An intrusion detection system monitors a computerized environment for indicators of malicious activities and takes a specified action in response to detecting such an indicator. In one example, an intrusion detection system monitors a computer system for the presence of malware (e.g., viruses and malicious code) and blocks such malware upon detection. In another example, an intrusion detection system monitors network communications for cyberattacks and other malicious transmissions and issues an alert upon detection.
In a conventional approach to operating an intrusion detection system, a skilled administrator defines the actions to be taken by the intrusion detection system in response to indicators of malicious activities. The administrator typically bases such definitions on sources of intelligence such as reports of emerging threats. In choosing the sources of intelligence and defining the actions to be taken, the administrator applies considerable experience and knowledge so that the intrusion detection system may keep up with emerging threats.