To read the full version of this content please select one of the options below:

Intrusion detection and the role of the system administrator

Teodor Sommestad (Swedish Defence Research Agency (FOI), Linköping, Sweden)
Amund Hunstad (Swedish Defence Research Agency (FOI), Linköping, Sweden)

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 15 March 2013




The expertise of a system administrator is believed to be important for effective use of intrusion detection systems (IDS). This paper examines two hypotheses concerning the system administrators' ability to filter alarms produced by an IDS by comparing the performance of an IDS to the performance of a system administrator using the IDS.


An experiment was constructed where five computer networks are attacked during four days. The experiment assessed difference made between the output of a system administrator using an IDS and the output of the IDS alone. The administrator's analysis process was also investigated through interviews.


The experiment shows that the system administrator analysing the output from the IDS significantly improves the portion of alarms corresponding to attacks, without decreasing the probability that an attack is detected significantly. In addition, an analysis is made of the types of expertise that is used when output from the IDS is processed by the administrator.


Previous work, based on interviews with system administrators, has suggested that competent system administrators are important in order to achieve effective IDS solutions. This paper presents a quantitative test of the value system administrators add to the intrusion detection solution.



Sommestad, T. and Hunstad, A. (2013), "Intrusion detection and the role of the system administrator", Information Management & Computer Security, Vol. 21 No. 1, pp. 30-40.



Emerald Group Publishing Limited

Copyright © 2013, Emerald Group Publishing Limited