Intrusion detection is the process of monitoring the events occurring in a computer system or
network and analyzing them for signs of possible incidents that are violations or imminent
threats of violation of computer security policies, acceptable-use policies, or standard
security practices. Incidents have many causes, such as malware (e.g., worms, spyware),
attackers gaining unauthorized access to systems from the Internet, and authorized system
users who misuse their privileges or attempt to gain additional privileges for which they are
not authorized [28]. The most common detection technologies and their security functions on
the network are as follows:
• Packet sniffing and recording tools. These tools are used quite often by networking
teams to troubleshoot connectivity issues; however, they can be a security
professional's best friend during investigations and root-cause analysis. When
properly deployed and maintained, a packet capture device on the network
allows security professionals to reassemble sessions and recover the data they
carried (for example, the file a host downloaded, or the commands exchanged with a
command-and-control server) and to hand that material to malware analysts, in a
way that is simply not possible from flow records, logs or alerts alone, because
only a full packet capture preserves the payload bytes.
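As an added example of the "reconstruct data from a full packet capture" point (this code is not from the original page or from any product it describes), the script below builds a constructed libpcap file containing a short HTTP download, then parses it with the standard library only, reassembles each direction of the TCP flow by sequence number, and extracts the transferred file body. The server's segments are deliberately written out of order and one is retransmitted, and a flow with a missing segment stops at the gap rather than fabricating bytes. IP addresses, ports, the file name and the payload are all made up; checksums are left at zero, which real capture tools would flag but which does not affect reassembly.

```python
"""Reassemble TCP streams from a pcap with the Python standard library only."""
import struct
from collections import defaultdict

# ---------- constructed sample capture (not a real trace) ----------
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"          # assumed addresses
CPORT, SPORT = 40000, 80
REQUEST = b"GET /update.bin HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
FILE_BODY = b"MZ\x90\x00\x03\x00\x00\x00\x04"         # 9 bytes, PE-like header
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: 9\r\n\r\n" + FILE_BODY)


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame; checksums are zero (enough for a parsing demo)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic libpcap file (little-endian, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def sample_frames(drop_middle=False):
    """Request, then server chunks out of order with one retransmission."""
    c0, c1, c2 = RESPONSE[:30], RESPONSE[30:60], RESPONSE[60:]
    srv = lambda seq, data: build_tcp_frame(SERVER, CLIENT, SPORT, CPORT, seq, data)
    frames = [build_tcp_frame(CLIENT, SERVER, CPORT, SPORT, 1000, REQUEST),
              srv(5000, c0), srv(5060, c2), srv(5000, c0)]   # c2 early, c0 repeated
    if not drop_middle:
        frames.append(srv(5030, c1))
    return frames


SAMPLE_PCAP = build_pcap(sample_frames())

# ---------- parsing and reassembly ----------
def iter_pcap_frames(data):
    """Yield raw frames from a libpcap file, honouring its byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def tcp_segment(frame):
    """Return ((src, sport, dst, dport), seq, payload) for IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        return None
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return (src, sport, dst, dport), seq, tcp[(tcp[12] >> 4) * 4:]


def reassemble(pcap_bytes):
    """Map each flow direction to its in-order payload bytes.

    Out-of-order, duplicate and overlapping segments are merged by sequence
    number; a gap stops reassembly for that direction (no bytes are invented).
    32-bit sequence wraparound is not handled, which a production tool must do.
    """
    segs = defaultdict(list)
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = tcp_segment(frame)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            segs[key].append((seq, payload))
    streams = {}
    for key, lst in segs.items():
        lst.sort(key=lambda s: s[0])
        expected, data = lst[0][0], bytearray()
        for seq, payload in lst:
            if seq > expected:            # missing segment: stop here
                break
            cut = expected - seq          # bytes already seen (retransmission/overlap)
            if cut < len(payload):
                data += payload[cut:]
                expected += len(payload) - cut
        streams[key] = bytes(data)
    return streams


def extract_http_body(stream):
    """Return the HTTP message body, bounded by Content-Length when present."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return body[:int(line.split(b":", 1)[1].strip())]
    return body


if __name__ == "__main__":
    flows = reassemble(SAMPLE_PCAP)
    print(extract_http_body(flows[(SERVER, SPORT, CLIENT, CPORT)]))
```

The `reassemble` function is the part an investigator relies on: flow records would show only that 10.0.0.5 fetched something from port 80, whereas the reassembled server stream yields the exact bytes of `update.bin` for the analyst. Feeding a capture built with `drop_middle=True` shows the failure mode: the stream ends after the first 30 bytes and the body is never produced, which is the honest answer when a sensor dropped packets.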