Results 1 - 10 of 15
Application-Integrated Data Collection For Security Monitoring
- In Proceedings of Recent Advances in Intrusion Detection (RAID), LNCS, 2001
Cited by 28 (2 self)
This paper describes a new approach to collecting real-time transaction information from a server application and forwarding the data to an intrusion detection system. While the few existing application-based intrusion detection systems tend to read log files, the proposed application-integrated approach uses a module coupled with the application to extract the desired information. The paper describes the advantages of this approach in general, and how it complements traditional network-based and host-based data collection methods. The most compelling benefit is the ability to monitor transactions that are encrypted when transported to the application and therefore not visible to network traffic monitors. Further benefits include full insight into how the application interprets the transaction, and data collection that is independent of network line speed. To evaluate the proposed approach, we designed and implemented a data-collection module for the Apache Web server.
An Empirical Analysis of NATE - Network Analysis of Anomalous Traffic Events
- New Security Paradigms Workshop '02, September 23-26, 2002
Cited by 14 (1 self)
This paper presents results of an empirical analysis of NATE (Network Analysis of Anomalous Traffic Events), a lightweight, anomaly-based intrusion detection tool. Previous work was based on the simulated Lincoln Labs data set. Here, we show that NATE can operate under the constraints of real data inconsistencies. In addition, new TCP sampling and distance methods are presented. Differences between real and simulated data are discussed in the course of the analysis.
An Environment for Security Protocol Intrusion Detection
- Journal of Computer Security, 2001
Cited by 6 (1 self)
Secure electronic communication relies on cryptography. Even with perfect encryption, communication may be compromised without effective security protocols for key exchange, authentication, etc. We are now seeing proliferation of large secure environments characterized by high volume, encrypted traffic between principals, facilitated by Public Key Infrastructures (PKI). PKIs are dependent on security protocols. Unfortunately, security protocols are susceptible to subtle errors. To date, we have relied on formal methods to tell us if security protocols are effective. These methods do not provide complete or measurable protocol security. Security protocols are also subject to the same implementation and administrative vulnerabilities as communication protocols. As a result, we will continue to operate security protocols that have flaws. In this paper, we describe a method and architecture to detect intrusions in security protocol environments such as Public Key Infrastructures. Our method is based on classic intrusion detection techniques: knowledge-based and behavior-based detection.
Attacks at the Data Link Layer
- 2003
Cited by 5 (0 self)
Intrusion detection systems usually operate at layer 3 or above on the TCP/IP stack because layer 2 protocols in local area networks are trusted. Current firewall technology has very limited capabilities at layer 2 for the very same reason. Historically the trust in layer 2 protocols has been based on physical access control to the network links. However, new applications of these protocols extend the range of layer 2 networks beyond the physical control of a single organization. Furthermore, the insider problem [5, 18] is among the most dangerous threats. We study the effects of denial of service attacks on a layer 2 routing protocol (the Rapid Spanning Tree Protocol) as perceived from the network layer. Important performance and resiliency degradation is observed in our experiments. We also consider another category of attacks, that we designate as topology engagement attacks, with which layer 2 traffic snooping can be achieved without raising alerts at layer 3, defeating in this way the principle of traffic separation of switched local area networks. Some measures aimed at mitigating the impact of these types of attacks are proposed. Finally we present some experiments to validate the efficiency of the proposed countermeasures.
Survey of Intrusion Detection Research
- 2002
Cited by 4 (0 self)
The literature holds a great deal of research in the intrusion detection area. Much of this describes the design and implementation of specific intrusion detection systems. While the main focus has been the study of different detection algorithms and methods, there are a number of other issues that are of equal importance to make these systems function well in practice. I believe that the reason that the commercial market does not use many of the ideas described is that there are still too many unresolved issues.
Some Problems in Sanitizing Network Data
Cited by 3 (1 self)
The problem of removing sensitive information from data before it is released publicly, or turned over to less trusted analysts, underlies much of the unwillingness to share data. The solution is to sanitize, or deidentify, parts of the data. When dealing with network addresses, the set of available addresses is finite. This limits some aspects of the sanitization. We analyze this problem in detail, and suggest approaches to ameliorate it.
Machine-Independent Audit Trail Analysis – A Decision Support Tool for Continuous Audit Assurance
Cited by 1 (0 self)
This paper reports the results of a research project which examines the feasibility of developing a machine-independent audit trail analyser (MIATA). MIATA is a knowledge-based system which performs intelligent analysis of operating system audit trails. Such a system is proposed as a decision support tool for auditors when assessing the risk of unauthorised user activity in multi-user computer systems. It is also relevant to the provision of a continuous assurance service to clients by internal and external auditors. Monitoring user activity in system audit trails manually is impractical because of the vast quantity of events recorded in those audit trails. However, if done manually, an expert security auditor would be needed to look for two main types of events: user activity rejected by the system's security settings (failed actions) and users behaving abnormally (e.g. unexpected changes in activity such as the purchasing clerk attempting to modify payroll data). A knowledge-based system is suited to applications that require expertise to perform well-defined, yet complex, monitoring activities (e.g. controlling nuclear reactors and detecting intrusions in computer systems). To permit machine-independent intelligent audit trail analysis, an anomaly-detection approach is
The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market
- IOS Press
Cited by 1 (0 self)
Auditing SAP R/3 – Control Risk Assessment
This paper provides an introduction to auditing in an SAP R/3 environment, focusing primarily on the assessment of control risk. A number of distinguishing characteristics of the SAP R/3 system which affect the audit are described. The application of a standard internal control framework to the assessment of application controls is illustrated. Two significant pervasive general control areas are examined: system development and program maintenance, and user access control. Relevant controls in these areas are discussed. Methods for auditing these controls are outlined. Several opportunities for research in the auditing of SAP R/3 are introduced.
SAP R/3 belongs to the family of enterprise resource planning (ERP) systems. An ERP system has several distinctive characteristics [Norris et al., (1998)]:
• Multi-functional in scope: it tracks financial results (dollars), procurement (material), sales (people and goods) and manufacturing (people and resources);

