Intrusion preludes may be detected (including detection using fabricated
responses to blocked network requests), and particular sources of network
communications may be singled out for greater scrutiny, by performing
intrusion analysis on packets blocked by a firewall. An integrated
intrusion detection system uses an end-node firewall that is dynamically
controlled using invoked-application information and a network policy.
The system may use various alert levels to trigger heightened monitoring
states, alerts sent to a security operation center, and/or logging of
network activity for later forensic analysis. The system may monitor
network traffic to block traffic that violates the network policy,
monitor blocked traffic to detect an intrusion prelude, and monitor
traffic from a potential intruder when an intrusion prelude is detected.
The system also may track behavior of applications using the network
policy to identify abnormal application behavior, and monitor traffic
from an abnormally behaving application to identify an intrusion.
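The detection flow described above (policy-driven blocking, analysis of the blocked packets rather than silently dropping them, fabricated responses to blocked requests, per-source and per-application escalation, and forensic logging once a source or application is singled out) can be sketched as a small end-node engine. The following is an added illustration, not code from the patent or from any product implementing it: the policy table, the alert levels, the thresholds (three distinct blocked ports for a prelude, two policy violations for an abnormal application) and every packet are constructed, and the addresses come from the RFC 5737 documentation range.

```python
# Added example, not from the patent text: a toy end-node firewall with
# intrusion-prelude detection, written to illustrate the architecture above.
# Policy contents, thresholds, alert levels and all packets are constructed.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

ALERT_NORMAL, ALERT_WATCH, ALERT_SOC = 0, 1, 2      # hypothetical alert levels

# Network policy: which local application may use which destination ports (constructed).
NETWORK_POLICY = {"sshd": {22}, "httpd": {80, 443}}

PRELUDE_PORT_THRESHOLD = 3   # distinct blocked ports from one source => prelude (assumed)
ABNORMAL_APP_THRESHOLD = 2   # policy violations by one application => abnormal (assumed)


@dataclass
class Packet:
    src: str                # remote peer for inbound traffic, local app for outbound
    dport: int
    direction: str          # "in" or "out"
    app: Optional[str]      # application the end node attributes the flow to (None: no listener)


@dataclass
class IntrusionDetector:
    blocked_ports: dict = field(default_factory=lambda: defaultdict(set))
    fabricated: dict = field(default_factory=lambda: defaultdict(set))
    app_violations: dict = field(default_factory=lambda: defaultdict(int))
    alert_level: dict = field(default_factory=lambda: defaultdict(int))
    watched_sources: set = field(default_factory=set)
    watched_apps: set = field(default_factory=set)
    soc_alerts: list = field(default_factory=list)
    forensic_log: list = field(default_factory=list)

    def _policy_allows(self, pkt: Packet) -> bool:
        """Firewall rule: a flow is allowed only when it belongs to a known
        application and that application is permitted to use the port."""
        return pkt.app is not None and pkt.dport in NETWORK_POLICY.get(pkt.app, set())

    def _escalate(self, key: str, level: int, reason: str) -> None:
        """Raise the alert level of a source/application; SOC level also emits an alert."""
        if level > self.alert_level[key]:
            self.alert_level[key] = level
        if level >= ALERT_SOC:
            self.soc_alerts.append((key, reason))

    def process(self, pkt: Packet) -> str:
        """Return 'allow', 'block' or 'fabricate' and update monitoring state."""
        # Heightened monitoring: log all traffic of a watched source or application.
        if pkt.src in self.watched_sources or pkt.app in self.watched_apps:
            self.forensic_log.append(pkt)
        if pkt.direction == "in":
            return self._process_inbound(pkt)
        return self._process_outbound(pkt)

    def _process_inbound(self, pkt: Packet) -> str:
        # A packet arriving at a port where we earlier sent a fabricated response
        # is a follow-up by the prober, which a benign peer would never send.
        if pkt.dport in self.fabricated[pkt.src]:
            self.watched_sources.add(pkt.src)
            self._escalate(pkt.src, ALERT_SOC, f"follow-up to fabricated response on port {pkt.dport}")
            return "block"
        if self._policy_allows(pkt):
            return "allow"
        # Blocked: analyse the blocked packet instead of silently dropping it.
        self.blocked_ports[pkt.src].add(pkt.dport)
        if len(self.blocked_ports[pkt.src]) >= PRELUDE_PORT_THRESHOLD:
            self.watched_sources.add(pkt.src)   # single out this source for scrutiny
            self._escalate(pkt.src, ALERT_WATCH, "intrusion prelude: probing of multiple closed ports")
        # Answer the blocked request with a fabricated response so that a later
        # follow-up from the same source becomes detectable.
        self.fabricated[pkt.src].add(pkt.dport)
        return "fabricate"

    def _process_outbound(self, pkt: Packet) -> str:
        if self._policy_allows(pkt):
            return "allow"
        self.app_violations[pkt.app] += 1
        if self.app_violations[pkt.app] >= ABNORMAL_APP_THRESHOLD:
            self.watched_apps.add(pkt.app)   # monitor this application for an intrusion
            self._escalate(pkt.app, ALERT_SOC, "abnormal application behaviour: repeated policy violations")
        return "block"


def run_scenario():
    """Constructed packet sequence: a port probe with follow-up, then a web server
    that starts connecting to ports its policy does not allow."""
    det = IntrusionDetector()
    scanner = "203.0.113.9"   # constructed address (RFC 5737 documentation range)
    packets = [
        Packet("198.51.100.7", 22, "in", "sshd"),   # legitimate ssh connection
        Packet(scanner, 23, "in", None),            # probe of a closed port
        Packet(scanner, 3389, "in", None),
        Packet(scanner, 445, "in", None),           # third distinct port -> prelude
        Packet(scanner, 23, "in", None),            # follows up the fabricated reply
        Packet("httpd", 443, "out", "httpd"),       # normal web server traffic
        Packet("httpd", 6667, "out", "httpd"),      # outbound to an unexpected port
        Packet("httpd", 4444, "out", "httpd"),      # second violation -> abnormal app
    ]
    actions = [det.process(p) for p in packets]
    return det, actions


if __name__ == "__main__":
    detector, acts = run_scenario()
    print(acts, detector.soc_alerts, sep="\n")
```

The design point worth noting is the ordering in `_process_inbound`: the follow-up check runs before the policy check, so a prober that returns to a port it was told was open is escalated straight to the SOC level, while a peer that merely hits a few closed ports only raises the source to the watch level and has its subsequent traffic logged for later forensic analysis.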