Results 1 - 10 of 12
Fusion of multiple classifiers for intrusion detection in computer networks
- Pattern Recognition Letters
, 2003
Cited by 14 (2 self)
The security of computer networks plays a strategic role in modern computer systems. In order to enforce high protection levels against threats, a number of software tools have been currently developed. Intrusion Detection Systems aim at detecting intruders who elude “first line” protection. In this paper, a pattern recognition approach to network intrusion detection based on the fusion of multiple classifiers is proposed. Five decision fusion methods are assessed by experiments and their performances compared. The potentialities of classifier fusion for the development of effective intrusion detection systems are evaluated and discussed.
Fuzzy intrusion detection
- in Proc. IFSA World Congress and 20th North American Fuzzy Information Processing Society (NAFIPS) International Conference, Vancouver, British Columbia 3
, 2001
Cited by 13 (0 self)
The Fuzzy Intrusion Recognition Engine (FIRE) is a network intrusion detection system that uses fuzzy systems to assess malicious activity against computer networks. The system uses an agent-based approach to separate monitoring tasks. Individual agents perform their own fuzzification of input data sources. All agents communicate with a fuzzy evaluation engine that combines the results of individual agents using fuzzy rules to produce alerts that are true to a degree. Several intrusion scenarios are presented along with the fuzzy systems for detecting the intrusions. The fuzzy systems are tested using data obtained from networks under simulated attacks. The results show that fuzzy systems can easily identify port scanning and denial of service attacks. The system can be effective at detecting some types of backdoor and Trojan horse attacks.
Intrusion Detection, Diagnosis, and Recovery with Self-Securing Storage
, 2002
Cited by 11 (5 self)
Self-securing storage turns storage devices into active parts of an intrusion survival strategy. From behind a thin storage interface (e.g., SCSI or CIFS), a self-securing storage server can watch storage requests, keep a record of all storage activity, and prevent compromised clients from destroying stored data. This paper describes three ways self-securing storage enhances an administrator's ability to detect, diagnose, and recover from client system intrusions. First, storage-based intrusion detection offers a new observation point for noticing suspect activity. Second, post-hoc intrusion diagnosis starts with a plethora of normally-unavailable information. Finally, post-intrusion recovery is reduced to restarting the system with a pre-intrusion storage image retained by the sensor. Combined, these features can improve an organization's ability to survive successful digital intrusions.
A Modular Multiple Classifier System for the Detection of Intrusions in Computer Networks
- 4th Int. Workshop on Multiple Classifier Systems (MCS 2003), Guildford, United Kingdom, June 11-13 2003, T. Windeatt and F. Roli Eds., LNCS 2709
, 2003
Cited by 5 (1 self)
Abstract. The security of computer networks plays a strategic role in modern computer systems. In order to enforce high protection levels against threats, a number of software tools have been currently developed. Intrusion Detection Systems aim at detecting intruders who elude “first line” protection. In this paper, a pattern recognition approach to network intrusion detection based on the fusion of multiple classifiers is proposed. In particular, a modular Multiple Classifier architecture is designed, where each module detects intrusions against one of the services offered by the protected network. Each Multiple Classifier System fuses the information coming from different feature representations of the patterns of network traffic. The potentialities of classifier fusion for the development of effective intrusion detection systems are evaluated and discussed.
Low-Level network attack recognition: a signature-based approach
- In Proceedings of 13th IASTED Int. Conference on Parallel and Distributed Computing and Systems (PDCS 2001)
, 2001
Cited by 4 (2 self)
This research presents a new method for detecting network attacks based on network traffic signatures. It is part of a survivability architecture, which focuses on attack recognition, fault-tolerance and recovery after malicious acts. The attack recognition portion emphasizes low-level analysis of network traffic, high efficiency, real-time operation, and accurate identification of attacks. Attack recognition is based on the analysis of TCP protocol flags with respect to specific attacks and is characterized by its simplicity.
Outbound Intrusion Detection
, 2004
Cited by 3 (1 self)
This paper describes a variation to the traditional intrusion detection approach motivated by longstanding challenges and recent trends in information security. Intrusion detection systems have historically focused on the protection of local resources by identifying signs of malicious activity that may help administrators prevent a break-in and limit its effects. Outbound intrusion detection focuses, not on preventing a host from being compromised, but on guaranteeing that the host will not be used as an attack launcher or intrusion relayer to compromise other systems. This approach leverages the quality of evidence available to a host regarding its own activity, and supports the idea of splitting up security monitoring into multiple, smaller tasks. We explain the motivation behind this idea by describing some limitations of intrusion detection technologies as well as some findings from security surveys. We also discuss the most relevant characteristics of the approach and outline the benefits it has from a research perspective. Keywords: Outbound Intrusion Detection, Security Monitoring, Information Security
A Comparison of Alternative Audit Sources for Web Server Attack Detection
Cited by 1 (0 self)
Most intrusion detection systems available today are using a single audit source for detecting all attacks, even though attacks have distinct manifestations in different parts of the system. In this paper we carry out a theoretical investigation of the role of the audit source for the detection capability of the intrusion detection system (IDS). Concentrating on web server attacks, we examine the attack manifestations available to intrusion detection systems at different abstraction layers, including a network-based IDS, an application-based IDS, and finally a host-based IDS. Our findings include that attacks indeed have different manifestations depending on the audit source used. Some audit sources may lack any manifestation for certain attacks, and, in other cases contain only events that are indirectly connected to the attack in question. This, in turn, affects the reliability of the attack detection if the intrusion detection system uses only a single audit source for collecting security-relevant events. Hence, we conclude that using a multisource detection model increases the probability of detecting a range of attacks directed toward the web server. We also note that this model should account for the detection quality of each attack / audit stream to be able to rank alerts.
A Testbed for Quantitative Assessment of Intrusion Detection Systems using Fuzzy Logic
The current Intrusion Detection System (IDS) technology is a major investment for a firm and its evaluation is desired prior to a commitment. A testbed compares different IDSs on a common platform. A major challenge in evaluating IDSs stems from the fact that they are generally tested in specific environments. A real-world environment could be different from the environment designed for a testbed. The results obtained, from such testbeds, may not be accurate and reliable. Hence, a quantitative and metrics based evaluation of IDSs is desired. We propose Testbed for evaluating Intrusion Detection Systems (TIDeS), that allows a user to select the best IDS for a specific customized environment. A quantitative analysis is provided by TIDeS, using fuzzy logic, under varying network loads. We also propose robust metrics to evaluate an IDS. We follow up with recommendations, based on our experience, on the general practices in the field of IDSs.
Honeypots
, 2002
A honeypot is used in the area of computer and Internet security. It is a resource which is intended to be attacked and compromised to gain more information about the attacker and his attack techniques. It can also be used to attract and divert an attacker from the real targets. One goal of this paper is to show the possibilities of honeypots and their use in an educational as well as productive environment.

