Knowledge-based intrusion detection, also known as signature based, provides a proven and cost-effective line of protection. But much like the more familiar virus scanning systems, knowledge based ID can only detect and defeat known threats. When a new worm is created or when someone tweaks the code of an existing threat – events which occur with unfortunate regularity – knowledge-based systems are vulnerable until that variant is identified and cataloged.

To provide the proactive security needed in today’s dynamic IT environment, a new and more powerful form of intrusion detection has now emerged.

A behavioral approach

This new approach, called behavioral intrusion detection, uses sensors placed at strategic points throughout an organization’s network – such as at the firewall, on internal servers, databases and other locations – to monitor and analyze potential security threats.

The first generation of behavioral intrusion detection systems employed an initial ‘learning mode’ period, during which the data collected by these sensors is evaluated and stored, and used to create a profile of network behavior under typical operating conditions. Once a profile has been established, the system is switched to monitoring mode, and current network activity is compared to the profile to identify and investigate potential security threats.


Behavioral ID represents a notable advance in security protection, but those first-generation systems suffer from a timebased limitation not unlike those associated with library-based scans. Once the learning mode is switched off, these early generation behavioral systems can identify only those threats contained in the established and increasingly obsolete profile.

Nor can those set-profile systems adjust quickly enough to effectively monitor the changing behavior of robust enterprise networks – networks that change constantly as organizations launch new business initiatives, consumer demand fluctuates and security threats emerge and mutate.

Adaptive profiles

To meet the dynamic needs of today’s networks, a new generation of technology has now added a sophisticated adaptive capability to the science of behavioral intrusion detection.

These adaptive solutions collect data from host and network ID devices on an ongoing basis, and then constantly analyze and correlate that information to create a continually evolving – and thus always current – behavioral profile of the network. This predictive and adaptive approach essentially creates a custom security system for every organization, and provides optimum protection in an environment where both network traffic and security threats are constantly changing.