Definition
Intrusion detection identifies malicious activity:
In SCU terms: an IDS monitors χ-mode patterns for attack signatures—distinguishing malicious from benign information state transitions.
Detection Types
| Type | What It Monitors |
|---|---|
| Network (NIDS) | Network χ-mode traffic |
| Host (HIDS) | System χ-mode activity |
| Hybrid | Both network and host |
Detection Methods
| Method | How It Works | χ-Mode Approach |
|---|---|---|
| Signature | Match known patterns | Compare to attack χ-templates |
| Anomaly | Detect deviations | Statistical χ-mode baseline |
| Behavior | Model normal activity | χ-mode sequence analysis |
| Heuristic | Rule-based detection | χ-mode policy matching |
Signal Detection Theory
| Outcome | Meaning |
|---|---|
| True positive | Attack correctly detected |
| False positive | Benign flagged as attack |
| False negative | Attack missed |
| True negative | Benign correctly passed |
IDS vs IPS
| System | Action |
|---|---|
| IDS | Detect and alert |
| IPS | Detect and block |
Challenges
| Challenge | χ-Mode Difficulty |
|---|---|
| Encrypted traffic | Can't see χ-mode content |
| Zero-day attacks | No signature exists |
| Data volume | Too many χ-modes to analyze |
| Evasion | Attackers modify χ-mode patterns |
Base Rate Problem
Rare events + imperfect detection = many false positives: when attacks are a tiny fraction of all events, even a small false positive rate applied to the large benign majority yields more false alarms than true detections, so most alerts are benign.
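The Signal Detection Theory outcomes and the base rate effect, worked as an added example (not part of the original page): given the attack base rate, the detection rate and the false positive rate, it computes the expected count of each of the four outcomes and the precision of the alerts, and solves for the false positive rate an IDS would need to reach a target precision. The scenario values (1 attack per 10,000 events, 99% detection, 1% false alarms) are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcomes:
    """Expected counts for the four signal-detection outcomes."""
    true_positive: float
    false_positive: float
    false_negative: float
    true_negative: float

    @property
    def precision(self) -> float:
        """Share of alerts that are real attacks (0.0 when nothing is alerted)."""
        alerts = self.true_positive + self.false_positive
        return self.true_positive / alerts if alerts else 0.0


def expected_outcomes(events: int, base_rate: float,
                      detection_rate: float, false_positive_rate: float) -> Outcomes:
    """Expected outcome counts over `events` observations.

    base_rate: fraction of events that are attacks (the prior)
    detection_rate: P(alert | attack), i.e. sensitivity
    false_positive_rate: P(alert | benign), i.e. 1 - specificity
    """
    attacks = events * base_rate
    benign = events - attacks
    tp = attacks * detection_rate
    fp = benign * false_positive_rate
    return Outcomes(tp, fp, attacks - tp, benign - fp)


def required_false_positive_rate(base_rate: float, detection_rate: float,
                                 target_precision: float) -> float:
    """Largest P(alert | benign) at which precision still reaches target_precision.

    Solves precision = b*d / (b*d + (1-b)*f) for f (Bayes' rule on the alert).
    """
    if not 0.0 < target_precision <= 1.0 or not 0.0 <= base_rate < 1.0:
        raise ValueError("target_precision in (0, 1], base_rate in [0, 1)")
    return base_rate * detection_rate * (1.0 - target_precision) / (
        target_precision * (1.0 - base_rate))


if __name__ == "__main__":
    # Constructed scenario: 1 attack per 10,000 events, 99% detection, 1% false alarms.
    o = expected_outcomes(1_000_000, 1e-4, 0.99, 0.01)
    print(f"TP={o.true_positive:.0f} FP={o.false_positive:.0f} "
          f"FN={o.false_negative:.0f} TN={o.true_negative:.0f}")
    print(f"precision={o.precision:.4f}")  # under 1% of alerts are real attacks
    print(f"FPR needed for 50% precision: {required_false_positive_rate(1e-4, 0.99, 0.5):.6f}")
```

With these numbers the IDS raises about 10,098 alerts of which 99 are real, and reaching even 50% precision requires a false positive rate near 0.01%, which is the pressure that pushes detection engineering toward tighter rules and baselines rather than a higher detection rate alone.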
The Key Insight
Intrusion detection is χ-mode pattern recognition.
Finding attacks in information streams:
- Monitor χ-mode traffic and activity
- Match against known attack patterns
- Detect anomalies from baseline
- Balance detection vs false alarms
When an IDS identifies an attack, it's recognizing χ-mode patterns that indicate unauthorized information state transitions—separating malicious signals from normal activity.