CHAPTER 2 INTRUSION DETECTION SYSTEMS

2.1 Introduction

An intrusion, as defined in Balasubramaniyan et al. [4], is any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource. Intrusion detection is the technique of determining that an attempt has been made to compromise the resource or, worse, that the resource has been compromised. One point that needs to be made clear is that intrusion detection systems (IDSs) do not detect intrusions; they detect evidence or manifestations of intrusions, either while the intrusion is in progress or after an intrusion has occurred.

2.2 Types of Intruders

Intruders are basically of two types: external and internal. External intruders do not have any authorized access to the system they attack. Internal intruders, on the other hand, have some access rights but seek to gain additional capability [22]. A surprisingly large number of security breaches are due to internal intruders. Their motivation is that they can hack, that they are disgruntled employees who want to cause destruction, or that they want to profit from the company.

2.3 Approaches to Intrusion Detection

There have been two approaches to detecting intrusions: anomaly detection and misuse detection.