Network-based attacks are becoming more common and sophisticated. For this reason, intrusion detection systems are now shifting their focus from the hosts and their operating systems to the network itself. Network-based intrusion detection is challenging because network auditing produces large amounts of data, and dierent events related to a single intrusion may be visible in dierent places on the network. This paper presents a new approach that applies the State Transition Analysis Technique (STAT) to network intrusion detection. Network-based intrusions are modeled using state transition diagrams in which states and transitions are characterized in a networked environment. The target network environment itself is represented using a model based on hypergraphs. By using a formal model of both the network to be protected and the attacks to be detected the approach is able to determine which network events have to be monitored and where they can be monitored, providing automatic suppo...

Sharing data between widely distributed intrusion detection systems offers the possibility of significant improvements in speed and accuracy over isolated systems. In this paper, we describe and evaluate DOMINO (Distributed Overlay for Monitoring InterNet Outbreaks); an architecture for a distributed intrusion detection system that fosters collaboration among heterogeneous nodes organized as an overlay network. The overlay design enables DOMINO to be heterogeneous, scalable, and robust to attacks and failures. An important component of DOMINO’s design is the use of active sink nodes which respond to and measure connections to unused IP addresses. This enables efficient detection of attacks from spoofed IP sources, reduces false positives, enables attack classification and production of timely blacklists. We evaluate the capabilities and performance of DOMINO using a large set of intrusion logs collected from over 1600 providers across the Internet. Our analysis demonstrates the significant marginal benefit obtained from distributed intrusion data sources coordinated through a system like DOMINO. We also evaluate how to configure DOMINO in order to maximize performance gains from the perspectives of blacklist length, blacklist freshness and IP proximity. We perform a retrospective analysis on the 2002 SQL-Snake and 2003 SQL-Slammer epidemics that highlights how information exchange through DOMINO would have reduced the reaction time and false-alarm rates during outbreaks. Finally, we provide preliminary results from our prototype active sink deployment that illustrates the limited variability in the sink traffic and the feasibility of efficient classification and discrimination of attack types. 1

This dissertation explores an immunological model of distributed detection, called negative detection, and studies its performance in the domain of intrusion detection on computer networks. The goal of the detection system is to distinguish between illegitimate behaviour (nonself ), and legitimate behaviour (self ). The detection system consists of sets of negative detectors that detect instances of nonself; these detectors are distributed across multiple locations. The negative detection model was developed previously; this research extends that previous work in several ways. Firstly, analyses are derived for the negative detection model. In particular, a framework for explicitly incorporating distribution is developed, and is used to demonstrate that negative detection is both scalable and robust. Furthermore, it is shown that any scalable distributed detection system that requires communication (memory sharing) is always less robust than a system that does not require communication...

There is currently need for an up-to-date and thorough survey of the research in the eld of computer and network intrusion detection. This paper presents such a survey, with a taxonomy of intrusion detection system features, and a classi- cation of the surveyed systems according to the taxonomy. The conclusion is reached that current research interest should lie in the study of the e ectiveness of intrusion detection and how to handle attacks against the intrusion detection system itself.

While the spread of the Internet has made the network ubiquitous, it has also rendered networked systems vulnerable to malicious attacks orchestrated from anywhere. These attacks or intrusions typically start with attackers infiltrating a network through a vulnerable host and then launching further attacks on the local network or Intranet. Attackers rely on increasingly sophisticated techniques like using distributed attack sources and obfuscating their network addresses. On the other hand, software that guards against them remains rooted in traditional centralized techniques, presenting an easily-targeted single point of failure. Scalable, distributed network intrusion prevention techniques are sorely needed.

Security of computer systems is essential to their acceptance and utility. Computer security analysts use intrusion detection systems to assist them in maintaining computer system security. This paper deals with the problem of differentiating between masqueraders and the true user of a computer terminal. Prior efficient solutions are less suited to real time application, often requiring all training data to be labeled, and do not inherently provide an intuitive idea of what the data model means. Our system, called ADMIT, relaxes these constraints, by creating user profiles using semiincremental techniques. It is a real-time intrusion detection system with host-based data collection and processing. Our method also suggests ideas for dealing with concept drift and affords a detection rate as high as 80.3% and a false positive rate as low as 15.3%.

It is becoming increasingly common for network devices to handle packets based on the contents of packet payloads. Example applications include intrusion detection, firewalls, web proxies, and layer seven switches. This paper analyzes the problem of intrusion detection and its reliance on fast string matching in packets. We show that the problem can be restructured to allow the use of more efficient string matching algorithms that operate on sets of patterns in parallel. We then introduce and analyze a new string matching algorithm that has average-case performance that is better than AhoCorasick, a popular linear-time algorithm and much better than the iterative use of Boyer-Moore currently used in the popular intrusion detection platform Snort. We then measure the actual performance of several search algorithms on actual packet traces and rulesets. Our results provide lessons on the structuring of content-based handlers, string matching algorithms in general, and the importance of performance to security.

The current generation of centralized network intrusion detection systems (NIDS) have various limitations on their performance and effectiveness. In this paper, we argue that intrusion detection analysis should be distributed to network node IDS (NNIDS) running in hardware on the end hosts. An NNIDS can unambiguously inspect traffic to and from the host, and when implemented on the network interface hardware, can function independently of the host operating system to provide better protection with less overhead than software implementations. We discuss the computation and communication characteristics of typical software intrusion detection analysis tasks. Then, we describe our efforts in mapping these tasks to a hardware platform using COTS components including Intel IXP network processors and Xilinx Virtex FPGAs. We report the performance of our prototype NNIDS implementation and provide analysis on how the network processor architecture affects the performance. Our results show that the NNIDS can achieve high performance with a pipeline of processing stages and careful allocation of tasks to the most appropriate hardware resources. 1.

: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : xv 1

Effective intrusion detection capability is an elusive goal, not solved easily or with a single mechanism. However, mobile software agents go a long way toward realizing the ideal behavior desired in an Intrusion Detection System (IDS). This paper is an initial look at the relatively unexplored terrain of using mobile agents for intrusion detection and response. It looks not only at the benefits derived from mobility, but also those associated with software agent technology. We explore these benefits in some detail and propose a number of innovative ways to apply agent mobility to address the shortcomings of current IDS designs and implementations. We also look at new approaches for automating response to an intrusion, once detected.