2.1 Intrusion Detection Concept
The intrusion detection concept was introduced by James Anderson in 1980 (Anderson, 1980). In his report entitled "Computer Security Threat Monitoring and Surveillance," Anderson states that the normal use of a computer system can be characterised statistically from the records of users' habitual activity, called audit trails. He shows that audit trails contain the information needed to reconstitute a user's activity. Their analysis makes it possible to retrace and understand the user's behaviour, to identify abuse of computing resources, privilege abuse and excessive use of the computer, and may reveal ongoing or completed attacks. In this way Anderson planted the original idea of intrusion detection, which was initially focused on mainframe environments. In 1986, Dorothy Denning made Anderson's ideas concrete by developing, for the Stanford Research Institute (SRI), a prototype named the Intrusion Detection Expert System (IDES). It was intended to analyse the audit trails of government systems and to inspect user activity. In 1987, Denning published the foundations of the IDES prototype in a paper entitled "An Intrusion Detection Model" (Denning, 1987). This publication marked the beginning of the intrusion detection era. With IDES, Denning proposed not only the first IDS but a methodological model setting out the knowledge necessary for intrusion detection. The concept subsequently flourished in both research and industry, thanks to the attention and funding that the American government granted to research projects.
Intrusion detection is closely linked to the audit mechanism, a ubiquitous facility of modern operating systems (Mé, 1997) that records the events occurring in a computer system. An event is any action undertaken in the system, such as the opening of a login session, the execution of a program or an access to a file (An Introduction, 1995) (Noel et al., 2002). Events are recorded chronologically in a file whose entries include the date and time of the event, the identifier of the user who initiated it, the application used to carry it out, and its result (success or failure). An audit trail is a chronological sequence of such event records. It represents the full history of a user activity, system process or application process (An Introduction, 1995) (Mé, 1997). Analysis of the audit trail makes it possible to reconstruct the complete activity and to determine its duration, the user who performed it, the system resources involved and the outcome of each step (success or failure).
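The reconstruction described above, as an added illustration that is not code from Anderson, Denning or any of the cited works: a small Python script that parses a constructed audit trail whose records carry the fields named in the text (date and time, user identifier, program, accessed object, outcome), groups them into login-to-logout sessions, and derives for each session its duration, the user, the resources involved and the number of failed operations. The record layout and the log lines are assumptions made for the example.

```python
"""Reconstruct user activity from a chronological audit trail.

Added example, not code from the cited works. The record layout
(timestamp|user|event|program|object|outcome) is an assumed format
modelled on the fields described in the text; the audit lines below
are constructed, not captured from a real system.
"""
from datetime import datetime

# Constructed audit trail: one record per line, chronological order.
AUDIT_TRAIL = """\
2024-03-01T08:00:01|alice|login|/usr/bin/login|tty1|success
2024-03-01T08:00:30|alice|exec|/bin/cat|/home/alice/notes.txt|success
2024-03-01T08:01:10|alice|open|/bin/cat|/etc/shadow|failure
2024-03-01T08:01:12|alice|open|/bin/cat|/etc/shadow|failure
2024-03-01T08:01:15|alice|open|/bin/cat|/etc/shadow|failure
2024-03-01T08:05:00|alice|logout|/usr/bin/login|tty1|success
2024-03-01T09:00:00|bob|login|/usr/bin/login|tty2|success
2024-03-01T09:02:00|bob|exec|/usr/bin/vi|/home/bob/report.txt|success
2024-03-01T09:30:00|bob|logout|/usr/bin/login|tty2|success
"""


def parse_trail(text):
    """Turn the raw trail into a list of event records (dicts)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, program, obj, outcome = line.split("|")
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "program": program,
            "object": obj,
            "outcome": outcome,
        })
    return records


def reconstruct_sessions(records):
    """Group records into per-user sessions delimited by login/logout.

    Relies on the trail being chronological, as an audit trail is by
    construction. A session without a logout is returned as incomplete.
    """
    sessions, open_sessions = [], {}
    for r in records:
        if r["event"] == "login":
            open_sessions[r["user"]] = {
                "user": r["user"], "start": r["time"], "end": None, "records": [r],
            }
        elif r["user"] in open_sessions:
            s = open_sessions[r["user"]]
            s["records"].append(r)
            if r["event"] == "logout":
                s["end"] = r["time"]
                sessions.append(open_sessions.pop(r["user"]))
    sessions.extend(open_sessions.values())  # sessions never closed
    return sessions


def summarize(session):
    """Duration, actor, resources, programs and failures of one session."""
    recs = session["records"]
    end = session["end"] or recs[-1]["time"]
    return {
        "user": session["user"],
        "duration_s": (end - session["start"]).total_seconds(),
        "resources": sorted({r["object"] for r in recs}),
        "programs": sorted({r["program"] for r in recs}),
        "failures": sum(1 for r in recs if r["outcome"] == "failure"),
        "complete": session["end"] is not None,
    }


def analyse(text):
    """Full pipeline: trail text -> list of session summaries."""
    return [summarize(s) for s in reconstruct_sessions(parse_trail(text))]


if __name__ == "__main__":
    for summary in analyse(AUDIT_TRAIL):
        print(summary)
```

In the constructed trail, alice's session lasts 299 seconds, touches three objects and contains three failed attempts to open /etc/shadow, which is exactly the kind of per-user pattern Anderson proposed to characterise statistically. The reconstruction is only as good as the trail: it assumes records are complete and in order, and a user able to alter the audit file can rewrite the history it reports.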