Computers have advanced to become part of our daily life, everywhere you go there is a computer network that’s been installed to perform a certain number of jobs; and the effectiveness of organisation’s business performance has become greatly dependent on the availability, reliability and security of these networks and the systems connected to it. This has resulted to the unfortunate fact that many systems connected to the internet is a target of a range of attacks especially organisations with hundreds of hosts, services and sensitive data. It is also equally true for small offices and isolated home users with no data to protect. This is because criminals would benefit greatly from the data they steal from big organisations; and in the case of small offices and home users, criminals would benefit from them by using them as a stepping stone so they can launch their attack without being caught.
From the beginning of 2003, the (SANS Internet Storm Centre ISC 2003) started to monitor the average survival time of un-patched machines and found that the time it takes to download patches is greater than the time to install the software. This means that before a system is fully patched attacks have already spread across the network at incredible speed. In many cases the speed of these attacks and the speed they spread across the network exceed the possibility of human intervention. Therefore the development of the components (hardware and software) that detects these attacks becomes extremely important.
As it has been mentioned by (Bruneau 2001); the rule-based method developed by Dorothy Dinning and Peter Neumann between 1984 and 1986 was used by the first IDS system. This work was influenced by a report published by James P Anderson in 1980 titled “How to use accounting audit files to detect unauthorised access”. This model was improved to create what is recognised today as the Next-Generation Intrusion Detection Expert System (Bruneau 2001, p.3).