Results 1 - 10 of 72
An Architecture for Intrusion Detection using Autonomous Agents
1998. Cited by 128 (10 self).
The Intrusion Detection System architectures commonly used in commercial and research systems have a number of problems that limit their configurability, scalability or efficiency. The most common shortcoming in the existing architectures is that they are built around a single monolithic entity that does most of the data collection and processing. In this paper, we review our architecture for a distributed Intrusion Detection System based on multiple independent entities working collectively. We call these entities Autonomous Agents. This approach solves some of the problems previously mentioned. We present the motivation and description of the approach, partial results obtained from an early prototype, a discussion of design and implementation issues, and directions for future work.
Artificial Neural Networks for Misuse Detection
National Information Systems Security Conference, 1998. Cited by 61 (0 self).
Misuse detection is the process of attempting to identify instances of network attacks by comparing current activity against the expected actions of an intruder. Most current approaches to misuse detection involve the use of rule-based expert systems to identify indications of known attacks. However, these techniques are less successful in identifying attacks which vary from expected patterns. Artificial neural networks provide the potential to identify and classify network activity based on limited, incomplete, and nonlinear data sources. We present an approach to the process of misuse detection that utilizes the analytical strengths of neural networks, and we provide the results from our preliminary analysis of this approach. Keywords: Intrusion detection, misuse detection, neural networks, computer security.
Transport and Application Protocol Scrubbing
In Proceedings of INFOCOM 2000, 2000. Cited by 36 (1 self).
This paper describes the design and implementation of a protocol scrubber, a transparent interposition mechanism for explicitly removing network attacks at both the transport and application protocol layers. The transport scrubber supports downstream passive network-based intrusion detection systems; whereas the application scrubbing mechanism supports transparent fail-closed active network-based intrusion detection systems. The transport scrubber's role is to convert ambiguous network flows into well-behaved flows that are unequivocally interpreted by all downstream endpoints. As an example, this paper presents the implementation of a TCP/IP scrubber that eliminates insertion and evasion attacks -- attacks that use ambiguities to subvert detection -- on passive network-based intrusion detection systems, while preserving high performance. The application protocol scrubbing mechanism is used as a substrate for building fail-closed active network-based intrusion detection systems that can respond to attacks by eliding or modifying application data flows in real-time. This paper presents the high-performance implementation of a general purpose transparent application-level scrubbing toolkit in the FreeBSD kernel.
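The ambiguity the transport scrubber removes is easiest to see with overlapping TCP segments: when two segments carry different bytes for the same sequence numbers, some stacks keep the first copy and others the last, so a passive NIDS that reassembles with the wrong policy sees a different stream than the target host. The following is an added example, not the paper's FreeBSD implementation; it reassembles a constructed two-segment evasion under both policies, then applies one simple normalization (the first copy of every byte offset wins and later overlapping segments are rewritten to match), which is an assumption here and not necessarily the exact rule the paper's scrubber uses.

```python
"""Insertion/evasion via overlapping TCP segments, and a transport scrubber
that rewrites later copies so every reassembly policy yields one stream.
Added example with constructed segments; not the paper's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first payload byte
    data: bytes   # payload


def reassemble(segments, policy="first"):
    """Reassemble a byte stream from segments in arrival order.

    policy="first": bytes already in the buffer win on overlap.
    policy="last":  a later copy overwrites an earlier one.
    Real stacks differ on this; that difference is the ambiguity an
    attacker exploits against a passive NIDS."""
    buf = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in buf:
                buf[off] = byte
    return bytes(buf[off] for off in sorted(buf))


def scrub(segments):
    """Transport scrubber (assumed policy): remember the first copy of every
    byte offset and rewrite any later overlapping segment to carry the same
    copy, so downstream endpoints and sensors agree on the stream."""
    seen = {}
    out = []
    for seg in segments:
        data = bytearray(seg.data)
        for i in range(len(data)):
            off = seg.seq + i
            if off in seen:
                data[i] = seen[off]
            else:
                seen[off] = data[i]
        out.append(Segment(seg.seq, bytes(data)))
    return out


def nids_alert(stream, pattern=b"/etc/passwd"):
    """Toy passive NIDS: a single content rule over the reassembled stream."""
    return pattern in stream


# Constructed evasion: the second segment overlaps the first and replaces
# the six bytes "issue\n" at offsets 9..14 with "passwd".
EVASION = [Segment(0, b"cat /etc/issue\n"), Segment(9, b"passwd")]


def demo():
    host_sees = reassemble(EVASION, "last")    # host favours the later copy
    nids_sees = reassemble(EVASION, "first")   # sensor favours the first copy
    scrubbed = scrub(EVASION)
    return {
        "host": host_sees,
        "nids": nids_sees,
        "evaded": nids_alert(host_sees) and not nids_alert(nids_sees),
        "after_scrub_host": reassemble(scrubbed, "last"),
        "after_scrub_nids": reassemble(scrubbed, "first"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Before scrubbing the host executes the command the sensor never saw; after scrubbing both policies reconstruct the same bytes, so the attacker can no longer use the overlap to hide from the sensor. The opposite convention (last copy wins) would equally remove the ambiguity; what matters is that the scrubber enforces one interpretation for everyone downstream.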
Indra: A peer-to-peer approach to network intrusion detection and prevention
2003. Cited by 36 (0 self).
While the spread of the Internet has made the network ubiquitous, it has also rendered networked systems vulnerable to malicious attacks orchestrated from anywhere. These attacks or intrusions typically start with attackers infiltrating a network through a vulnerable host and then launching further attacks on the local network or Intranet. Attackers rely on increasingly sophisticated techniques like using distributed attack sources and obfuscating their network addresses. On the other hand, software that guards against them remains rooted in traditional centralized techniques, presenting an easily-targeted single point of failure. Scalable, distributed network intrusion prevention techniques are sorely needed.
Fast Content-Based Packet Handling for Intrusion Detection
2001. Cited by 30 (0 self).
It is becoming increasingly common for network devices to handle packets based on the contents of packet payloads. Example applications include intrusion detection, firewalls, web proxies, and layer seven switches. This paper analyzes the problem of intrusion detection and its reliance on fast string matching in packets. We show that the problem can be restructured to allow the use of more efficient string matching algorithms that operate on sets of patterns in parallel. We then introduce and analyze a new string matching algorithm that has average-case performance that is better than Aho-Corasick, a popular linear-time algorithm, and much better than the iterative use of Boyer-Moore currently used in the popular intrusion detection platform Snort. We then measure the actual performance of several search algorithms on actual packet traces and rulesets. Our results provide lessons on the structuring of content-based handlers, string matching algorithms in general, and the importance of performance to security.
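The restructuring the abstract describes is to match the whole set of content patterns in a single pass over the payload instead of running a single-pattern search once per rule. The following added example (not the paper's algorithm, nor Snort's code) implements the classic Aho-Corasick automaton the paper compares against, runs it over a constructed HTTP payload with a small constructed ruleset, and checks it against the one-scan-per-pattern baseline; `bytes.find` stands in for the per-pattern Boyer-Moore search, which is an assumption for illustration only.

```python
"""Aho-Corasick set matching over a content ruleset, compared with one
scan per pattern. Added example; patterns and payload are constructed."""
from collections import deque


class AhoCorasick:
    """Multi-pattern byte matcher: the scan cost is one automaton step per
    payload byte, independent of how many patterns the ruleset holds."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [{}]    # state -> {byte: next state}
        self.fail = [0]     # state -> longest proper suffix that is a prefix
        self.out = [[]]     # state -> indices of patterns ending here
        for idx, pat in enumerate(self.patterns):
            state = 0
            for b in pat:
                nxt = self.goto[state].get(b)
                if nxt is None:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    nxt = len(self.goto) - 1
                    self.goto[state][b] = nxt
                state = nxt
            self.out[state].append(idx)
        # Breadth-first pass computes failure links; depth-1 states fail to root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A pattern that is a suffix of this state's string also ends here.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, payload):
        """Return sorted (pattern, start offset) for every occurrence."""
        matches = []
        state = 0
        for pos, b in enumerate(payload):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for idx in self.out[state]:
                pat = self.patterns[idx]
                matches.append((pat, pos - len(pat) + 1))
        return sorted(matches)


def naive_search(patterns, payload):
    """Baseline: a separate pass per pattern, as iterating a single-pattern
    algorithm over a ruleset does (bytes.find stands in for Boyer-Moore)."""
    matches = []
    for pat in patterns:
        start = 0
        while True:
            i = payload.find(pat, start)
            if i < 0:
                break
            matches.append((pat, i))
            start = i + 1
    return sorted(matches)


# Constructed ruleset and payloads (old-style CGI probe plus a benign request).
RULES = [b"/etc/passwd", b"passwd", b"/cgi-bin/", b"phf"]
PAYLOADS = [
    b"GET /cgi-bin/phf?Qalias=x%0acat%20/etc/passwd HTTP/1.0\r\n",
    b"GET /index.html HTTP/1.0\r\n",
]


def scan(rules=RULES, payloads=PAYLOADS):
    """Match every payload once against the whole ruleset."""
    ac = AhoCorasick(rules)
    return [ac.search(p) for p in payloads]


if __name__ == "__main__":
    for payload, hits in zip(PAYLOADS, scan()):
        print(payload, hits)
```

Overlapping and nested patterns (here `passwd` inside `/etc/passwd`) are reported by both approaches because the failure links carry each state's suffix matches; that is what makes the single pass equivalent to the per-pattern scans rather than an approximation of them.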
Mobile Agents In Intrusion Detection And Response
Cited by 26 (1 self).
Effective intrusion detection capability is an elusive goal, not solved easily or with a single mechanism. However, mobile software agents go a long way toward realizing the ideal behavior desired in an Intrusion Detection System (IDS). This paper is an initial look at the relatively unexplored terrain of using mobile agents for intrusion detection and response. It looks not only at the benefits derived from mobility, but also those associated with software agent technology. We explore these benefits in some detail and propose a number of innovative ways to apply agent mobility to address the shortcomings of current IDS designs and implementations. We also look at new approaches for automating response to an intrusion, once detected.
An Artificial Immune Model for Network Intrusion Detection
7th European Congress on Intelligent Techniques and Soft Computing (EUFIT'99), 1999. Cited by 25 (6 self).
This paper investigates the subject of intrusion detection over networks. Existing network-based IDS's are categorised into three groups and the overall architecture of each group is summarised and assessed. A new methodology to this problem is then presented, which is inspired by the human immune system and based on a novel artificial immune model. The architecture of the model is presented and its characteristics are compared with the requirements of network-based IDS's. The paper concludes that this new approach shows considerable promise for future network-based IDS's.
Abstraction-based Intrusion Detection in Distributed Environments
ACM Transactions on Information and System Security, 2001. Cited by 24 (3 self).
This paper presents a hierarchical model to support attack specification and event abstraction in distributed intrusion detection. The model involves three concepts: system view, signature, and view definition. A system view provides an abstract interface of a particular type of information; defined on the instances of system views, a signature specifies certain distributed attacks or events to be monitored; a view definition is then used to derive information from the matches of a signature and presents it through a system view. With the three elements, the model provides a hierarchical framework for maintaining signatures, system views as well as event abstraction. As a benefit, the model allows generic signatures that can accommodate unknown variants of known attacks. Moreover, abstraction represented by a system view can be updated without changing either its specification or the signatures defined on the basis of it. This paper then presents a decen
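The three concepts fit together as a small pipeline: raw sensor views feed low-level signatures, view definitions project those matches into an abstract view, and a generic signature written once on the abstract view covers every variant that reaches it. The following added example (not the paper's model or code; the view names, field names and sample events are all constructed for illustration) shows a source spreading password guesses over SSH and HTTP so that neither per-sensor signature alone reaches a threshold, while a generic brute-force signature on the abstract `login_failure` view does; adding a new log format later only needs another view definition, not a change to that signature.

```python
"""System views, signatures and view definitions as a small hierarchy.
Added example; views, fields and events are constructed, not the paper's."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class SystemView:
    """Abstract interface to one kind of information: a named event stream
    with a fixed field set. Signatures only ever see these fields."""
    name: str
    fields: tuple
    events: List[dict] = field(default_factory=list)

    def emit(self, **ev):
        missing = set(self.fields) - ev.keys()
        if missing:
            raise ValueError(f"{self.name}: missing {sorted(missing)}")
        self.events.append({k: ev[k] for k in self.fields})


@dataclass
class Signature:
    """Specifies an event or attack to monitor on instances of one view."""
    name: str
    view: str
    match: Callable[[List[dict]], List[dict]]


@dataclass
class ViewDefinition:
    """Derives a higher-level view from the matches of a signature."""
    signature: str
    target: SystemView
    project: Callable[[dict], dict]


def evaluate(views: Dict[str, SystemView], signatures, viewdefs):
    """Run signatures in hierarchy order; each match feeds the views
    defined on that signature before higher-level signatures run."""
    matches = {}
    for sig in signatures:
        found = list(sig.match(views[sig.view].events))
        matches[sig.name] = found
        for vd in viewdefs:
            if vd.signature == sig.name:
                for m in found:
                    vd.target.emit(**vd.project(m))
    return matches


def brute_force(events, threshold=3, window=60):
    """Generic signature on the abstract view: at least `threshold` failures
    from one source within `window` seconds, whatever the service was."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["ts"])
    hits = []
    for src, times in sorted(by_src.items()):
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append({"src": src, "first": times[i]})
                break
    return hits


def build_and_run():
    sshd = SystemView("sshd_log", ("ts", "src", "result"))
    httpd = SystemView("httpd_log", ("ts", "client", "status", "path"))
    login_failure = SystemView("login_failure", ("ts", "src", "service"))
    views = {v.name: v for v in (sshd, httpd, login_failure)}

    # Constructed sample events: 10.0.0.5 splits its guesses across services.
    for ts, src, res in [(100, "10.0.0.5", "Failed password"),
                         (130, "10.0.0.5", "Failed password"),
                         (140, "10.0.0.9", "Failed password"),
                         (150, "10.0.0.9", "Accepted password")]:
        sshd.emit(ts=ts, src=src, result=res)
    for ts, cl, st, path in [(110, "10.0.0.5", 401, "/login"),
                             (120, "10.0.0.5", 401, "/login"),
                             (125, "10.0.0.5", 200, "/index.html")]:
        httpd.emit(ts=ts, client=cl, status=st, path=path)

    signatures = [
        Signature("ssh_fail", "sshd_log",
                  lambda ev: [e for e in ev if e["result"] == "Failed password"]),
        Signature("http_auth_fail", "httpd_log",
                  lambda ev: [e for e in ev if e["status"] == 401 and e["path"] == "/login"]),
        Signature("brute_force", "login_failure", brute_force),
    ]
    # View definitions are the only place that knows each sensor's raw fields.
    viewdefs = [
        ViewDefinition("ssh_fail", login_failure,
                       lambda m: {"ts": m["ts"], "src": m["src"], "service": "ssh"}),
        ViewDefinition("http_auth_fail", login_failure,
                       lambda m: {"ts": m["ts"], "src": m["client"], "service": "http"}),
    ]
    return evaluate(views, signatures, viewdefs)


if __name__ == "__main__":
    for name, found in build_and_run().items():
        print(name, found)
```

The ordering of `signatures` encodes the hierarchy: a signature on a derived view must run after the view definitions that populate it, which is the bookkeeping a real engine would derive from the view dependencies rather than leave to the caller.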

