Intrusion Detection Is an Art and a Science
Certain prerequisites are necessary to make an intrusion detection system worthwhile, including the following:
• Network administrators with intrusion detection experience.
• Network administrators with the spare time to monitor a network.
• A security philosophy that includes the willingness to integrate business processes with logging technologies.
• A network infrastructure that has been well designed and hardened.
Without these elements, the intrusion detection system will be an expensive system that won't produce results. IDSs are powerful, but complicated. They can be used to catch hackers, but they need to be wielded by an experienced network administrator. When they are purchased instead by an organization that mistakenly thinks the system will create results automatically, they fail miserably.
Despite the way vendors often market intrusion detection systems, they are not automated solutions. Virus scanners are an example of an automated solution that is used to detect, prevent, and delete viruses. Virus scanners can accomplish this with some efficiency because they are programmed to look for other programs: a virus is code, and the byte patterns it leaves in an infected file are predetermined, so the scanner can match them against a database of known signatures. The virus scanner is constantly updated so that it can detect and delete the latest viruses. Without the updates, it would be helpless against new viruses whose signatures it has never been given, because it can recognize only the patterns it was programmed to find.
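The following is an added illustration of the point above and is not code from Bishop's text. It models a signature-based scanner as a dictionary of byte patterns matched against a handful of constructed sample "files" (none is real malware; the names Worm-A and Worm-B are hypothetical). Variant B goes undetected until the scanner receives a signature update, exactly the failure mode described. The block also goes slightly beyond the text by showing a looser family signature that would have caught both variants without an update, at the price of more false positives on anything that shares the pattern.

```python
import re

# Constructed sample "files" for the demonstration; none of this is real malware.
SAMPLES = {
    "report.txt": b"quarterly report: revenue up four percent",
    "worm_a.bin": b"MZ\x90\x90 WORM-A: scan subnet; copy self to share",
    "worm_b.bin": b"MZ\x90\x90 WORM-B: scan subnet; copy self to share",
}

# A signature is a fixed byte pattern the scanner was programmed to look for.
# Only the hypothetical Worm-A is known to the scanner at this point.
SIGNATURES = {
    "Worm-A": re.compile(rb"WORM-A: scan subnet"),
}


def scan(samples, signatures):
    """Return {filename: [names of signatures that matched]} for every sample."""
    results = {}
    for name, data in samples.items():
        results[name] = [sig for sig, pat in signatures.items() if pat.search(data)]
    return results


def add_signature(signatures, name, pattern):
    """Return a new signature set containing one more pattern (the vendor 'update')."""
    updated = dict(signatures)
    updated[name] = re.compile(pattern)
    return updated


def demo():
    """Run the scan before and after an update, plus with a broader family signature."""
    before = scan(SAMPLES, SIGNATURES)
    # The vendor ships a signature for the new variant; without it Worm-B is invisible.
    updated = add_signature(SIGNATURES, "Worm-B", rb"WORM-B: scan subnet")
    after = scan(SAMPLES, updated)
    # A looser family signature catches both variants with no update, but anything
    # else containing that pattern would now be flagged as well.
    family = {"Worm-family": re.compile(rb"WORM-[A-Z]: scan subnet")}
    generic = scan(SAMPLES, family)
    return before, after, generic


if __name__ == "__main__":
    before, after, generic = demo()
    for label, res in (("before update", before),
                       ("after update", after),
                       ("family signature", generic)):
        print(label)
        for fname, hits in res.items():
            print(f"  {fname}: {hits or 'clean'}")
```

The scanner never reasons about what the code does; it only reports whether a known pattern is present, which is why it can be automated and why it is blind to anything its database has not yet seen.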
A real hacker may use some programs as tools to help get at what he or she wants, but ultimately the high-level hacking will be performed manually, and manual activity does not reduce to a fixed pattern the way a virus does. This is why catching a hacker is an art as well as a science. Intrusion detection tools can be used to catch an intruder in action if they are focused properly on the right hosts, services, and log sources. Knowing where the intruder might be at a given time (how to focus) takes expertise.
*Introduction to Computer Security, Matt Bishop, 2004