The attacker has many advantages on the Internet: they may be hard to trace, and they may have a great deal of time and equipment to spend mapping out a network's weak points before launching an attack. Worms and viruses may be able to exploit weaknesses so rapidly that no human can carry out a proper incident response in time. However, the defender has two big advantages. Firstly, the administrator can achieve excellent visibility of what is happening on their network, via logs, audit trails and other monitoring systems. Secondly, the defender has domain knowledge: they should have a good idea of what traffic to expect from the various computers on the network, which makes deviations from that baseline, and hence attacks, easier to detect.