. However, as analysis techniques evolve and become more reliable, it may be possible in a few years' time to develop more sophisticated protection systems than those currently available. In particular, it should become possible to protect each service offered by an information system individually, without being tied to network access points, as is the case today with widespread firewall technology.
Intrusion detection and analysis