Intrusion detection and the role of the system administrator

Teodor Sommestad (Swedish Defence Research Agency (FOI), Linköping, Sweden)
Amund Hunstad (Swedish Defence Research Agency (FOI), Linköping, Sweden)

Information Management & Computer Security

ISSN: 0968-5227

Publication date: 15 March 2013



The expertise of a system administrator is believed to be important for effective use of intrusion detection systems (IDS). This paper examines two hypotheses concerning the system administrators' ability to filter alarms produced by an IDS by comparing the performance of an IDS to the performance of a system administrator using the IDS.


An experiment was constructed where five computer networks are attacked during four days. The experiment assessed difference made between the output of a system administrator using an IDS and the output of the IDS alone. The administrator's analysis process was also investigated through interviews.


The experiment shows that the system administrator analysing the output from the IDS significantly improves the portion of alarms corresponding to attacks, without decreasing the probability that an attack is detected significantly. In addition, an analysis is made of the types of expertise that is used when output from the IDS is processed by the administrator.


Previous work, based on interviews with system administrators, has suggested that competent system administrators are important in order to achieve effective IDS solutions. This paper presents a quantitative test of the value system administrators add to the intrusion detection solution.



Sommestad, T. and Hunstad, A. (2013), "Intrusion detection and the role of the system administrator", Information Management & Computer Security, Vol. 21 No. 1, pp. 30-40.

Download as .RIS



Emerald Group Publishing Limited

Copyright © 2013, Emerald Group Publishing Limited

Please note you might not have access to this content

You may be able to access this content by login via Shibboleth, Open Athens or with your Emerald account.
If you would like to contact us about accessing this content, click the button and fill out the form.
To rent this content from Deepdyve, please click the button.