Detection: monitor the system & detect anomalies or activities that
indicate a break-in and report it.
signature analysis: compare log data with predefined attack
signatures. Only known attack methods detectable.
static-state analysis: vulnerability & configuration analyses
dynamic analysis: determine if an attack (suspicious activities) is
underway
Profiles:
vulnerability profiles: list of known vulnerabilities; compared to
system with scanner
system profiles: model of the processes, users, activities expected on
a system compared to actual statistics.
network profiles: amount & type of traffic to establish normal work
patterns; detect abnormalities.
user profiles: detect deviation from standard behavior of a user.
attack profiles: artifacts (fingerprints) left by (attempted) attack;
in logs.
self-monitoring profiles: IDS monitors itself
Offline methods: analyze system while not operational
configuration & system scanning for vulnerabilities (e.g. virus scan)
Online methods: evaluate state info from operation of the system
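Added example (not from the original notes) showing the two detection styles above side by side: signature analysis that matches log lines against predefined attack signatures, and a user profile that flags deviation from a per-user baseline. The log lines, baseline history, signature patterns and the 3-sigma threshold are all constructed for illustration.

```python
import re
from statistics import mean, pstdev

# Signature analysis: predefined attack signatures (constructed regexes).
# Only attacks with a known signature can be detected this way.
SIGNATURES = {
    "failed_login": re.compile(r"Failed password for (invalid user )?\S+ from \S+"),
    "path_traversal": re.compile(r"GET \S*\.\./"),
}

# Constructed sample log lines (not real captures).
LOG = [
    "sshd[1]: Accepted password for alice from 10.0.0.5 port 50000",
    "sshd[2]: Failed password for invalid user admin from 198.51.100.7 port 4000",
    "httpd: GET /static/../../etc/passwd HTTP/1.1",
    "sshd[3]: Failed password for bob from 10.0.0.9 port 4100",
]

def signature_scan(log_lines):
    """Return (line_no, signature_name) for every line matching a known signature."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((line_no, name))
    return hits

# User profile: baseline built from activity observed during normal operation
# (here: failed logins per hour per user), compared with current statistics.
HISTORY = {"alice": [0, 1, 0, 2, 1, 0], "bob": [1, 1, 2, 1, 1, 0]}   # constructed
OBSERVED = {"alice": 1, "bob": 15, "mallory": 3}                       # constructed

def build_profile(history):
    """Per-user (mean, population std dev) of the baseline counts."""
    return {user: (mean(counts), pstdev(counts)) for user, counts in history.items()}

def profile_anomalies(profile, observed, k=3.0):
    """Flag users deviating more than k sigma from baseline, or with no baseline at all.
    A floor of 1.0 on sigma keeps a flat baseline from flagging every tiny change."""
    flagged = []
    for user, count in observed.items():
        if user not in profile:
            flagged.append((user, "no baseline for user"))
            continue
        mu, sigma = profile[user]
        if abs(count - mu) > k * max(sigma, 1.0):
            flagged.append((user, f"{count} vs baseline {mu:.1f} +/- {sigma:.1f}"))
    return flagged

if __name__ == "__main__":
    print("signature hits:", signature_scan(LOG))
    print("profile anomalies:", profile_anomalies(build_profile(HISTORY), OBSERVED))
```

The signature pass finds only what a pattern already describes, while the profile pass catches bob's spike and the unknown user mallory without any attack-specific rule, which is the trade-off the notes draw between signature and profile-based detection.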