Welcome back to this course. The topic of this week will be intrusion detection. Let's first have a look at what intrusion detection means. Let's assume we have communication flowing between endpoints in a network. These communication flows will carry either benign traffic or malicious traffic, that is, traffic that aims at compromising the correct functioning of network and services. The process of identifying malicious activities targeted at computing and network resources is referred to as intrusion detection. The underlying assumption when doing intrusion detection is that attack traffic will look different, to a certain extent, from normal traffic, and therefore a system will be able to separate the two based on a set of characteristics. At a high level, an intrusion detection system, or IDS, therefore has the tasks of inspecting traffic and taking actions when malicious traffic is identified.

This week we will explore the following topics. After this introduction, we will see and learn about the basic concepts and the most important types of IDSes. Then we will investigate how it is typically evaluated whether an IDS performs well or not, and how IDSes can be tuned to work in a specific environment. We will then look into an existing IDS, SSHCure, a flow-based network intrusion detection system against SSH attacks. And finally, we will summarize.