An intrusion detection system (IDS) inspects inbound and outbound network activity and identifies suspicious patterns that may indicate an attempt to break into or compromise a network or system. The original design goal of an IDS is to protect the organization's vital information from outsiders.
The IDS analyzes the information it gathers and compares it against large databases of attack signatures; essentially, it looks for specific attacks that have already been documented. Like a virus scanner, misuse (signature) detection is only as good as the signature database it compares packets against: an attack with no signature is not seen. In anomaly detection, the administrator defines the baseline, or normal, state of the network: its traffic load, protocol breakdown and typical packet size. The anomaly detector then monitors network segments, compares their current state with that baseline and flags deviations from it.
Most IDS products combine signature-based and anomaly detection, giving them the capability to look for set "patterns" in packets, but they can also be tuned to look for things you should never see on the wire. The addition of specific string-search signatures (for example, looking for the string "confidential"), logging and TCP reset features has greatly enhanced the IDS as a detection and protection tool.
New attack techniques appear every month, and IDS technology must adapt to these rapid changes. The list of known attacks changes constantly, which makes codifying the "signature" of each new attack a never-ending task; until a signature exists, a purely signature-based IDS cannot detect that attack.
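The two detection approaches described above, as an added example that is not part of the original page and not SCS's product: a toy IDS in Python that runs a signature (misuse) check and an anomaly check over constructed packet records. The "confidential" string search is the one named on the page; the `/etc/passwd` rule and all traffic are constructed for illustration. The baseline is learned from a set of clean packets (mean and standard deviation of packet size per protocol), and the "reset" action is only a returned label, not an actual TCP RST.

```python
"""Toy IDS: signature matching plus size/protocol anomaly detection.
Added example with constructed traffic; not SCS's or any product's code."""
import re
import statistics
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp"
    size: int             # bytes on the wire
    payload: bytes = b""


@dataclass
class Alert:
    kind: str             # "signature" or "anomaly"
    rule: str
    packet: Packet
    action: str           # "log" or "reset" (label only; no RST is sent here)


# --- Signature (misuse) detection ---------------------------------------
# (name, compiled regex over the payload, action on match).
# "confidential" string search is from the page; the second rule is a
# constructed example of a conventional content signature.
SIGNATURES = [
    ("string-search confidential", re.compile(rb"(?i)confidential"), "log"),
    ("unix passwd file request", re.compile(rb"/etc/passwd"), "reset"),
]


def signature_scan(pkt: Packet) -> list:
    """Return one alert per signature whose pattern appears in the payload."""
    return [Alert("signature", name, pkt, action)
            for name, rx, action in SIGNATURES if rx.search(pkt.payload)]


# --- Anomaly detection --------------------------------------------------
@dataclass
class Baseline:
    """Normal packet size per protocol (mean, stdev), learned from clean traffic."""
    size_stats: dict = field(default_factory=dict)

    @classmethod
    def learn(cls, packets: list) -> "Baseline":
        by_proto = {}
        for p in packets:
            by_proto.setdefault(p.proto, []).append(p.size)
        stats = {}
        for proto, sizes in by_proto.items():
            # floor the stdev at 1 byte so a constant-size baseline still gives finite z-scores
            stats[proto] = (statistics.fmean(sizes), max(statistics.pstdev(sizes), 1.0))
        return cls(stats)


def anomaly_scan(pkt: Packet, base: Baseline, z_threshold: float = 3.0) -> list:
    """Flag protocols absent from the baseline and sizes far from the baseline mean."""
    if pkt.proto not in base.size_stats:
        return [Alert("anomaly", f"protocol {pkt.proto} never seen in baseline", pkt, "log")]
    mean, stdev = base.size_stats[pkt.proto]
    z = (pkt.size - mean) / stdev
    if abs(z) > z_threshold:
        return [Alert("anomaly", f"{pkt.proto} size {pkt.size}B is {z:.1f} stdev from mean {mean:.0f}B", pkt, "log")]
    return []


def inspect(packets: list, base: Baseline) -> list:
    alerts = []
    for p in packets:
        alerts.extend(signature_scan(p))
        alerts.extend(anomaly_scan(p, base))
    return alerts


# Constructed clean traffic used to learn the baseline.
BASELINE_TRAFFIC = [Packet("10.0.0.5", "10.0.0.1", "tcp", s) for s in (500, 520, 480, 510, 490)] + \
                   [Packet("10.0.0.5", "10.0.0.1", "udp", s) for s in (100, 110, 90, 105, 95)]

# Constructed test traffic: one benign packet, one data-leak string, one
# traversal request that is also oversized, one unseen protocol, one oversized UDP.
TEST_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.1", "tcp", 505, b"GET /index.html HTTP/1.0"),
    Packet("10.0.0.5", "203.0.113.9", "tcp", 510, b"Subject: CONFIDENTIAL quarterly numbers"),
    Packet("198.51.100.7", "10.0.0.1", "tcp", 1400, b"GET /../../etc/passwd HTTP/1.0"),
    Packet("198.51.100.7", "10.0.0.1", "icmp", 64),
    Packet("198.51.100.7", "10.0.0.1", "udp", 1200),
]


def run_demo() -> list:
    """Learn the baseline from clean traffic, then inspect the test traffic."""
    alerts = inspect(TEST_TRAFFIC, Baseline.learn(BASELINE_TRAFFIC))
    for a in alerts:
        print(f"[{a.kind}] {a.rule} src={a.packet.src} action={a.action}")
    return alerts


if __name__ == "__main__":
    run_demo()
```

The traversal packet shows why the two approaches complement each other: the signature rule catches the known string, while the anomaly rule catches it again purely on size, which would still fire if the attacker changed the string. The limits are also visible: the "confidential" mail passes the anomaly check because its size is normal, and anything not in `SIGNATURES` and within three standard deviations of the baseline passes both.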
As part of an organization's total defense strategy, an intrusion detection system deployed within a solid security architecture helps protect against and deter:
- Script kiddies
- Hackers
- Would-be hackers
- Crackers
- Industrial espionage
- Elite black hats
An IDS is just one tool in a good security architecture and multi-layered defense strategy. SCS will help your organization develop a sound security architecture that prevents lost productivity and downtime due to a vulnerable network.