Improvements in intrusion detection are disclosed by providing integrated
intrusion detection services. Preferably, these services are integrated
into a system or server that is the potential target of attack.
Stack-based security processing is leveraged for access to cleartext data
within the layers of the protocol stack. Layer-specific attacks may
therefore be processed efficiently. Evaluation of incoming traffic for an
intrusion is preferably performed only after an error condition of some
type has been detected. This approach reduces the overhead of intrusion
detection by reducing the number of packets to be inspected, and at the
same time allows more efficient packet inspection through use of
context-specific information that may be used to direct the inspection to
particular candidate attacks. Generic attack class capability is also
disclosed. Intrusion detection policy information may be used to direct
the actions to be taken upon detecting an attack.
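The flow described above, as an added sketch that is not part of the original text or of any implementation it describes: a toy stack calls the intrusion-detection hook only when a layer detects an error condition, uses the layer and error context to select candidate attacks, falls back to a generic attack class, and takes the resulting action from a policy table. All layer names, error codes, signature names, thresholds and actions are constructed assumptions.

```python
from dataclasses import dataclass

# Layer names, error codes, signature names and actions are all constructed
# for this sketch; none of them come from the original text.
@dataclass
class Packet:
    src: str
    frag_off: int = 0                  # fragment start, in bytes
    frag_len: int = 0                  # fragment length, in bytes (0 = unfragmented)
    tcp_flags: frozenset = frozenset()

# Candidate attacks per (layer, error condition). The error context selects
# a short list of checks instead of a scan over every known signature.
CANDIDATES = {
    ("ip", "frag_overlap"): [("header-rewrite-overlap", lambda p: 0 < p.frag_off < 20)],
    ("tcp", "bad_flags"): [("syn-fin-probe", lambda p: {"SYN", "FIN"} <= p.tcp_flags)],
}
GENERIC_CLASS = {"ip": "malformed-ip", "tcp": "malformed-tcp"}  # fallback per layer
POLICY = {"header-rewrite-overlap": "drop+alert", "syn-fin-probe": "drop+log",
          "malformed-ip": "log", "malformed-tcp": "log"}

class Stack:
    def __init__(self):
        self.seen = {}       # src -> list of (start, end) fragment ranges received
        self.inspected = 0   # number of packets that reached the IDS hook

    def ids_hook(self, layer, error, pkt):
        """Called by a layer only after it has detected an error condition."""
        self.inspected += 1
        for name, check in CANDIDATES.get((layer, error), []):
            if check(pkt):
                return name, POLICY[name]
        generic = GENERIC_CLASS[layer]   # no specific match: generic attack class
        return generic, POLICY[generic]

    def receive(self, pkt):
        # IP layer: reassembly bookkeeping; an overlap is an error condition.
        if pkt.frag_len:
            start, end = pkt.frag_off, pkt.frag_off + pkt.frag_len
            ranges = self.seen.setdefault(pkt.src, [])
            if any(start < e and s < end for s, e in ranges):
                return self.ids_hook("ip", "frag_overlap", pkt)
            ranges.append((start, end))
        # TCP layer: SYN together with FIN or RST is an invalid combination.
        if "SYN" in pkt.tcp_flags and pkt.tcp_flags & {"FIN", "RST"}:
            return self.ids_hook("tcp", "bad_flags", pkt)
        return None, "deliver"           # clean traffic is never inspected
```

The `inspected` counter shows the overhead saving: packets that pass every layer without an error never reach the hook.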