A firewall controls which connections can reach your computer; it cannot stop an attack that arrives through a service the firewall has been told to allow, and it offers no protection at all once an intruder is already inside. At that point you need an intrusion-detection system (IDS). Where a firewall acts like the locked doors and windows of a house, an IDS acts like a burglar alarm: it tells you when an intruder has already broken in. Few personal computers run an IDS, although most corporate systems exposed to the Internet, such as web servers, do.

How intrusion-detection systems work

To catch known attacks, an IDS may perform signature analysis: it compares traffic or activity against a database of the distinctive patterns, or "signatures," of common attacks, such as the canned exploits favored by script kiddies. A signature might be a particular byte sequence in a packet, the request string a known exploit sends, or a telltale sequence of commands. When the IDS sees a match, it raises an alert identifying that specific attack. Whether anything is done to stop the attack depends on the product (a pure IDS only reports, while an intrusion-prevention system can also block the traffic) and, in the end, on the person who receives the alert.

Because attackers keep inventing new ways to break into a computer, an IDS can't rely on signature analysis alone. To complement it, an IDS may also watch a network or host for behavior that departs from normal, such as a burst of traffic on a port that is rarely used, connections at unusual hours, or repeated failed attempts to log on. When the IDS detects such activity, it notifies the system administrator. With an IDS doing the watching, administrators don't have to find an intruder by manually combing through log files or sitting and monitoring network connections themselves. The trade-off is that "unusual" is not the same as "malicious," so behavior-based detection produces more false alarms than signature matching does.
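As an added illustration of the behavior-based check described above (this is example code written for this page, not part of the original text or any IDS product), the following watches an sshd-style log for a source address that fails to log on repeatedly within a short window. The log lines are constructed for the example; the threshold and window are assumptions a real deployment would tune.

```python
"""Added example: a minimal behaviour-based check, flagging a host that
repeatedly fails to log in. Not code from the page; the log format is a
constructed sshd-style sample and the thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[812]: Failed password for root from 203.0.113.7 port 51234
2024-03-01T10:00:03 sshd[812]: Failed password for root from 203.0.113.7 port 51235
2024-03-01T10:00:04 sshd[812]: Accepted password for alice from 198.51.100.4 port 40001
2024-03-01T10:00:05 sshd[812]: Failed password for admin from 203.0.113.7 port 51236
2024-03-01T10:00:06 sshd[812]: Failed password for admin from 203.0.113.7 port 51237
2024-03-01T10:00:07 sshd[812]: Failed password for oracle from 203.0.113.7 port 51238
2024-03-01T10:30:00 sshd[812]: Failed password for bob from 198.51.100.4 port 40002
2024-03-01T10:45:00 sshd[812]: Failed password for bob from 198.51.100.4 port 40003
"""

# Only failed logins matter for this rule; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def failed_login_alerts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert (ip, count, time) per source IP whose failed logins
    within any sliding `window` reach `threshold`."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerted = set()               # alert once per ip, not on every further failure
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        # Drop failures that fell out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerted:
            alerted.add(m["ip"])
            alerts.append((m["ip"], len(q), ts))
    return alerts


if __name__ == "__main__":
    for ip, n, ts in failed_login_alerts(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {ip}: {n} failed logins within 1 minute")
```

On the sample, 203.0.113.7 trips the rule on its fifth failure inside a minute, while 198.51.100.4, whose two failures are fifteen minutes apart, does not. Widen the window or lower the threshold and the second host is flagged too, which is exactly the false-alarm trade-off the text describes: a user who mistypes a password twice in an afternoon looks the same to this rule as a slow guessing attack.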

Since attackers often replace some of a computer's existing programs (the commands used to list files and running processes, for example) with Trojan horse versions that hide their presence, many intrusion-detection systems include a file integrity checker. The checker records a cryptographic checksum (a hash such as SHA-256) of each important file's contents while the system is known to be clean, and on each routine check recomputes the hashes and compares them against that baseline. Any change to a file's contents, even one that preserves the file's size and timestamp, produces a different hash, and the IDS alerts the system administrator. Checking only the file's size would not do, because an attacker can pad a replacement to exactly the original length. The baseline itself must be stored where an intruder cannot rewrite it, such as on read-only or offline media; otherwise the checker will happily accept the Trojaned files as the new normal.
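The following is an added example of such a checker, written for this page rather than taken from any IDS product. It builds a baseline of sizes and SHA-256 hashes for a directory tree, then demonstrates why hashing contents matters: a Trojaned file of exactly the original size is missed by a size-only comparison but caught by the hash. The directory, file names and contents are all constructed in a temporary directory.

```python
"""Added example: a minimal file-integrity checker using SHA-256 over
file contents, compared against a size-only check. Not code from the
page; the files are constructed in a temporary directory."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file's contents in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record (size, sha256) for every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(path), sha256_file(path))
    return baseline


def check(root, baseline):
    """Compare the current tree against the baseline.

    'size_only' lists what a size-based check would flag, 'hash' what a
    content-hash check flags; 'missing' and 'new' cover removed and added files."""
    current = build_baseline(root)
    report = {"size_only": [], "hash": [], "missing": [], "new": []}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        cur_size, cur_digest = current[rel]
        if cur_size != size:
            report["size_only"].append(rel)
        if cur_digest != digest:
            report["hash"].append(rel)
    report["new"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Replace one file with a same-size Trojaned copy and another with a
    larger one, then return what each kind of check notices."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        ls = os.path.join(bindir, "ls")
        ps = os.path.join(bindir, "ps")
        with open(ls, "wb") as f:
            f.write(b"ORIGINAL ls binary\n")   # 19 bytes (constructed stand-in)
        with open(ps, "wb") as f:
            f.write(b"ORIGINAL ps binary\n")
        baseline = build_baseline(root)      # taken while the system is clean
        # Attacker swaps ls for a replacement padded to the same length ...
        with open(ls, "wb") as f:
            f.write(b"TROJANED ls binary\n")   # also 19 bytes
        # ... and ps for a larger one.
        with open(ps, "wb") as f:
            f.write(b"TROJANED ps binary with extra code\n")
        return check(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In the demo, the size-only check reports just bin/ps, while the hash check reports both bin/ls and bin/ps. Note that the baseline here lives in memory next to the files it protects; a real deployment keeps it on read-only or offline media and runs the checker from a trusted copy, since an intruder with root access could otherwise rewrite both.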

To learn more about intrusion-detection systems and to download various IDS programs for Windows and Linux, visit these sites:

Internet Security Systems

How intrusion-detection systems fail

An IDS is an aid to the system administrator, not a replacement for one. By itself it won't stop an intruder; it alerts you that one may already be in your computer. A firewall or an antivirus program enforces its decision on its own, but an IDS only reports, so someone has to look at every alarm it raises and decide what to do. If the IDS generates too many false alarms, the administrator will soon start ignoring most of the warnings, real ones included, and the IDS might as well not be there.

Attackers use this to their advantage. A common tactic is to set off the IDS deliberately, for example with a denial-of-service attack or a noisy scan from a throwaway address, so that the IDS and the administrator's attention are focused on the obvious attack while the real intrusion slips in quietly alongside it.

Since an IDS looks for the signatures of known attacks or for activity that looks suspicious, attackers can alter their methods to avoid triggering either: encoding an attack string differently so it no longer matches the signature, splitting it across several packets, or spreading a port scan out slowly enough that no single burst looks abnormal. An IDS is also just a program with its own share of bugs and flaws, so if attackers can identify which IDS product a site runs, they may be able to use known flaws in that product to crash, overload or bypass the IDS entirely.
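To show the first of these evasions concretely, here is an added example (written for this page, not taken from any IDS) of a signature matcher that compares raw request text against two constructed signatures, beside a version that first canonicalizes the request the way the target web server would. The signatures, the attack variants and the normalization rules are all assumptions chosen for illustration; real rule sets and decoders are far larger.

```python
"""Added example: why a signature matched against raw bytes is easy to
evade, and the normalization step a better IDS applies before matching.
Not code from the page; signatures and requests are constructed."""
from urllib.parse import unquote

# Constructed signatures for two classic web attacks: a directory
# traversal and a probe for a vulnerable CGI script.
SIGNATURES = {
    "directory-traversal": "../",
    "cgi-bin-probe": "/cgi-bin/phf",
}


def naive_match(request):
    """Match signatures against the request exactly as it was received."""
    return [name for name, sig in SIGNATURES.items() if sig in request]


def normalize(request):
    """Canonicalize the request before matching: percent-decode twice
    (to catch double encoding), unify backslashes, collapse repeated
    slashes and fold case. Assumption: the target server decodes the same way."""
    s = request
    for _ in range(2):
        s = unquote(s)
    s = s.replace("\\", "/")
    while "//" in s:
        s = s.replace("//", "/")
    return s.lower()


def normalized_match(request):
    """Match signatures against the canonical form of the request."""
    return [name for name, sig in SIGNATURES.items() if sig in normalize(request)]


# Constructed variants of the same two attacks, plus a benign request.
REQUESTS = {
    "plain":          "GET /../../etc/passwd HTTP/1.0",
    "url-encoded":    "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0",
    "double-encoded": "GET /%252e%252e/etc/passwd HTTP/1.0",
    "backslash":      "GET /..\\..\\etc\\passwd HTTP/1.0",
    "case-varied":    "GET /CGI-BIN/PHF?Qalias=x HTTP/1.0",
    "benign":         "GET /index.html HTTP/1.0",
}


def evaluate():
    """Return {variant: (naive_hits, normalized_hits)} for every sample request."""
    return {k: (naive_match(v), normalized_match(v)) for k, v in REQUESTS.items()}


if __name__ == "__main__":
    for variant, (naive, norm) in evaluate().items():
        print(f"{variant:15} naive={naive or '-'}  normalized={norm or '-'}")
```

Only the plain variant trips the naive matcher; every encoded, backslash or case-varied form of the same attack sails past it, while the normalized matcher flags all of them and leaves the benign request alone. The design choice that matters is that the IDS must decode exactly as the protected server does: decode more aggressively than the server and you invite false alarms on traffic the server would never interpret as an attack, decode less and the attacker has a gap to hide in.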