
Supporting Intrusion Detection Work Practice




Journal of Information System Security
Volume 5, Number 2 (2009)
Pages 42-73
ISSN 1551-0123
John R. Goodall — Applied Visions, USA
Wayne G. Lutters — University of Maryland, USA
Anita Komlodi — University of Maryland, USA
Information Institute Publishing, Washington DC, USA




In an increasingly networked world, information security is a domain of growing importance, but one that is not well understood. An understanding of how this work is accomplished is crucial to designing tools and management policies that better support it. The work practice of intrusion detection analysts is a complex fusion of individual and collaborative resource monitoring and problem solving. This paper details the practice of intrusion detection work, specifically highlighting the tasks that make up the work, and concludes with a discussion of the implications of this understanding for the future design of tools and organizational policies to make intrusion detection work more efficient.




Work Practice, Intrusion Detection, Computer Network Defense, Task Analysis, Collaboration



