Intrusion detection and the role of the system administrator

When system administrators monitor the security of computer network(s) they often use an intrusion detection system (IDS). The IDS examines events (in network traffic, operating systems, etc.) and raises an alarm if the events are believed to be symptoms of an intrusion. A number of studies investigate IDSs from a technical perspective. These studies typically investigate the technical quality of different solutions in terms of variables such as the probability of attack detection, probability of false alarm, performance constraints or attack coverage (Mell et al. 2003; Biermann 2001). In practice, however, the IDS is not a standalone entity which makes decisions, but a tool used by system administrators. The IDS administrator monitors the IDS output to filter out false alarms and attempts to verify if compromise has occurred, for example, by investigating the affected system directly (Werlinger et al. 2010). Hence, in operational environments the output of an IDS is processed by an administrator who tries to detect and respond to attacks.