Intrusion Detection

An intrusion detection system (IDS) is a product that automates the inspection of audit logs and real-time system events. IDSs are primarily used to detect intrusion attempts, but they can also be employed to detect system failures or rate overall performance. IDSs watch for violations of confidentiality, integrity, and availability. Attacks recognized by an IDS can come from external connections (such as the Internet or partner networks), viruses, malicious code, trusted internal subjects attempting to perform unauthorized activities, and unauthorized access attempts from trusted locations. An IDS is considered a form of a technical detective security control.

An IDS can actively watch for suspicious activity, peruse audit logs, send alerts to administrators when specific events are discovered, lock down important system files or capabilities, track slow and fast intrusion attempts, highlight vulnerabilities, identify the intrusion's origination point, track down the logical or physical location of the perpetrator, terminate or interrupt attacks or intrusion attempts, and reconfigure routers and firewalls to prevent repeats of discovered attacks.

A response by an IDS can be active, passive, or hybrid. An active response is one that directly affects the malicious activity of network traffic or the host application. A passive response is one that does not affect the malicious activity but records information about the issue and notifies the administrator. A hybrid response is one that stops unwanted activity, records information about the event, and possibly even notifies the administrator.
Generally, an IDS is used to detect unauthorized or malicious activity originating from inside or outside of your trusted network. The capability of an IDS to stop current attacks or prevent future attacks is limited. Typically, the responses an IDS can take against an attack include port blocking, source address blocking, and disabling all communications over a .
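To make the response modes concrete, the following added example (not from the study guide, and not any product's code) inspects a few constructed sshd-style audit log lines, counts failed logins per source address, and dispatches a passive, active, or hybrid response once a constructed threshold is crossed. The log format, the threshold of three failures, and the "block the source address" action standing in for a firewall reconfiguration are all assumptions made for the illustration.

```python
"""Minimal audit-log inspector illustrating IDS response modes.

Added example for the section above; the log lines, threshold and
response actions are constructed assumptions, not a real product's logic.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample audit log (simplified sshd-style lines).
SAMPLE_LOG = """\
2024-01-01T10:00:01 sshd: Failed password for root from 203.0.113.7 port 51000
2024-01-01T10:00:02 sshd: Failed password for root from 203.0.113.7 port 51001
2024-01-01T10:00:03 sshd: Accepted password for alice from 198.51.100.5 port 40000
2024-01-01T10:00:04 sshd: Failed password for admin from 203.0.113.7 port 51002
2024-01-01T10:00:05 sshd: Failed password for root from 203.0.113.7 port 51003
2024-01-01T10:00:06 sshd: Failed password for bob from 198.51.100.5 port 40001
"""

# Pattern for the constructed "Failed password" event: user, source IP, port.
FAILED_RE = re.compile(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+) port (\d+)")

# Assumed threshold: this many failures from one source is treated as an attack.
THRESHOLD = 3


@dataclass
class Response:
    """What the IDS did: alerts recorded (passive side) and sources blocked (active side)."""
    mode: str
    alerts: list = field(default_factory=list)
    blocked_sources: set = field(default_factory=set)


def count_failures(log_text):
    """Peruse the audit log and count failed logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(2)] += 1
    return counts


def respond(log_text, mode, threshold=THRESHOLD):
    """Apply the selected response mode to every source over the threshold.

    passive: record the event and raise an alert, leave traffic untouched.
    active:  block the source address (stands in for a firewall change).
    hybrid:  block the source and also record/alert.
    """
    if mode not in ("passive", "active", "hybrid"):
        raise ValueError(f"unknown response mode: {mode}")
    response = Response(mode=mode)
    for source, failures in count_failures(log_text).items():
        if failures < threshold:
            continue
        event = f"{failures} failed logins from {source}"
        if mode in ("passive", "hybrid"):
            response.alerts.append(event)        # notify the administrator
        if mode in ("active", "hybrid"):
            response.blocked_sources.add(source)  # source address blocking
    return response


if __name__ == "__main__":
    for mode in ("passive", "active", "hybrid"):
        print(mode, respond(SAMPLE_LOG, mode))
```

Running the module prints one Response per mode; the passive run carries only an alert, the active run only a blocked source, and the hybrid run both, which is exactly the distinction the section draws.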