ABSTRACT

IDSs for traditional networks function under the assumption that normal activity and intrusion activity exhibit distinguishable behavior [2-4]. Additionally, to implement an IDS, user and program activity must be observable, for example via a system auditing mechanism [5], so that deviations from the established norm can be recognized. Based on the type of audit data collected, an IDS can be classified as network-based or host-based. A network-based IDS operates by passively or actively monitoring the network itself: packets are captured from network traffic and analyzed to identify an intrusion. A network-based IDS often requires a dedicated host or special-purpose equipment, and that sensor is itself a single, well-known point that an attacker can target or evade. A host-based IDS monitors activity on each individual node. Its data is collected from the system's audit trails, from system and application logs, or from audit data generated by a module that intercepts system calls [6].
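To make the host-based, anomaly-based case concrete, the following is an added illustration (not code from the paper or any project it cites). It assumes an audit module that records the sequence of system calls a process issues, as described above, and applies the classic sliding-window approach: short call sequences observed during normal operation form the profile, and a trace is scored by the fraction of its sequences that the profile has never seen. All traces, the window length and the threshold are constructed for the example.

```python
"""Minimal host-based anomaly detector over system-call traces.

Added illustration, not the paper's code.  The audit source is assumed to
be a module that intercepts system calls and emits them in order; the
traces below are constructed samples, not real audit data.
"""

WINDOW = 3  # length of the system-call n-grams that make up the profile

# Constructed "normal" audit data: a file-serving loop as an interposing
# audit module might record it during a training period.
NORMAL_TRACES = [
    ["open", "read", "write", "close"] * 4,
    ["open", "read", "read", "write", "close"] * 3,
    ["open", "fstat", "read", "write", "close"] * 3,
]

# Constructed "intrusion" trace: the same process is hijacked, makes its
# stack executable, spawns a shell and connects back out.
INTRUSION_TRACE = ["open", "read", "mprotect", "execve",
                   "dup2", "socket", "connect"]


def ngrams(trace, n=WINDOW):
    """All length-n windows of a trace, in order."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(traces, n=WINDOW):
    """The normal profile is simply the set of n-grams seen in training."""
    profile = set()
    for t in traces:
        profile.update(ngrams(t, n))
    return profile


def anomaly_score(trace, profile, n=WINDOW):
    """Fraction of the trace's n-grams absent from the profile (0.0 to 1.0).

    0.0 means every window was seen during training; 1.0 means none was.
    """
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    mismatches = sum(1 for g in grams if g not in profile)
    return mismatches / len(grams)


def is_intrusion(trace, profile, threshold=0.2, n=WINDOW):
    """Raise an alert when the mismatch fraction exceeds the threshold.

    The threshold is a constructed tuning knob: too low and ordinary drift
    in program behaviour produces false positives, too high and a short
    malicious sequence inside a long benign trace is missed.
    """
    return anomaly_score(trace, profile, n) > threshold


if __name__ == "__main__":
    prof = build_profile(NORMAL_TRACES)
    held_out_normal = ["open", "read", "write", "close"] * 2
    for name, trace in [("held-out normal", held_out_normal),
                        ("intrusion", INTRUSION_TRACE)]:
        print(f"{name:16s} score={anomaly_score(trace, prof):.2f} "
              f"alert={is_intrusion(trace, prof)}")
```

The example also shows why the observability requirement in the text matters: if the audit module missed the `execve`, the mismatch fraction would drop and the alert could be lost, and a detector of this kind can only distinguish intrusions whose call sequences actually differ from the training profile.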