Describe the Intrusion Detection System. What is a Rule-based detection?
- Systems inevitably will have security failures.
- So we also need to detect intrusions, so that we can:
  - block the intruder if detected quickly
  - act as a deterrent
  - collect information to improve security
- Assume the intruder will behave differently from a legitimate user,
  - but there will be an imperfect distinction between

Rule-based detection
- Observe events on the system and apply rules to decide whether the activity is suspicious or not.
- Rule-based anomaly detection:
  - analyze historical audit records to identify usage patterns and auto-generate rules for them
  - then observe current behavior and match it against the rules to see if it conforms
  - like statistical anomaly detection, it does not require prior knowledge of security flaws