Long-Term Intrusion Detection Using Network Monitoring

For example, many worms or viruses cause sudden changes in the amount and type of network traffic when they start to spread. Modern computer hackers pose a strong threat from the outside. If an organization's network is unprotected, a single hacker can easily wreak havoc to vital resources. Just as monitoring and security applications have evolved, hackers have gladly stepped up to the challenge. You may think that having good defensive features like VPNs, firewalls etc. is enough. But hackers are always using new and more sophisticated methods to try to access company systems. Tools like automated hacker robot and Trojans perform automated sweeps of the Internet searching for devices with access vulnerabilities.

As soon as they find one they try to break in and use your systems for malicious activity. Most of that activity will lead to changes in network usage pattern and to downtimes in your own services. Also keep in mind that the most dangerous threats come from the inside: employees that install or run malicious software either by intention or because they do not know better pose a much larger threat to your network. If that happens you have the problem inside of your network.

The conclusion is that you have to prepare for these threats in two ways: Use pro-active tools like firewalls and intrusion detection systems (IDS) as well as proper monitoring of your network usage. For a new threat your IDS and firewall may not be prepared yet. So only with monitoring you will be able to see intrusions that your firewall or IDS device may not yet be aware of.