I've been cobbling together Matrix questions and answers over the last few days. Most of these answers are from Xenon over in the official forums.
QUOTE (BunnyColvin @ Aug 7 2013, 02:05 PM)

Once you are in a host, how does the host find you? I know this seems a dumb question. For instance, to log into the host, you have to have 1 Mark (Per the Enter Host action). Having the mark means the host considers you to be a legitimate user. Even if you are running silent and the Patrol IC spots you, you still have the Mark, so you are legit as far as the IC is concerned.
It's possible (perhaps even wise) to create more than one mark before entering a host.
Patrol IC rolls (Host Rating x2) for its Matrix Perception check to find you.
There aren't clear rules as to when, exactly, this happens. I would have the IC check when you first enter and when you perform any action that adds to your OS. Note that an Attack action automatically alerts the Host to your presence (although not your exact location), so after an Attack action, I roll initiative and have the Patrol IC roll on every pass. If the IC spots you and you have a mark (which you presumably do), what happens next probably depends on the complexity of the host. For a super-secret UV host, finding anything running silent will probably be brought to a spider's attention. For a more common rating 5-6 host, I'd rule that it means that the host automatically knows where you are once you perform an Attack action--a decidedly bad thing. Note that Crack File is an Attack action that you almost inevitably have to perform.
QUOTE
Aside from Overwatch Score, it seems the only way the system can detect your illegal actions is when you screw up on a Hack on the Fly, or Attack action. It is only the mark gaining actions that seem to carry any risk (except for all illegal actions increasing your OS)
Yes, but it's very hard to run in any Host with any value without performing an Attack action (unless your meat team can convince a wageslave to cough up his passcodes, which could circumvent the need for the Crack File roll).
QUOTE
Attack Actions: It states when you use an attack action, the target knows it is under attack by another icon, but does not necessarily spot you. It goes on to state that it will search for you on its next action. Can a device search? What about the Host itself? Wouldn't the Host rely on its IC? And if you have marks on the host, even if the Patrol IC spots you, wouldn't you appear a legit user? Or is the IC smart enough to recognize your actions or does it rely on your status (marks).
A legit user does not perform an Attack action, so it doesn't matter how many marks you have on the host at that point. The only thing that can search for you, aside from a spider, is Patrol IC. I think it's reasonable for a host that knows it's under attack to have the Patrol IC use every available complex action to search for you (hence why I have them roll initiative at this point). Once the Patrol IC spots you, that information is instantly shared with the host, which in turn instantly shares it with all the other IC, even IC that have yet to show up on the scene. This is a very bad thing.
QUOTE
Last question: Direct Connections. Directly connecting to a slave allows you use its stats, not the host. But in the WAN section, it states that once you are in the WAN, you are directly connected to all devices that are part of the WAN. So if thats the case, if my decker connects to the outer Maglock of a facility of a host running a WAN, then I am directly connected to all devices in the WAN, thereby totally negating the Host's defenses for its devices? If that is the case, what is the point of the Host?
(BTW, this post is not a bash of the 5e system. I'm just trying to understand it better)
No, it just means that you can reach other parts of the host through the Maglock. If you want to spoof a door on the other side of the facility, you can, but you're still going to need to roll some dice. With more advanced groups running against harder targets, I almost never have security and data on the same WAN. To use older terminology, the CCSS rigger runs one system that includes the maglocks and the decker runs the other system that includes the paydata. This is an expensive option, and no corp is going to do this for every building, but it's something to consider for down the road.