detecting cracks


changes in outgoing bandwidth
changes in DNS usage
files/permissions changes
do not trust your own system to provide you with correct data
IDS
honey-pots
deal with information overflow