Abstract: Concepts and technologies disclosed herein are for monitoring operational activities in networks and detecting potential network intrusions and misuses. According to one aspect disclosed herein, an intrusion detection system can collect logs from an authentication, authorization, and accounting system. The intrusion detection system can extract information from the logs, update intrusion detection information utilized by an intrusion detection rule based upon the information extracted from the logs, update a profile utilized by the intrusion detection rule, compare the profile and the intrusion detection rule against a running state of an on-going session, tag corresponding log entries with a threat score, calculate the threat scores from the corresponding log entries to create an aggregated threat score, and present the aggregated threat score. The intrusion detection system can also present an alarm if the aggregated threat score triggers an alarm condition.

Abstract: Concepts and technologies disclosed herein are for monitoring operational activities in networks and detecting potential network intrusions and misuses. According to one aspect disclosed herein, an intrusion detection system can collect logs from an authentication, authorization, and accounting system. The intrusion detection system can extract information from the logs, update intrusion detection information utilized by an intrusion detection rule based upon the information extracted from the logs, update a profile utilized by the intrusion detection rule, compare the profile and the intrusion detection rule against a running state of an on-going session, tag corresponding log entries with a threat score, calculate the threat scores from the corresponding log entries to create an aggregated threat score, and present the aggregated threat score. The intrusion detection system can also present an alarm if the aggregated threat score triggers an alarm condition.