A computer-implemented method includes identifying a data transmission session associated with a display-oriented data transmission scheme; identifying an outbound data stream associated with the data transmission session; and determining one or more protected fields associated with the outbound data stream. The computer-implemented method further includes determining a client attempt to write to at least one of the one or more protected fields; and in response to determining said client attempt, determining an intrusion detection report. A corresponding computer program product and computer system are also disclosed.