Intrusion Detection: Concepts, Challenges, and Best Practices

Effective intrusion detection for large enterprises hinges on combining signature‑based pattern matching with baseline anomaly modeling, gathering comprehensive host and network logs, focusing on the GetShell foothold, managing alert fatigue, and integrating AI‑enhanced feature engineering while maintaining robust operational foundations and continuous expertise development.

Meituan Technology Team

Large internet companies constantly face the challenge of detecting intrusions. High‑value enterprises are attractive targets, and successful breaches can cause severe damage.

We define intrusion as any unauthorized control or use of resources (reading/writing data, executing commands, etc.). Typical scenarios include remote control of laptops, servers, or network devices, data exfiltration, mining, DDoS, and manipulation of critical infrastructure.

Enterprise intrusion detection usually focuses on unauthorized access to PCs, servers, and networks (both office and production). The most common foothold is a GetShell action, obtained via web uploads, RCE vulnerabilities, or planted backdoors.

While “insider” threats also involve unauthorized data handling, they are managed through internal risk controls (segregation of duties, dual‑approval, DLP) rather than intrusion‑detection mechanisms.

The core of intrusion detection is distinguishing malicious behavior from legitimate activity – essentially a binary classification problem (intrusion vs. non‑intrusion). Labeled intrusion samples are scarce, making supervised learning difficult; therefore, security engineers often rely on precise feature engineering or synthetic data generation.

Two main detection approaches are:

Pattern matching based on known malicious signatures (e.g., WebShell keywords).

Baseline modeling of normal business behavior and flagging anomalies.
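The two approaches are complementary, and the easiest way to see why is to run both over the same access log. The following is an added example, not code from the original article or from Meituan: it applies a small, constructed WebShell signature set (the regexes are assumptions, not a real ruleset) and a (method, path) baseline learned from a clean period to a handful of constructed log lines. The second flagged request carries no known keyword and is caught only by the baseline; the first is caught by both.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample access-log lines (not from the original article).
# Format: client_ip method url status
BASELINE_LOG = """\
10.0.0.5 GET /index.php 200
10.0.0.5 GET /static/app.js 200
10.0.0.6 GET /index.php 200
10.0.0.6 POST /login.php 302
10.0.0.7 GET /products.php?id=7 200
10.0.0.7 GET /static/app.js 200
"""

LIVE_LOG = """\
10.0.0.5 GET /index.php 200
10.0.0.9 POST /uploads/img.php?cmd=id 200
10.0.0.9 GET /uploads/x.php 200
10.0.0.6 GET /products.php?id=3 200
"""

# Hypothetical signature set: strings that commonly appear in WebShell
# traffic. A production ruleset would be curated and versioned separately.
WEBSHELL_SIGNATURES = {
    "php_eval": re.compile(r"(?i)\beval\s*\("),
    "base64_decode": re.compile(r"(?i)base64_decode"),
    "cmd_param": re.compile(r"(?i)[?&]cmd="),
    "exec_func": re.compile(r"(?i)\b(shell_exec|passthru|system)\s*\("),
}

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one access-log line into a dict. Malformed lines raise instead
    of being skipped silently: a parser failure is itself worth an alert."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["path"] = rec["url"].split("?", 1)[0]  # drop the query string
    return rec


def signature_hits(rec: Dict[str, str]) -> List[str]:
    """Approach 1: pattern matching against known malicious signatures."""
    return [name for name, rx in WEBSHELL_SIGNATURES.items() if rx.search(rec["url"])]


def build_baseline(log_text: str) -> Set[Tuple[str, str]]:
    """Approach 2, learning phase: the (method, path) pairs the business
    normally serves, taken from a known-clean period."""
    return {(r["method"], r["path"]) for r in map(parse_line, log_text.splitlines())}


def detect(baseline: Set[Tuple[str, str]], log_text: str) -> List[Dict]:
    """Run both approaches over live lines; a line is reported if either
    a signature matches or the endpoint was never seen in the baseline."""
    findings = []
    for rec in map(parse_line, log_text.splitlines()):
        sigs = signature_hits(rec)
        novel = (rec["method"], rec["path"]) not in baseline
        if sigs or novel:
            findings.append({"ip": rec["ip"], "url": rec["url"],
                             "signatures": sigs, "novel_endpoint": novel})
    return findings


if __name__ == "__main__":
    for finding in detect(build_baseline(BASELINE_LOG), LIVE_LOG):
        print(finding)
```

The baseline here is deliberately simple (an exact set of endpoints); in practice the clean period must be long enough to cover scheduled jobs and rare but legitimate paths, otherwise every deployment produces a flood of "novel endpoint" alerts.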

Effective detection requires enumerating attack vectors and collecting the appropriate logs (HIDS, NIDS, WAF, RASP, application and system logs, etc.). Different services (SSH, RDP, MySQL, Redis, FTP, etc.) must be hardened or restricted to reduce the attack surface.

Web‑based intrusions remain the primary entry point; common tactics include uploading WebShells, exploiting file inclusion, and abusing code execution features. Monitoring WAF logs, access logs, and system calls is essential.

Zero‑day attacks share common post‑compromise behaviors (shell usage, lateral movement), so focusing on the GetShell stage can yield detection value even when the initial exploit is unknown.
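A concrete form of "focusing on the GetShell stage" is a host rule that does not care which exploit was used: flag any shell whose process ancestry leads back to a web-serving worker. The example below is added here and is not Meituan's agent code; the process names, the allowlisted health-check invocation and the exec events are all constructed assumptions in the shape a HIDS agent would collect from execve auditing.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical process names; a real agent would key on executable path and
# a maintained inventory of each host's web-serving processes.
WEB_SERVER_COMMS = {"nginx", "httpd", "apache2", "php-fpm", "java", "tomcat", "node"}
SHELL_COMMS = {"sh", "bash", "dash", "zsh"}
# Known-good shell invocations that web workers legitimately run (constructed).
BENIGN_ARGV = {"sh -c /opt/app/healthcheck.sh"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    comm: str
    argv: str
    user: str


# Constructed process-exec events (not taken from the original article).
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "systemd", "/sbin/init", "root"),
    ProcEvent(100, 1, "nginx", "nginx: master process", "root"),
    ProcEvent(101, 100, "php-fpm", "php-fpm: pool www", "www-data"),
    ProcEvent(200, 101, "sh", "sh -c id", "www-data"),
    ProcEvent(300, 1, "sshd", "sshd: ops [priv]", "root"),
    ProcEvent(301, 300, "bash", "-bash", "ops"),
    ProcEvent(400, 1, "java", "java -jar /opt/app/app.jar", "app"),
    ProcEvent(401, 400, "sh", "sh -c /opt/app/healthcheck.sh", "app"),
    ProcEvent(402, 400, "bash", "bash -c 'id; uname -a'", "app"),
]


def build_tree(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(tree: Dict[int, ProcEvent], pid: int, max_depth: int = 32) -> List[ProcEvent]:
    """Walk parent links from pid upward. max_depth guards against
    incomplete or cyclic pid data from a noisy agent."""
    chain: List[ProcEvent] = []
    cur = tree.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = tree.get(cur.ppid)
    return chain


def web_ancestor(tree: Dict[int, ProcEvent], event: ProcEvent) -> Optional[ProcEvent]:
    """Return the nearest web-serving ancestor of event, if any."""
    for anc in ancestry(tree, event.ppid):
        if anc.comm in WEB_SERVER_COMMS:
            return anc
    return None


def detect_web_spawned_shells(events: List[ProcEvent]) -> List[Dict]:
    """Flag shells with a web-serving process in their ancestry, skipping
    allowlisted invocations. The rule is independent of the initial exploit,
    so it still fires when the vulnerability used to get the shell is unknown."""
    tree = build_tree(events)
    findings = []
    for e in events:
        if e.comm not in SHELL_COMMS or e.argv in BENIGN_ARGV:
            continue
        anc = web_ancestor(tree, e)
        if anc is not None:
            findings.append({"pid": e.pid, "user": e.user, "argv": e.argv,
                             "web_ancestor": anc.comm, "web_ancestor_pid": anc.pid})
    return findings


if __name__ == "__main__":
    for finding in detect_web_spawned_shells(SAMPLE_EVENTS):
        print(finding)
```

The interactive `bash` under `sshd` is not reported, and the allowlisted health check under the Java worker is skipped; the two remaining shells are reported with the worker that spawned them, which is the context an analyst needs first. The allowlist keys on the exact command line because a looser match (for example, any script under /opt/app) would let an attacker-controlled file in that directory slip through.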

Detection products fall into several categories:

Host agents (HIDS) – e.g., OSSEC, Qingting Cloud, Anquanke.

Network sensors (NIDS/NIPS) – e.g., Snort, commercial solutions.

Log aggregation and SIEM platforms – e.g., Splunk, LogRhythm.

Sandbox/APT analysis – e.g., FireEye, Palo Alto, Symantec.

Endpoint detection and response (EDR) – e.g., Bit9, SEP, Kaspersky.

Evaluation metrics include proactive detection rate, blue‑team detection rate, and coverage of known scenarios. Alert fatigue must be managed by de‑duplicating repeated alerts, providing clear risk descriptions, and ensuring actionable guidance.
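The de-duplication and "clear risk description, actionable guidance" points can be made concrete with a small aggregation step that sits between the detectors and the ticket queue. The following is an added example and not Meituan's pipeline: repeats of the same (rule, host) within a time window collapse into one ticket carrying a count, a few sample details, and a description and next action looked up from a rule catalogue. The rule ids, catalogue text, window size and alert stream are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RawAlert:
    ts: datetime
    rule: str
    host: str
    detail: str


@dataclass
class Ticket:
    rule: str
    host: str
    severity: str
    first_seen: datetime
    last_seen: datetime
    count: int
    description: str
    action: str
    samples: List[str] = field(default_factory=list)


# Hypothetical rule catalogue: rule id -> (severity, what it means, what to do).
RULE_CATALOGUE = {
    "web_spawned_shell": (
        "high",
        "A shell was started under a web-server worker; this is typical WebShell activity.",
        "Isolate the host, preserve the process tree and upload directory, review recent uploads.",
    ),
    "novel_endpoint": (
        "low",
        "A request reached a (method, path) never seen during the baseline period.",
        "Confirm with the application owner whether this is a new deployment.",
    ),
}


def _t(hhmm: str) -> datetime:
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed raw alerts from one shift (not from the original article).
SAMPLE_ALERTS = [
    RawAlert(_t("10:00"), "novel_endpoint", "web-01", "POST /uploads/a.php"),
    RawAlert(_t("10:01"), "novel_endpoint", "web-01", "POST /uploads/b.php"),
    RawAlert(_t("10:02"), "novel_endpoint", "web-02", "GET /v2/health"),
    RawAlert(_t("10:02"), "novel_endpoint", "web-01", "POST /uploads/c.php"),
    RawAlert(_t("10:03"), "novel_endpoint", "web-01", "POST /uploads/d.php"),
    RawAlert(_t("10:05"), "web_spawned_shell", "web-01", "php-fpm -> sh -c id"),
    RawAlert(_t("10:30"), "novel_endpoint", "web-01", "GET /v2/health"),
]


def deduplicate(alerts: List[RawAlert], window: timedelta = timedelta(minutes=10),
                max_samples: int = 3) -> List[Ticket]:
    """Collapse repeats of the same (rule, host) that arrive within `window`
    of the previous one into a single ticket. A repeat after the window
    lapses opens a new ticket, so a recurrence is not hidden inside an old one."""
    open_tickets: Dict[Tuple[str, str], Ticket] = {}
    closed: List[Ticket] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.rule, a.host)
        t = open_tickets.get(key)
        if t is not None and a.ts - t.last_seen <= window:
            t.count += 1
            t.last_seen = a.ts
            if len(t.samples) < max_samples:
                t.samples.append(a.detail)
            continue
        if t is not None:
            closed.append(t)  # window lapsed: archive and start fresh
        sev, desc, action = RULE_CATALOGUE.get(
            a.rule, ("unknown", "No catalogue entry for this rule.",
                     "Triage manually and add a catalogue entry."))
        open_tickets[key] = Ticket(a.rule, a.host, sev, a.ts, a.ts, 1, desc, action, [a.detail])
    closed.extend(open_tickets.values())
    return sorted(closed, key=lambda t: (t.first_seen, t.host))


if __name__ == "__main__":
    for ticket in deduplicate(SAMPLE_ALERTS):
        print(f"[{ticket.severity}] {ticket.rule} on {ticket.host} x{ticket.count}: {ticket.action}")
```

Seven raw alerts become four tickets, and the one that matters (the web-spawned shell) is no longer buried under four copies of a low-severity endpoint alert. The "unknown" fallback is deliberate: a rule that reaches the queue without a catalogue entry is itself an operational defect to fix, not something to quietly drop.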

Key success factors are data completeness, sensor reliability, accurate baseline data, and efficient ticketing/operation support. Without solid operational foundations, even the best models cannot reliably detect intrusions.

Advanced Persistent Threats (APTs) are hard to detect because they use stealthy, often zero‑day techniques. Current practice combines sandbox analysis, traffic anomaly detection, and UEBA to surface suspicious behavior.

AI has accelerated model development for tasks like WebShell detection, but the scarcity of high‑quality malicious samples limits performance. AI should complement, not replace, traditional feature engineering and expert knowledge.

Meituan Security’s team possesses extensive experience in penetration testing, web protection, binary and kernel security, distributed systems, and big‑data analytics. They are building a zero‑trust, multi‑cloud security architecture covering network, virtualization, OS, runtime, and application layers.

Recruitment: Meituan Security is hiring for web/binary offense‑defense, backend/system development, and machine‑learning/algorithm roles. Interested candidates should email [email protected].

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: AI, incident response, Security Operations, cybersecurity, intrusion detection

Written by Meituan Technology Team

Over 10,000 engineers powering China’s leading lifestyle services e‑commerce platform. Supporting hundreds of millions of consumers, millions of merchants across 2,000+ industries. This is the public channel for the tech teams behind Meituan, Dianping, Meituan Waimai, Meituan Select, and related services.
