in order to safeguard against possible damage to vital information resources.
One of the major challenges in building an IDS is reporting suspicious
and malicious network activity in real time.
In a much-cited survey on IDS, Axelsson [1] depicts a generalized model
of a typical intrusion detection system as shown in Fig. 6.1, where the solid
arrows indicate data/control flow and the dotted arrows indicate a response
to intrusive activity. According to Axelsson, the generic architectural model
of an intrusion detection system contains the following modules:
Audit data collection:
This module is used during the data collection
phase. The data collected in this phase is analyzed by the intrusion
detection algorithm to find traces of suspicious activity. The source of the
data can be host/network activity logs, command-based logs, application-based
logs, etc.
[Fig. 6.1. Organization of a generalized intrusion detection system. Components shown: Monitored Entity; Audit Collection; Storage Data; Analysis and Detection (with Reference Data, Configuration Data and Active/Processing Data); Alarm; Security Authority and Security Officer's Response to Intrusions; Active Intrusion Response.]
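The data flow of Fig. 6.1 carried through in Python, as an added example that is not from the book: audit collection parses constructed host log lines into stored records, analysis and detection compares them with reference data (signatures) and configuration data (a threshold), and the resulting alarms feed a response step. The log format, the signature pattern, the threshold value and all log contents are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed audit lines in an assumed syslog-like format (not from the book).
AUDIT_LOG = """\
2024-01-01T10:00:01 host1 sshd: Failed password for root from 203.0.113.5
2024-01-01T10:00:02 host1 sshd: Failed password for root from 203.0.113.5
2024-01-01T10:00:03 host1 sshd: Failed password for admin from 203.0.113.5
2024-01-01T10:00:09 host1 sshd: Accepted password for alice from 198.51.100.7
2024-01-01T10:01:00 host1 sudo: bob : command not allowed ; COMMAND=/bin/bash
"""
# Reference data: signatures of known-intrusive activity (assumed pattern).
REFERENCE_DATA = {"sudo_denied": re.compile(r"^sudo: \S+ : command not allowed")}
# Configuration data: tunable detection parameters (assumed value).
CONFIG = {"failed_login_threshold": 3}
LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")

def collect_audit_data(raw):
    """Audit data collection: parse raw log lines into stored audit records."""
    records = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not parse are dropped rather than guessed at
            records.append({"ts": m[1], "host": m[2], "proc": m[3], "msg": m[4]})
    return records

def analyse(records, reference=REFERENCE_DATA, config=CONFIG):
    """Analysis and detection: raise alarms from reference and configuration data."""
    alarms, failed = [], Counter()
    for r in records:
        text = f"{r['proc']}: {r['msg']}"
        for rule, pattern in reference.items():  # signature match
            if pattern.search(text):
                alarms.append((rule, r["host"], r["msg"]))
        m = FAILED_RE.search(r["msg"])  # threshold-based check per source
        if m:
            failed[m[1]] += 1
            if failed[m[1]] == config["failed_login_threshold"]:
                alarms.append(("failed_login_burst", r["host"], m[1]))
    return alarms

def respond(alarms):
    """Active intrusion response: turn selected alarms into actions (illustrative)."""
    return [f"block {src}" for rule, _, src in alarms if rule == "failed_login_burst"]

if __name__ == "__main__":
    alarms = analyse(collect_audit_data(AUDIT_LOG))
    print(alarms, respond(alarms))
```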