CS 4235 Spring 2006
12 April 2006
When attempting to secure a network, there is no magic bullet. No one product or
piece of software can even begin to solve all network security related problems.
Administrators must take a holistic approach to network security, implementing separate
controls for the separate vulnerabilities in their networks. They must educate users to
prevent them from compromising the network, install anti-virus software to identify and
remove malicious code from the network’s systems, and put up firewalls to block
malicious outsiders from entering the network.
Intrusion detection fits into its own niche within network security. Of the three
major areas of security: prevention, detection, and response, intrusion detection assists
network administrators with detection (“Computer”). One of the most frightening
realities that a network administrator deals with is that, in many cases, he may not even
be aware that his network is being attacked (especially if the attacks are unsuccessful,
resulting in no symptoms). Given an infinite number of attempted attacks, at least one
will eventually succeed. Thus, intrusion detection is necessary to discover these
attempts, hopefully before they become an issue.
This research paper will discuss three main areas of intrusion detection. First, it
will define intrusion detection, provide relevant background information on the subject,
and introduce the various categories of intrusion detection systems. Next, it will discuss
the historical circumstances which led to the development and evolution of intrusion
detection. Finally, it will compare and contrast the intrusion detection products available
in the market today, allowing the reader to find a system that they might use to protect
their own network.
In information security, we aim to preserve the confidentiality, integrity, and
availability of information systems. In the most general sense, intrusion detection can be
defined as “the act of detecting actions that attempt to compromise the confidentiality,
integrity, and availability of a resource” (“Intrusion Detection”). There are two ways in
which intrusion detection can be performed, and both deal with the review of audit logs
of information system activity. It can be performed manually, which involves a person
examining the audit logs or perhaps other evidence for signs of an intrusion, or it can be
performed by a system that automatically reviews audit logs. Such a system is called an
intrusion detection system (IDS) (“Intrusion Detection”).
Modern networks employ IDSs in order to detect unwanted manipulations to
systems, ranging from attacks made by “script kiddies” with automated tools to those
made by skilled, malicious hackers (“Intrusion-detection system”). These attacks may
include network based attacks against vulnerable services, data driven attacks on
applications, malicious code attacks (viruses, Trojan horses, or worms), and various host
based attacks (privilege escalation, accessing sensitive files, or unauthorized logins)
(“Intrusion-detection system”). IDSs are necessary to detect those types of malicious
network traffic and computer usage attacks that cannot be detected by traditional
firewalls (“Intrusion-detection system”). Whereas firewalls limit the access between
networks in order to prevent intrusions without ever signaling that an attack occurred,
IDSs evaluate suspected intrusions once they have occurred and then signal an alarm
(“Intrusion-detection system”). Firewalls also fall short in that they do not deal with
attacks that originate from within their own network (“Intrusion-detection system”).
Typically, an IDS has three main components: sensors, a console, and a central engine
(“Intrusion-detection system”). Sensors generate security events, the console controls the
sensors and monitors events and alerts, and the central engine records the events
generated by the sensors and determines if an alarm should be triggered (“Intrusion-
There are two main locations in which an IDS can operate; it can either be host-
based or network-based (“Intrusion Detection”). A host-based IDS resides on a single
system, usually in the form of a software agent, trying to detect malicious activity that
may be occurring on the system on which it is installed (“Intrusion-detection systems”).
This agent does so by analyzing virus scanners, system activity, and system logs (system
calls, application logs, or file modifications) for evidence of possibly illegitimate activity
(“Host-based”). A host-based IDS focuses its efforts on the internals of a system, rather
than on the external interfaces of a system as a network-based IDS would do (“Host-
A network-based IDS, by contrast, is an independent system, usually connected to
a hub or switch, which examines network traffic in order to identify possible intrusions
(“Intrusion-detection systems”). By reading all incoming traffic and looking for
suspicious patterns, a network-based IDS tries to detect common malicious acts that
propagate through networks such as port scans, denial of service attacks, and login
attempts by unauthorized users (“Network”). A network-based IDS does not, however,
limit itself to incoming traffic only; outgoing or local traffic can be monitored as well in
order to detect possible attacks by insiders (“Network”).
In reality, most IDSs used in the real world are neither purely host-based nor
purely network-based. They are actually hybrids which combine the approaches used by
both types. A hybrid IDS combines data from a host agent with network information in
order to form a comprehensive view of an entire network (“Intrusion-detection systems”).
Besides their classification by location, IDSs can also be classified by how they
actually detect intrusions. A signature-based IDS (also known as a misuse detection IDS)
identifies traffic patterns or application data presumed to be malicious by matching the
data it monitors against a set of “known” attacks (“Intrusion Detection”). It works much
like anti-virus software in that it compares the information it gathers to a large database
of previously documented attack “signatures,” looking for specific attacks (“Intrusion-
detection systems”). In this sense, a signature-based IDS is only as good as its list of
attacks which it is able to detect (“Intrusion-detection systems”).
An anomaly-based IDS, on the other hand, has no predefined set of attacks for
which it checks. Instead, it compares the information it gathers to a “normal” baseline
based on other, previously gathered information (“Intrusion Detection”). Through self-
learning, an anomaly-based IDS defines for itself what a normal system state is by
statistically analyzing characteristics such as traffic load, breakdown, protocol, typical
packet size, etc (“Intrusion-detection system”). Once this baseline has been defined, it
then classifies each piece of information it examines as either normal (falling within
some preset range around the baseline) or anomalous (outside of that range)
(“Anomaly”). Whereas a signature-based IDS is quite limited in what it can detect, an
anomaly-based IDS can detect any type of misuse that is not considered normal system
Once an IDS has determined that an intrusion has occurred, there are several
actions that it can take. Generally, intrusion detection does not include the prevention of
intrusions, and taking action to stop an intrusion or prevent it from happening again is
outside of the scope of intrusion detection (“Intrusion Detection”). When an IDS detects
an intrusion, it usually logs the relevant information to some kind of database, and then
perhaps generates an alert in the form of an e-mail or pager message to let the appropriate
party know what has occurred (“Intrusion Detection”). Most IDSs operate in this
manner, and are known as “passive” systems (“Intrusion-detection system”). However,
there are “reactive” systems which take actions upon detecting an intrusion such as
logging off an unauthorized user or reconfiguring a firewall to block traffic from a
malicious attacker (“Intrusion-detection system”).
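The signature-based matching and the passive versus reactive responses described above, carried through on a constructed audit stream as an added example (this is not code from the paper or from any IDS product; the signature set, thresholds, addresses and events are all constructed here):

```python
"""Signature-based (misuse) detection over a constructed audit stream.

Added example for this paper, not code from the paper or any vendor. The
"signature database" is deliberately tiny: one content signature (a
directory-traversal pattern in a request line) and two stateful signatures
(a burst of failed logins; one source probing many ports in a short window).
Anything not in the database, such as the final event, produces no alarm,
which is the limitation the paper describes.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # seconds since start of capture (constructed)
    src: str      # source address (constructed)
    dport: int    # destination port
    summary: str  # one line of audit text: request line, auth message or flag


@dataclass(frozen=True)
class Alarm:
    signature: str
    src: str
    ts: int


# Content signatures: (name, pattern matched against the summary line).
CONTENT_SIGNATURES = [("path-traversal", re.compile(r"\.\./"))]

FAILED_LOGIN_THRESHOLD, FAILED_LOGIN_WINDOW = 5, 60  # 5 failures within 60 s
PORT_SCAN_THRESHOLD, PORT_SCAN_WINDOW = 6, 10        # 6 distinct ports within 10 s

# Constructed audit stream: a legitimate request, a traversal attempt, a run of
# failed SSH logins, a port sweep, and a novel event that matches no signature.
EVENTS = (
    [Event(0, "10.0.0.5", 80, "GET /index.html HTTP/1.1"),
     Event(2, "10.0.0.5", 80, "GET /images/../../etc/passwd HTTP/1.1")]
    + [Event(10 + 4 * i, "192.168.1.9", 22, "sshd: Failed password for admin")
       for i in range(5)]
    + [Event(30 + i, "172.16.0.7", port, "SYN")
       for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443))]
    + [Event(60, "10.0.0.8", 80, "POST /upload HTTP/1.1 body=12MB")]
)


class SignatureIDS:
    """Matches each event against the signature database; the stateful
    signatures keep a sliding window of recent activity per source."""

    def __init__(self):
        self._failed = defaultdict(list)  # src -> timestamps of failed logins
        self._syns = defaultdict(list)    # src -> (ts, dport) of connection attempts

    def observe(self, ev):
        """Return the alarms this event triggers (possibly none)."""
        raised = [Alarm(name, ev.src, ev.ts)
                  for name, pat in CONTENT_SIGNATURES if pat.search(ev.summary)]
        if "Failed password" in ev.summary:
            hits = self._failed[ev.src]
            hits.append(ev.ts)
            hits[:] = [t for t in hits if ev.ts - t <= FAILED_LOGIN_WINDOW]
            if len(hits) >= FAILED_LOGIN_THRESHOLD:
                raised.append(Alarm("failed-login-burst", ev.src, ev.ts))
                hits.clear()
        if ev.summary == "SYN":
            seen = self._syns[ev.src]
            seen.append((ev.ts, ev.dport))
            seen[:] = [(t, p) for t, p in seen if ev.ts - t <= PORT_SCAN_WINDOW]
            if len({p for _, p in seen}) >= PORT_SCAN_THRESHOLD:
                raised.append(Alarm("port-scan", ev.src, ev.ts))
                seen.clear()
        return raised


def run(events, reactive=False):
    """Feed the stream through the IDS and return (alarms, blocked sources).
    Passive mode only records alarms; reactive mode also cuts off the source
    so that its later events are no longer processed."""
    ids = SignatureIDS()
    alarms, blocked = [], set()
    for ev in events:
        if ev.src in blocked:
            continue                   # reactive response already cut this source off
        for alarm in ids.observe(ev):
            alarms.append(alarm)       # passive response: log it for the operator
            if reactive:
                blocked.add(alarm.src)  # reactive response: block the source
    return alarms, blocked
```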
A Bit of History
In 1972, James P. Anderson realized that several problems existed with network
security audit logs. Back then, logs existed as large amounts of dot-matrix fan-folded
paper which was not easily analyzable for intrusions (Innella). In 1980, Anderson was
hired to improve the security auditing and surveillance capability of a company’s
systems. During the investigation, Anderson suggested that audit trails could be useful
for tracking misuse and understanding user behavior (Innella). Anderson wrote his
findings in the groundbreaking article “Computer Security Threat Monitoring and
Surveillance,” and the concept of automated intrusion detection was born.
In his article, Anderson made many suggestions for ways to improve monitoring
computer usage in order to detect misuse and intrusions. At the time, the customer kept
audit trails on a weekly or monthly basis. The data was dumped into a single file from
which various reports (primarily for accounting purposes) were produced. After
producing these reports, the customer transferred all data to a tape, and had several years
of raw data in this format. The audit trail data was mostly distributed to customer data
processing personnel (rather than IT), and in general, the users of a company database or
application did not receive any relevant security audit trail data. The company’s audit
data could detect unauthorized access based on user identification. However, the system
was flawed; it did not take into account users who operated at a level of control that
bypassed application level auditing. By gaining access to an account, a hacker could
escape detection, and even a valid programmer could abuse their privileges and access
lower level database files without leaving a trace. Since most operating systems back
then lacked built-in access control mechanisms, these logs also placed a heavy burden on
the customer’s system. Audit trails were rarely complete enough to support the needs of
the security officers (Anderson).
Anderson divided malicious attacks into three categories: external penetration,
internal penetration, and misfeasance. The categorization of an attack was based on
whether or not an attacker had authorized access to a computer they were penetrating and
whether or not that attacker had access to the resources that they were accessing.
External penetration occurs when the attacker has neither access to the computer nor the
resource. Internal penetration occurs when the attacker has gained use of a machine, and
has thus overcome a major barrier to unauthorized access. Misfeasance involves the
misuse of authorized access both to the system and to its data (Anderson).
In order to detect abnormal use, Anderson proposed creating a profile of the
characteristics of normal computer use for legitimate users doing legitimate tasks. A
user’s profile included both the list of programs they usually ran as well as the data files
that entered their programs. Also, several time parameters were included, such as the
time of day a job was run, the day of the week the job was run, and the amount of time
the job took to run. Abnormal behavior could then be detected by viewing the variability
in these time parameters, usually by viewing the sum of the squares of the absolute values
of the difference between average time for a user and a measured time with the formula
$\mathrm{score} = \sum_{i=1}^{n} \lvert A_i - B_i \rvert^2$, where $A_i$ is the user's average
for the $i$-th parameter and $B_i$ the measured value. This formula showed whose login patterns exhibited the greatest
variability, which may have been the result of illicit use. If a parameter ever fell more
than 2.58 standard deviations from the mean in either direction, this would be reported as
an exception (Anderson). Obviously, these ideas very closely resemble an anomaly-
In 1983, Dr. Dorothy Denning of SRI International began working on a new IDS
for the government. Denning and Dr. Peter Neumann created the Intrusion Detection
Expert System (IDES), the first functional IDS for a Navy SPAWAR contract. The
system’s goal was to analyze audit trails from government mainframe computers and to
create profiles of users (Innella). In 1987, Denning published “An Intrusion-Detection
Model” based on the hypothesis that security violations can be detected by monitoring a
system’s audit records for abnormal patterns of system usage.
In her paper, Denning theorized that four factors motivated the development of a
real-time intrusion detection system. First, security flaws in existing systems allowed
intrusions and finding and fixing all these deficiencies was not feasible for technical and
economic reasons. Second, existing systems with flaws could not be replaced by
more secure systems because of important features which only existed in the less secure
systems. Third, creating a system which was completely secure was almost impossible.
Lastly, secure systems were still open to misuse and abuse by insiders (Denning).
Denning’s model borrowed a lot from Anderson’s in that it was highly
statistically based. Her model included six main components: subjects (who initiate
activity), objects (the resources in the system: files, commands, devices, etc.), audit
records (created by the system and based on the actions of the subjects), profiles
(structures which characterize the subject’s behavior), anomaly records (created when
abnormal behavior is detected), and activity rules (actions taken when certain conditions
are met). The model worked as a rule-based pattern matching system which observed
standard operations on the system, looking for abnormal usage (Denning).
Activity profiles for a subject’s behavior were recorded in terms of a statistical
metric and a model. The metric represented a quantitative measure calculated over a
period of time. Types of metrics included the event counter (number of audit records
satisfying some property), interval timer (the length of time between two related events),
and resource measures (the quantity of resources used by an action). The statistical
models contained metrics and determined if a new observation was abnormal compared
with previously found values (Denning).
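The profile-and-threshold approach that Anderson's scoring formula and 2.58-standard-deviation rule and Denning's three metric types describe (and that the anomaly-based IDS section outlines), carried through on constructed data as an added example; this is not code from either paper or from IDES, and the users, metric names and five-day history are assumptions:

```python
"""Statistical profiling of audit records in the style of Anderson (1980) and
Denning (1987). Added example for this paper; not code from either author.
All audit data below is constructed.

Each record summarises one user's activity for one day with Denning's three
metric types: an event counter (jobs run), an interval timer (minutes logged
in) and a resource measure (CPU seconds). A profile is the per-metric mean and
standard deviation over the user's history. A new observation is scored with
Anderson's sum of squared absolute deviations, score = sum_i |A_i - B_i|^2,
and any metric more than 2.58 standard deviations from its mean is reported as
an exception.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

SIGMA_LIMIT = 2.58  # about 99% of a normal distribution lies within +/- 2.58 sigma


@dataclass(frozen=True)
class DailyActivity:
    user: str
    day: int
    jobs: int        # event counter: audit records (job runs) that day
    minutes: float   # interval timer: total time between login and logout
    cpu_sec: float   # resource measure: CPU time consumed


METRICS = ("jobs", "minutes", "cpu_sec")

# Constructed five-day history for two users (not real audit data).
HISTORY = [
    DailyActivity("alice", 1, 4, 60, 10),
    DailyActivity("alice", 2, 6, 80, 14),
    DailyActivity("alice", 3, 5, 70, 12),
    DailyActivity("alice", 4, 5, 70, 12),
    DailyActivity("alice", 5, 5, 70, 12),
    DailyActivity("bob", 1, 2, 200, 50),
    DailyActivity("bob", 2, 2, 220, 50),
    DailyActivity("bob", 3, 2, 210, 50),
    DailyActivity("bob", 4, 2, 210, 50),
    DailyActivity("bob", 5, 2, 210, 50),
]


def build_profile(history, user):
    """Return {metric: (mean, population std dev)} over one user's history."""
    rows = [r for r in history if r.user == user]
    if not rows:
        raise ValueError(f"no history for {user}")
    return {m: (mean(getattr(r, m) for r in rows),
                pstdev(getattr(r, m) for r in rows)) for m in METRICS}


def score(profile, obs):
    """Anderson's variability score: sum over metrics of |A_i - B_i|^2, with
    A_i the profile mean and B_i the observed value. The formula is not
    normalised, so metrics with large absolute values dominate the sum."""
    return float(sum(abs(profile[m][0] - getattr(obs, m)) ** 2 for m in METRICS))


def exceptions(profile, obs):
    """Metrics whose observed value lies more than SIGMA_LIMIT standard
    deviations from the profile mean. If a metric never varied in the history
    (std dev 0), any change at all counts as an exception."""
    flagged = []
    for m in METRICS:
        avg, sd = profile[m]
        if abs(getattr(obs, m) - avg) > SIGMA_LIMIT * sd:
            flagged.append(m)
    return flagged


def rank_variability(history):
    """Users ordered by the mean score of their own history against their
    profile; those whose patterns vary most come first."""
    ranked = []
    for u in sorted({r.user for r in history}):
        p = build_profile(history, u)
        own = [r for r in history if r.user == u]
        ranked.append((u, mean(score(p, r) for r in own)))
    return sorted(ranked, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for obs in (DailyActivity("alice", 6, 5, 75, 40),   # CPU use far above normal
                DailyActivity("bob", 6, 3, 210, 50)):   # one extra job for a steady user
        p = build_profile(HISTORY, obs.user)
        print(obs.user, "score", score(p, obs), "exceptions", exceptions(p, obs))
    print(rank_variability(HISTORY))
```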
These two groundbreaking papers set the stage for future progress in the realm of
intrusion detection. In 1989, Haystack Labs became the first commercial vendor of IDS
tools. Among these was Stalker, a host-based, signature-based IDS (Innella). During the
early 1990’s, Science Applications International Corporation (SAIC) introduced
Computer Misuse Detection System (CMDS), a host-based IDS (Innella). In 1990, Todd
Heberlein introduced the ideas of network-based intrusion detection and distributed IDSs
(dIDS) (Innella). That same year, the Air Force's Cryptologic Support Center created the
Automated Security Measurement System (ASIM) which monitors network traffic on the
US Air Force's network. ASIM was designed for scalability and portability, issues that
had previously inhibited network-based IDS products. It was the first hybrid IDS, a
system that combined both hardware and software (Innella). In 1994, the Wheel Group
introduced NetRanger, the first commercially viable network-based IDS (Innella).
In 1998, Presidential Decision Directive 63 (PDD-63), “[set] a goal of a reliable,
interconnected, and secure information system infrastructure by the year 2003” (Clinton),
bringing information security into the public eye and prompting more companies to
produce IDS products. Within a few years, companies such as ISS, Cisco, Symantec and
others created their own IDS products or merged with companies that sold them (Innella).
Due to the increasing concern over information security, many companies have
introduced a wide variety of IDS products. Obviously, due to the multitude of products
currently on the market, this report can only cover a small portion of them. Instead, it
will concentrate on products from major, well-trusted companies and extremely popular
systems, rather than smaller companies or systems for specialty networks or hosts.
Cisco, one of the leading manufacturers of networking equipment, sells IDS
products. The Cisco Intrusion Detection System has the ability to simultaneously protect
multiple network subnets through the support for multiple sniffing interfaces, thereby
delivering up to five sensors in one. The Cisco Secure IDS Sensors incorporate user-
defined feedback, so that the system can automatically eliminate specific connections
identified with the unauthorized activity. Only the unauthorized traffic from internal
users or external intruders will be quickly and effectively removed. By instantly
changing Access Control Lists (ACLs) of Cisco routers as unauthorized activity is
detected, Cisco Secure IDS can dramatically improve security posture (“Cisco
In addition to the Cisco Intrusion Detection System, Cisco offers a broad family
of products, all of which are priced in proportion to the amount of traffic that they can
handle. Smaller businesses can pay less for a system that
handles less traffic, while larger businesses can spend more for a system that handles
more traffic. For smaller businesses, Cisco offers the Cisco Secure IDS-4210 Sensor and
Cisco IDS-4215-K9 Sensor which handle 45 Mbps and 80 Mbps traffic respectively.
Either can be easily purchased for less than $8,000. Larger businesses would be more
interested in the Cisco IDS-4235-K9 or Cisco IDS-4250-TX-K9 which handle up to 200
Mbps and 500 Mbps traffic and sell for less than $19,000 and $25,000 respectively
Symantec, an information security company famous for its anti-virus software,
produces Symantec Host IDS. Symantec Host IDS protects information assets with a
complete library of intrusion detection signatures, and includes regular updates from
Symantec (“Enterprise”). The basic system sells from around $280 to $330 per copy
(“Symantec Host”). Symantec also offers a few add-ons. ManHunt Smart Agent allows
IT administrators to feed events from an IDS into ManHunt in order to monitor and
analyze the events from the ManHunt administration console. This add-on is available
for Symantec Host IDS, as well as several other IDS systems (“Symantec Announces").
McAfee, another company famous for anti-virus software, produces the McAfee
IntruShield. The product family includes IntruShield 4000, IntruShield 2600, and
IntruShield 1200, scaling from hundreds of Mbps to multi-gigabit bandwidth rates. Each
level of IntruShield is available in two styles. IntruShield Global Manager provides
global intrusion prevention system (IPS) deployments of up to several hundred sensors.
IntruShield Manager is suited for distributed deployments supporting up to six sensors.
Both systems feature virtual IPSs and an internal firewall to protect from overlapping
hybrid attacks. IntruShield also offers selective blocking of attacks, which can be user-initiated
or automated. The sensors can selectively block malicious packets or sessions (without
affecting legitimate traffic), terminate offending sessions, reconfigure firewall ACLs, log
packet sessions, and generate notifications by e-mail, PDA, and pager (“McAfee
Different products in the IntruShield family are oriented towards businesses of
varying sizes. For small business use, McAfee makes the IntruShield 1400 and 1200.
They can handle up to 200 Mbps of traffic on up to 4 x Fast Ethernet Ports (“McAfee®
IntruShield® Network”) and sell for around $6,000 to $12,000 (“McAfee IntruShield -
Froogle”). Larger businesses can choose from IntruShield 2700, 3000, 4000, and 4010,
which vary from 600 Mbps to 2 Gbps and have between 4 and 12 ports. Each product is
available in copper and fiber (“McAfee® IntruShield® Network”).
Tripwire, Inc., a leader in auditing software, concentrates on two IDS products.
Tripwire for Servers is designed for smaller organizations. It monitors servers and
desktops and allows management of thousands of installations. The system uses Secure
Sockets Layer (SSL), a security protocol that supplies authentication and data encryption
protection for every communication link between the Tripwire-equipped servers and the
Tripwire Manager. It also allows the user to create a “golden build” state of proper use
for comparison and provides multi-vendor support for monitoring servers and detecting
changes (“Change”). Tripwire for Servers sells for around $9,000 (“Techworld.com”).
Tripwire Enterprise is designed for larger organizations. It automatically directs third-
party tools to immediately restore changed systems to their trusted state and prides itself
on its thorough change archive. The system produces customizable reports and
dashboards to document the effectiveness of changes in management processes and
provides security for “millions of elements” including files, directories, registry settings,
directory server objects, and configuration files (“Tripwire”). Tripwire Enterprise costs
$3,999 for the server software, plus $595 per agent and $125 per agentless device on
which it is placed (“Review”).
Enterasys is well known for its wide variety of Dragon products for both host-based
and network-based IDSs. The Dragon® Host Sensor and Web Server Intrusion Prevention
determines if content has been changed via an MD5 hash. It also analyzes log files or
directories against signature policy and monitors for opened TCP and UDP ports for
protection against backdoor services. It detects suspicious privilege escalations and other
signs of kernel-level compromise and provides an open and easy interface for custom
module development (“Enterasys Dragon® Host”). The system costs anywhere from
$540 to $625 for one user license (“Dragon”) or $47,100 for a 100-user license (“Buy”).
Dragon Network Defense consists of three parts: Dragon Security Command Console, a
security information manager (SIM); Dragon Behavioral FlowProcessor; and Dragon
Behavioral Flow Sensor. Different models of the three parts can be chosen, allowing
organizations to customize the system to their specific needs. The system also
provides a “before, during and after” view of vulnerabilities and uses flow-based
architecture for granular monitoring and data collection. With more than 10,000
signatures and events mapped to Dragon, it detects zero-day attacks, worms, viruses, DDoS
attacks and other threats before they can spread (“Enterasys Dragon® Network”).
Sourcefire is an IDS from the creators of Snort (“SOURCEFIRE”). It provides
line speeds from 3 Mbps to 4 Gbps (“SOURCEFIRE”). The hardware, software, and
operating system are optimized for mission-critical applications with a latency of
approximately 100µs (“Sourcefire Network”). Sourcefire provides protection for VoIP
(“Sourcefire Network”). Sensor throughput varies between models (“SOURCEFIRE”).
The models range from the IS500, with a throughput of 5 Mbps and a price tag of $3,500,
to the IS5800, with a throughput of up to 8 Gbps and a cost of $78,500
As with any technology, there are several issues concerning IDSs that must be
considered. In security, one of the fundamental tradeoffs is that of security versus
performance. As we make a system more secure, we inevitably hinder performance, and
IDSs are no exception to this rule. Even at their inception, Anderson noted that as the
number of legitimate users of a system grows, an IDS will begin to log an extremely high
amount of login information, consuming system resources such as CPU time and disk
storage space (Anderson). If we attempt to remedy this problem by limiting the amount
of login audit data we collect, the IDS becomes less effective, hindering security
(Anderson). Network-based IDSs suffer greatly from this performance problem. During
a flood-type attack (or any period of high traffic), most network-based IDSs become so
busy capturing packets that they cannot readily analyze them to deduce that a denial of
service attack is occurring (Bace). An attack can sometimes cause the IDS to crash,
rendering it ineffective. If the IDS does in fact detect the attack and drop packets in order
to keep itself online, we lose security because we will never be able to analyze the
dropped packets (Ranum).
IDSs also tend to suffer from a problem with false positives (McClure). It is
desirable to minimize the number of false positives that are triggered, as they are
extremely bothersome. Whenever an IDS generates an alert, the person responsible for
receiving alerts has to respond, perhaps taking time away from other important work.
These false alarms greatly reduce productivity. During its initial period of installation, an
anomaly-based IDS has to analyze a large amount of information in order to form its
baseline, often requiring extensive “training sets” of system event records in order to
characterize normal behavior patterns (Bace). During this initial training phase, the IDS
produces many false positives (“Understanding”). However, after training, even
legitimate users (and networks) can often exhibit behavior which is “abnormal” (Bace).
The very nature of a job may be irregular; an employee may work on a problem for
varying amounts of time and at all times of the day, making it very hard for the IDS to
determine what normality is (Anderson). Thus, although false positives can be
minimized over time, they can never be reduced to zero, and there will always be some
annoyance for security personnel.
Besides issues with performance and false positives, several smaller issues with
IDSs also exist. First, consider what happens when an IDS logs a series of invalid login
attempts. Someone reviews the logs, and tries to determine if an outside attacker is
attempting to crack into the network. But what if a legitimate user just mistyped his
password several times? The log reviewer then sees several close mutations of a
legitimate login in the audit log, and may be able to deduce the actual password for an
account to which he is not authorized (Anderson).
Next, consider a case in which host-based IDSs are installed for use in a
distributed system. They are difficult to manage, as individual differences between
systems require administrators to customize each installation (Bace). Besides sapping the
CPU time and eating up storage space on their host system, they make tempting targets
for attackers as well. Host-based IDSs are susceptible to denial-of-service attacks, as they
generally focus more on application data and system calls than network packets. Once
the IDS has been disabled via a denial-of-service attack, the attacker can then hack into
the system undetected (Bace).
Also, IDSs cannot read encrypted traffic (McClure). Although they may be able
to monitor the flow of packets throughout a network, IDSs cannot actually discern the
upper-layer contents of most of those packets. If a malicious user launches an attack at
the application layer, all of the packets he sends will remain encrypted until they reach
the application layer of the target host. IDSs generally do not monitor application data as
closely as system data, and thus they are more vulnerable at the application layer. As is
the case with a denial-of-service attack, an application level attack may disable the IDS,
leaving the computer open for hacking (Bace).
There is even some debate over whether or not IDSs are effective at all. All an
IDS can do is tell you that you have been attacked. It cannot actually back-track the
attacker, which would be very difficult anyway for even the most technically skillful
expert (Howarth). It cannot determine if the attack was successful, only that it occurred
(Bace). Even Anderson noted that some malicious users (particularly insiders) can be
nearly impossible to detect, as they possess correct usernames and passwords and never
login at inappropriate times (Anderson).
Intrusion detection fills a needed role in network security. Most companies today
have to worry more about corporate espionage and internal spies than random outside
attacks, which are much easier to detect and prevent. Anderson and Denning realized
that outside attacks as well as internal attacks and internal misuse could all be detected by
analyzing already existing audit log data. Because of their papers, there exists today a
great variety of intrusion detection systems, all of which alert network administrators
whenever anything suspicious occurs which may be an attack.
Recent corporate and political interest in information security, as emphasized in
PDD-63, has encouraged an explosion of commercial intrusion detection products. These
products cater to a wide range of customers with different needs and different budgets.
However, IDSs are by no means a panacea for network security. They provide one piece
of the puzzle, a means by which to detect attacks that slip through other network
defenses. Not only must they be combined with other controls, but they have their own
slew of issues due to their relative infancy. We are confident, though, that future research
will come up with solutions to these issues, and IDSs will become as commonplace in
networks as firewalls and backups.
Anderson, James P. “Computer Security Threat Monitoring and Surveillance.” History of
Computer Security. 26 Feb. 1980. Computer Security Resource Center. 18 Mar.
“Anomaly-based intrusion detection system.” Wikipedia: The Free Encyclopedia. 21
Aug. 2005. 14 Mar. 2006 <http://en.wikipedia.org/wiki/Anomaly-based_intrusion
Bace, Rebecca, and Peter Mell. “Intrusion Detection Systems.” NIST Computer Security
Special Publications. Nov. 2001. National Institute of Standards and Technology.
18 Mar. 2006 <http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf>.
“Buy Enterasys DSHSS7-100-LIC at Provantage.” Provantage. 24 Mar. 2006
“Change Auditing, Server Monitoring & Security for System Availability | Tripwire for
Servers.” Tripwire. 24 Mar. 2006 <http://www.tripwire.com/products/servers/
“Cisco Intrusion Detection System Appliance and Module Installation and Configuration
Guide.” Cisco Systems, Inc. 2004. 4 Mar. 2006 <http://www.cisco.com/
Clinton, William J. “PROTECTING AMERICA'S CRITICAL INFRASTRUCTURES
(PDD 63).” 22 May 1998. 8 Apr 2006 <http://www.fas.org/irp/offdocs/pdd-
“Computer insecurity.” Wikipedia: The Free Encyclopedia. 8 Apr. 2006. 10 Apr. 2006
Denning, Dorothy. “An Intrusion-Detection Model.” IEEE Trans. on Software Eng. Feb.
1987. IEEE. 18 Mar. 2006 <http://www.cs.georgetown.edu/~denning/infosec/ids-
“Dragon® Host Sensor and Web Server Intrusion Prevention - Froogle.” Froogle. 4 May
“Enterasys Dragon® Host Sensor and Web Server Intrusion Prevention.” Enterasys. 24
Mar. 2006 <http://www.enterasys.com/products/ids/DSHSS7/>.
“Enterasys Dragon® Network Defense.” Enterasys. 24 Mar. 2006 <http://
“Enterprise: Products & Services - Symantec Corp.” Symantec. 24 Mar. 2006 <http://
“Host-based intrusion-detection system.” Wikipedia: The Free Encyclopedia. 26 Jan.
2006. 14 Mar. 2006 <http://en.wikipedia.org/wiki/Host-based_intrusion-
Howarth, Fran. “Enterprises under attack - the role of intrusion prevention technologies.”
IT-Director. 4 Mar. 2006 <http://www.itdirector.com/article.php?
“immixTechnology - GSA Schedule Pricing.” immixTechnology. 24 Mar. 2006 <http://
Innella, Paul. “The Evolution of Intrusion Detection Systems.” SecurityFocus. 16 Nov.
2001. 29 Mar. 2006 <http://www.securityfocus.com/infocus/1514>.
“Intrusion Detection.” Wikipedia: The Free Encyclopedia. 3 Jan. 2006. 4 Mar. 2006
“Intrusion-detection system.” Wikipedia: The Free Encyclopedia. 6 Mar. 2006. 14 Mar.
“McAfee IntruShield 1200, 1400, and 2700 Network IPS Appliances.” McAfee. 4 Mar.
“McAfee IntruShield - Froogle.” Froogle. 4 Mar. 2006 <http://froogle.google.com/
“McAfee® IntruShield® Network IPS Appliances.” McAfee, Inc. 2006. 4 Mar. 2006
McClure, Stuart, and Joel Scambry. “Once-promising intrusion detection systems
stumble over a myriad of problems.” InfoWorld (2005). 4 Mar. 2006 <http://
“Network intrusion detection system.” Wikipedia: The Free Encyclopedia. 31 Jan. 2006.
14 Mar. 2006 <http://en.wikipedia.org/wiki/Network_intrusion_detection_
Ranum, Marcus J. “Intrusion Detection: Challenges and Myths.” Window Security.com
(2002). 4 Mar. 2006 <http://www.windowsecurity.com/whitepaper/info/ids/
“Review: Tripwire Enterprise provides robust, intrusion reporting.” SearchSecurity.com.
4 Mar. 2006 <http://searchsecurity.techtarget.com/
“Sourcefire Network Security - Intrusion Sensor.” Sourcefire. 24 Mar. 2006 <http://
“SOURCEFIRE PRODUCT OVERVIEW: Sourcefire 3D System.” Sourcefire. 4 Mar.
“Symantec Announces ManHunt Smart Agent for Symantec Host IDS.” Symantec. 24
Mar. 2006 <http://www.symantec.com/press/2003/n030127a.html>.
“Symantec Host IDS - Froogle.” Froogle. 4 Mar. 2006 <http://froogle.google.com/
“Techworld.com - Tripwire for Servers/Manager 4.” Techworld.com. 24 Mar. 2006
“Tripwire Enterprise | The Premiere Change Auditing Solution for IT Infrastructure.”
Tripwire. 24 Mar. 2006 <http://www.tripwire.com/products/enterprise/
“Understanding Intrusion Detection Systems.” Niscc Technical Note 19 Nov.-Dec. 2003.
18 Mar. 2006 <http://www.niscc.gov.uk/niscc/docs/re-20031119-