A short guide to Log analysis, intrusion detection and event notification

They can prevent an attack from succeeding and minimize the damage if a security breach occurs. For example, software tools or network monitors can help by constantly monitoring network traffic looking for suspicious patterns or by watching for unusual changes in configuration or system files on a server.

By providing early warning of what could be an attack, these tools can drastically minimize the damage caused by an intrusion.

A network intrusion detection system monitors packets on the network and searches for patterns indicating that an intruder is attempting to break into a system (or cause a denial of service attack).

For example, a system could associate an unusually large number of TCP connection requests to many different ports on a target machine with an attempted TCP port scan. Such a system may run either on the target machine that watches its own traffic, or on an independent machine aggressively monitoring all network traffic.

A system integrity verifier monitors systems files to detect changes (for example, a hacker or program modifying an operating system to create a back door). The Microsoft Windows registry and UNIX crontab files are other examples of data to be monitored.

Log file monitors can be utilized to analyze the log files generated by network and IT devices and services, looking for patterns that indicate unusual activity (detecting a large number of failed logins as an attempt to break a user account, for example).