An intrusion detection system monitors a computerized environment for policy violations and other indicators of malicious activities. For example, an intrusion detection system for a computer system typically monitors the computer system for the presence of viruses and malware. As another example, an intrusion detection system for a computer network typically monitors network communications for cyberattacks and other malicious transmissions.
During operation of an intrusion detection system, a skilled intrusion detection expert defines what the system scans for (e.g., particular artifact patterns, behaviors, etc.). Typically, such scanning configuration is based on the expert's previous experience (e.g., learning from past incidents) and knowledge (e.g., manual research into the best intrusion detection policies and thresholds). With such experience and knowledge at hand, the expert may modify the policies, thresholds, etc. used by the intrusion detection system in order to keep up with evolving threats.
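As an added illustration of the two kinds of configuration described above (artifact patterns and behavioral thresholds), the following Python example is not part of the original text and models no particular product. It defines a small `Policy` (a hypothetical structure) holding regex signatures and a failed-login threshold, scans a set of constructed log lines, and shows how an expert would tighten the threshold when the existing policy proves too lax.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log lines for the example; not taken from any real system.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01 src=10.0.0.5 event=login result=fail user=admin",
    "2024-01-01T10:00:02 src=10.0.0.5 event=login result=fail user=admin",
    "2024-01-01T10:00:03 src=10.0.0.5 event=login result=fail user=admin",
    "2024-01-01T10:00:04 src=10.0.0.5 event=login result=fail user=admin",
    "2024-01-01T10:00:05 src=10.0.0.5 event=login result=fail user=admin",
    "2024-01-01T10:00:06 src=10.0.0.9 event=login result=ok user=alice",
    "2024-01-01T10:00:07 src=10.0.0.9 event=http path=/index.html",
    "2024-01-01T10:00:08 src=10.0.0.7 event=http path=/cgi-bin/x?cmd=../../etc/passwd",
]


@dataclass
class Policy:
    """Hypothetical scanning configuration an analyst maintains."""
    # Artifact patterns: named regexes matched against each raw log line.
    patterns: Dict[str, str]
    # Behavioral threshold: failed logins from one source that trigger an alert.
    failed_login_threshold: int


# A starting policy: one signature plus a lenient brute-force threshold.
BASELINE_POLICY = Policy(
    patterns={"path_traversal": r"\.\./"},
    failed_login_threshold=10,
)


def parse_line(line: str) -> Dict[str, str]:
    """Split 'key=value' tokens into a dict; the leading timestamp is skipped."""
    fields = {}
    for token in line.split()[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def scan(lines: List[str], policy: Policy) -> List[Tuple[str, str]]:
    """Apply a policy to log lines and return (alert_name, detail) tuples."""
    compiled = {name: re.compile(rx) for name, rx in policy.patterns.items()}
    failures = defaultdict(int)
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        # Artifact-pattern detection: signature match on the raw line.
        for name, rx in compiled.items():
            if rx.search(line):
                alerts.append((name, line))
        # Behavioral detection: count failed logins per source and alert
        # exactly once when the configured threshold is reached.
        fields = parse_line(line)
        if fields.get("event") == "login" and fields.get("result") == "fail":
            src = fields.get("src", "?")
            failures[src] += 1
            if failures[src] == policy.failed_login_threshold:
                alerts.append(("brute_force",
                               f"{src} reached {policy.failed_login_threshold} failed logins"))
    return alerts


def tighten_policy(policy: Policy, new_threshold: int) -> Policy:
    """Model the analyst lowering a threshold after reviewing an incident."""
    return Policy(patterns=dict(policy.patterns), failed_login_threshold=new_threshold)


def alert_names(alerts: List[Tuple[str, str]]) -> List[str]:
    return [name for name, _ in alerts]


if __name__ == "__main__":
    before = scan(SAMPLE_LOGS, BASELINE_POLICY)
    after = scan(SAMPLE_LOGS, tighten_policy(BASELINE_POLICY, 3))
    print("baseline alerts:", alert_names(before))
    print("tightened alerts:", alert_names(after))
```

With the baseline threshold of 10, only the signature fires on the traversal-looking request; the five failed logins from one source go unnoticed. Lowering the threshold to 3 adds a `brute_force` alert, which is the kind of adjustment the paragraph describes an expert making from experience. The trade-off is ordinary tuning work: a lower threshold catches slower attempts but raises the false-positive rate on users who mistype passwords.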