The Internet Security Glossary (RFC 2828) defines an “Intrusion” as [8551]: “A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.” Intruders and attackers have employed sophisticated means of exploiting vulnerable systems to:
• Access an unauthorized system remotely over the network or the Internet.
• Gain unauthorized additional user privileges on a system.
• Misuse privileges they have been granted for malicious gain.

IDS enable organizations and enterprises to protect their systems from the onslaught of attackers and malicious code [9548]. On detecting an attack or intrusive behaviour, an IDS can be configured to respond either by logging details of the attack and the attacker or by actively taking automated actions to mitigate the further spread of the attack [5280]. Careful consideration is needed when configuring an IDS: a badly configured or misconfigured IDS yields either too many alarms, i.e. false positives (FP), or undetected attacks, i.e. false negatives (FN). A rule written too broadly alerts on legitimate traffic and raises the FP count, while a rule written too narrowly misses variants of the attack and raises the FN count. Intrusion detection is not a plug-and-play solution; Judy Novak highlights this as “Intrusion detection is not a specific tool but a capability, a blending of tools and techniques” [676]. It requires expert-level knowledge, skill and experience to install, configure and maintain such systems in a home or enterprise environment.

Figure 2.1 shows the taxonomy of IDS and its detection techniques. An Intrusion Detection System (IDS) monitors a network or systems for malicious activities and reports them to an administration station [95]. IDS come in a mixed bag of flavours and methodologies, with the common objective of detecting suspicious traffic in different ways. Intrusion detection systems aim at detecting attacks against computer systems and networks; their task is to monitor system usage in order to detect the appearance of insecure states.
They detect attacks and misuse of information by either legitimate users of the system or external parties exploiting security vulnerabilities, as mentioned by Teresa et al. (1988) [95]. At a very macroscopic level, an IDS can be described as a detector that processes information coming from the system to be protected. This detector can launch probes to trigger the audit process, such as requesting version numbers for applications [787]. In this research we will implement IOCRule into an IDS for detection purposes. IOCRule is generated by analysing a malicious dataset in the Cuckoo sandbox and extracting IOCs (features). IOCs are identifiers of intrusion behaviour in a system or network which state, with a high degree of confidence, the type of attack or intrusion.

With the increasing number of systems in a network environment, it has become necessary to consider IDS not only for single hosts but for whole networks. Besides Host Intrusion Detection Systems (HIDS) and Network Intrusion Detection Systems (NIDS), there are many derivatives such as the centralized host-based intrusion detection system (CHIDS) and hybrid intrusion detection systems. For the purpose of this research we will look into network-based IDS, as open-source implementations are readily accessible, unlike a host-based IDS, which would require physical host systems to be purchased for it to monitor. Figure 2.1 shows the types of IDS. An IDS can be placed in the network either before or after the core switch or firewall. In a network implementation utilizing IDS, the network engineer may place the IDS directly behind the border router, as that is the point of entry from external networks and therefore the point at which every network is attacked.
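The two points made above, turning sandbox-derived IOCs into IDS rules and the FP/FN trade-off that a badly tuned rule set produces, can be made concrete with a small worked example. The Python below is added here for illustration and is not the thesis's IOCRule implementation nor any Cuckoo code; the sandbox report (whose structure is only loosely modelled on a Cuckoo JSON report), the IOC values, the flow events and their ground-truth labels are all constructed. It extracts hash, domain and IP indicators into rules, runs them over labelled events, and then adds one deliberately broad port rule to show how the FN count falls while the FP count rises.

```python
"""Toy IOC-rule matcher with a false-positive / false-negative tally.

Added example, not code from the thesis. Every value below (hashes, hosts,
IPs, events, labels) is constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class IOCRule:
    """One indicator turned into a match rule against an event record."""

    name: str
    field: str           # key of the event record to inspect
    value: str           # indicator value, compared as a string
    kind: str = "exact"  # "exact", or "suffix" for domain names

    def matches(self, event: dict) -> bool:
        observed = str(event.get(self.field, ""))
        if self.kind == "exact":
            return observed == self.value
        if self.kind == "suffix":
            # "evil-example.test" also matches "beacon.evil-example.test"
            # but not "notevil-example.test" (the dot is required).
            return observed == self.value or observed.endswith("." + self.value)
        raise ValueError(f"unknown match kind {self.kind!r}")


# Constructed sandbox report, loosely modelled on a Cuckoo JSON report.
# This is NOT the real Cuckoo schema; only the fields used here exist.
SANDBOX_REPORT = {
    "target": {"file": {"sha256": "3b5f" + "0" * 60}},
    "network": {
        "hosts": ["198.51.100.23"],
        "domains": [{"domain": "evil-example.test", "ip": "198.51.100.23"}],
    },
}

# Constructed sensor events paired with ground-truth labels that only the
# evaluator knows; the detector sees just the event dictionaries.
LABELLED_EVENTS = [
    ({"src": "10.0.0.5", "dst": "198.51.100.23", "dport": 443,
      "host": "c2.evil-example.test", "file_sha256": ""}, "malicious"),
    ({"src": "10.0.0.6", "dst": "192.0.2.44", "dport": 8080,
      "host": "beacon.evil-example.test", "file_sha256": ""}, "malicious"),
    # Same family, but moved to infrastructure the sandbox run never saw.
    ({"src": "10.0.0.7", "dst": "192.0.2.99", "dport": 8080,
      "host": "cdn.other-example.test", "file_sha256": ""}, "malicious"),
    ({"src": "10.0.0.8", "dst": "203.0.113.10", "dport": 443,
      "host": "updates.vendor.test", "file_sha256": ""}, "benign"),
    ({"src": "10.0.0.9", "dst": "203.0.113.11", "dport": 8080,
      "host": "intranet.corp.test", "file_sha256": ""}, "benign"),
    ({"src": "10.0.0.10", "dst": "203.0.113.12", "dport": 8080,
      "host": "wiki.corp.test", "file_sha256": ""}, "benign"),
    # Download of the analysed sample itself.
    ({"src": "10.0.0.11", "dst": "203.0.113.13", "dport": 443,
      "host": "files.share.test", "file_sha256": "3b5f" + "0" * 60}, "malicious"),
]


def rules_from_report(report: dict) -> list[IOCRule]:
    """Turn the IOCs in a sandbox report into rules (hash, domain, IP)."""
    rules: list[IOCRule] = []
    sample = report.get("target", {}).get("file", {})
    if sample.get("sha256"):
        rules.append(IOCRule("sample-hash", "file_sha256", sample["sha256"]))
    net = report.get("network", {})
    for entry in net.get("domains", []):
        # Suffix match so new sub-domains of a known C2 zone still alert.
        rules.append(IOCRule(f"c2-domain:{entry['domain']}", "host",
                             entry["domain"], "suffix"))
    for ip in net.get("hosts", []):
        rules.append(IOCRule(f"c2-ip:{ip}", "dst", ip))
    return rules


# A deliberately broad "misconfiguration": alert on every flow to port 8080.
BROAD_PORT_RULE = IOCRule("any-port-8080", "dport", "8080")


def evaluate(rules: list[IOCRule], labelled_events) -> tuple[int, int, int, int]:
    """Return (TP, FP, FN, TN) counts for a rule set over labelled events."""
    tp = fp = fn = tn = 0
    for event, label in labelled_events:
        alerted = any(rule.matches(event) for rule in rules)
        malicious = label == "malicious"
        if alerted and malicious:
            tp += 1
        elif alerted:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


if __name__ == "__main__":
    ioc_rules = rules_from_report(SANDBOX_REPORT)
    print("IOC rules only   (TP, FP, FN, TN):", evaluate(ioc_rules, LABELLED_EVENTS))
    print("IOC + broad rule (TP, FP, FN, TN):",
          evaluate(ioc_rules + [BROAD_PORT_RULE], LABELLED_EVENTS))
```

With the three IOC rules alone the result is (3, 0, 1, 3): no false alarm, but the attacker's new infrastructure goes undetected. Adding the broad port rule gives (4, 2, 0, 1): the missed attack is now caught, at the price of alerting on two benign intranet flows. Choosing between the two is exactly the FP/FN tuning decision the text refers to, and the choice cannot be made without labelled traffic from the environment being protected.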
An IDS can be realized in hardware, in software, or as a blend of both. The main function of an IDS is to monitor for and detect unauthorized users attempting to get into a private system connected to the Internet, particularly an intranet, and to present a log of the attack to the administrator for further action [95].