Development history of intrusion detection technology
In 1980, James P. Anderson wrote a technical report entitled "Computer Security Threat Monitoring and Surveillance" for a confidential customer, pointing out that audit records can be used to identify computer abuse. He classified threats and set out the concept of intrusion detection for the first time. From 1984 to 1986, Dorothy Denning of Georgetown University and Peter Neumann of the Computer Science Laboratory of SRI Company developed a real-time intrusion detection system model, IDES (Intrusion Detection Expert System), which was the first system to use both statistical and rule-based techniques in applications and the most influential system in intrusion detection research. In 1989, Todd Heberlein of the University of California, Davis wrote the paper "A Network Security Monitor". This monitor captured TCP/IP packets and, for the first time, used network traffic directly as the source of audit data, so it could monitor heterogeneous hosts without converting audit data into a unified format. With it, network intrusion detection was born.