Since computer networks and the Internet have been around, they have been vulnerable to malicious attacks. The trend of network security has been to prevent known network attacks while monitoring the network for new attacks. Recently, network administrators have also been trying to react to and prevent these attacks dynamically, meaning as the attack occurs: the action to block the intruder is taken immediately. Over the years, network administrators have been closing up ports and securing resources to improve security via firewalls and access control lists. This has caused attackers to increase the sophistication of their attacks and their level of knowledge about the existing network and system. Ever since, this has been an on-going struggle between attacker and network administrator. When the attacker finds a vulnerability in the network and exploits it, the network administrator needs to identify the intrusion and launch an application to take the appropriate action and block against future attacks. This leaves the attacker to find a new, more sophisticated attack. And the cycle continues.
As it stands now, the main tool network security personnel use to identify attackers is an IDS or "Intrusion Detection System". And the main problem the network security personnel face is parsing and analyzing the torrent of log entries made by the IDS in order to make meaningful sense of it all. It's favorable to have the data analyzed and parsed in a timely manner so action can be taken to block the intruder in time if necessary. The way network administrators are dealing with the problem is through a few commercial software solutions and by fine-tuning IDS rule sets to eliminate false positives and raise the ratio of valid alerts.
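The parsing and aggregation step described above, as an added example that is not part of the original text and not taken from any particular IDS product. It reads alert lines in the Snort "fast" alert format, skips malformed lines, collapses the stream into (signature, source host) buckets so an analyst sees one summary row instead of dozens of raw entries, and flags rules that generate a large share of low-priority alerts as candidates for rule-set tuning. The sample alert lines, signature IDs (2000001-2000003) and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort "fast" alert format; addresses are from the
# documentation ranges and the signature IDs are invented for this example.
SAMPLE_ALERTS = """\
01/12-10:01:02.123456  [**] [1:2000001:3] TEST-ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
01/12-10:01:03.223456  [**] [1:2000001:3] TEST-ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
01/12-10:01:05.000001  [**] [1:2000002:1] TEST-SCAN TCP port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44112 -> 198.51.100.5:22
01/12-10:01:05.000900  [**] [1:2000002:1] TEST-SCAN TCP port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44113 -> 198.51.100.5:23
01/12-10:01:05.001800  [**] [1:2000002:1] TEST-SCAN TCP port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44114 -> 198.51.100.5:80
01/12-10:01:06.500000  [**] [1:2000003:2] TEST-WEB suspicious request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:44120 -> 198.51.100.8:80
01/12-10:01:07.100000  [**] [1:2000001:3] TEST-ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.5
this line is not an alert and must be skipped
"""

# One regular expression for the whole fast-format line. The Classification
# field is optional because not every rule carries a classtype.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sid"] = int(d["sid"])
        d["prio"] = int(d["prio"])          # Snort priority: 1 is most severe
        alerts.append(d)
    return alerts


def summarize(alerts, max_priority=2):
    """Collapse alerts into (sid, src) buckets, keeping only buckets whose best
    priority is max_priority or more severe. Each summary row records how many raw
    alerts it stands for and which destination ports were touched."""
    buckets = defaultdict(lambda: {"count": 0, "dports": set(), "prio": 99, "msg": ""})
    for a in alerts:
        b = buckets[(a["sid"], a["src"])]
        b["count"] += 1
        b["prio"] = min(b["prio"], a["prio"])
        b["msg"] = a["msg"]
        if a["dport"] is not None:
            b["dports"].add(int(a["dport"]))
    rows = []
    for (sid, src), b in buckets.items():
        if b["prio"] <= max_priority:
            rows.append({"sid": sid, "src": src, "count": b["count"],
                         "prio": b["prio"], "dports": sorted(b["dports"]), "msg": b["msg"]})
    # Most severe first, then the busiest source.
    rows.sort(key=lambda r: (r["prio"], -r["count"]))
    return rows


def noisy_rules(alerts, share=0.3, low_priority=3):
    """Signature IDs that produce at least `share` of all alerts while never rising
    above `low_priority`: the rules an administrator would look at first when tuning."""
    if not alerts:
        return []
    per_sid = defaultdict(lambda: {"count": 0, "best": 99})
    for a in alerts:
        per_sid[a["sid"]]["count"] += 1
        per_sid[a["sid"]]["best"] = min(per_sid[a["sid"]]["best"], a["prio"])
    total = len(alerts)
    return sorted(sid for sid, s in per_sid.items()
                  if s["count"] / total >= share and s["best"] >= low_priority)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for row in summarize(parsed):
        print(f"P{row['prio']} sid={row['sid']} {row['src']} x{row['count']} "
              f"ports={row['dports']} {row['msg']}")
    print("rules worth tuning:", noisy_rules(parsed))
```

The summary keeps the analyst's attention on the two buckets from 203.0.113.7 and reports the ICMP echo rule as the one that is flooding the log at priority 3, which is exactly the kind of rule the paragraph above says gets tuned to cut false positives.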
2. Popular Methods of Intrusion
4. Methods of Defense and Prevention
When it comes to protecting networks, the security administrator has a few mechanisms. One method is to use a firewall. This essentially blocks traffic based on rule sets consisting of host addresses and/or port numbers. The more firewalls you set up between hosts on a network, the more you can isolate traffic and protect surrounding networks from an attack if an attack were to try to spread throughout your network. Another mechanism is to use access control lists for your hosts and their applications. An access control list or ACL is just a list of hosts that you want to allow access to. In this way, you can assure only known host addresses are being allowed to use the system and services. A third line of defense isn't really a defense but more of an alert system; it's called IDS, or "Intrusion Detection System". IDS is used to monitor and report known attack signatures contained in network data packets. Using firewalls, ACLs and an IDS is good for blocking the problems that are known, but what about preventing the unknown? As far as prevention goes, there really isn't any good solid solution yet. Open source and commercial vendors are attempting to bring forth something called an IPS or Intrusion Prevention System. The main difference between an IDS and an IPS is that an IPS will not only log the attack but also take appropriate action to stop the current attack before it does any more damage. While this sounds like a good idea, it's not quite being implemented successfully at this time. The problem is still distinguishing an attack from random network "noise" (false positives). Attackers are always trying to disguise their intent, so by the nature of the problem it is hard to determine what is really an attack and what isn't. Another problem for large non-homogeneous networks is coordinating the response between hosts on the multiple large networks.
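The first two mechanisms above, firewall rule sets keyed on addresses and ports and a per-service ACL of allowed hosts, as an added example that is not part of the original text and does not reproduce any particular firewall product's syntax. It models first-match evaluation with an implicit default deny, which is how most packet filters behave, so the order of the rules matters: a broad deny placed before a narrow allow wins. The rule set, addresses and service names are constructed for the example; the `|` in the `Rule` annotations relies on `from __future__ import annotations`.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                                        # "allow" or "deny"
    proto: str                                         # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network
    dport: int | None                                  # None matches any destination port


def rule(action, proto, src, dst, dport=None):
    """Build a Rule from CIDR strings; a bare host string becomes a /32 (or /128)."""
    return Rule(action, proto.lower(), ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


# Constructed rule set for this example. Order is significant (first match wins).
RULES = [
    rule("deny",  "any", "203.0.113.0/24", "0.0.0.0/0"),          # 0: block a misbehaving net entirely
    rule("allow", "tcp", "192.0.2.0/24",   "198.51.100.5", 22),   # 1: admin subnet may SSH to one server
    rule("allow", "tcp", "0.0.0.0/0",      "198.51.100.8", 80),   # 2: anyone may reach the web server
    rule("allow", "icmp", "192.0.2.0/24",  "198.51.100.0/24"),    # 3: admins may ping the server net
]


def evaluate(rules, proto, src, dst, dport=None, default="deny"):
    """First-match packet-filter evaluation.

    Returns (action, index) where index is the position of the matching rule, or
    (default, None) when nothing matched. Mixed IPv4/IPv6 comparisons simply fail
    to match rather than raising, so a v6 packet falls through to the default."""
    proto = proto.lower()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.proto != "any" and r.proto != proto:
            continue
        if src_ip.version != r.src.version or src_ip not in r.src:
            continue
        if dst_ip.version != r.dst.version or dst_ip not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return default, None


# A per-service host ACL in the sense the paragraph describes: a list of hosts
# (or networks) that are allowed to use a service; everything else is refused.
SERVICE_ACLS = {
    "ssh":  ["192.0.2.0/24", "198.51.100.20"],
    "http": ["0.0.0.0/0"],
}


def acl_allows(acls, service, host):
    """True if `host` is inside any entry of the ACL for `service`; unknown services deny."""
    ip = ipaddress.ip_address(host)
    return any(ip.version == n.version and ip in n
               for n in map(ipaddress.ip_network, acls.get(service, [])))


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule with the same
    protocol already covers their whole source, destination and port; a common
    source of "why is this allow not working" confusion in long rule sets."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto in ("any", later.proto)
                    and earlier.src.version == later.src.version and later.src.subnet_of(earlier.src)
                    and earlier.dst.version == later.dst.version and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    for pkt in [("tcp", "192.0.2.5", "198.51.100.5", 22), ("tcp", "203.0.113.7", "198.51.100.8", 80)]:
        print(pkt, "->", evaluate(RULES, *pkt))
    print("ssh from 203.0.113.7 allowed by ACL:", acl_allows(SERVICE_ACLS, "ssh", "203.0.113.7"))
    print("shadowed rules:", shadowed_rules(RULES))
```

Running the block shows the blocked network being refused on port 80 even though rule 2 would allow anyone else, and the `shadowed_rules` check reports nothing for this set; inserting `rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0")` at position 0 would shadow every rule after it, which is the sort of ordering mistake the ACL and firewall layers are prone to.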
On a large network, there might be many different hosts and many different firewalls all running different operating systems (such is the Internet), and they all need to take action to block a certain malicious host or vulnerable port or application. The difficulty of negotiating the proper response sometimes gets bogged down in semantics and in the non-homogeneous security APIs all existing on one network. It is favorable to have all hosts and firewalls use the same APIs or protocols. This is possible on a business's network but not likely to happen on the Internet as a whole. Even on a network with all the same host systems and security APIs, problems can arise when preventing an on-going attack.
Network security is still an emerging and fast-evolving profession. Commercial vendors still fall short of their promises, and the only real way to secure a network is to have as many sets of human eyes on security log files as often as possible to ensure the most reliable security. Most of the process can be automated, but a human is still needed to look at the packet or intrusion attempt to determine if it's malicious or not.