Intrusion detection should be a function, not a product