
Showing papers by "Richard P. Lippmann published in 2001"


26 Feb 2001
TL;DR: Objectives of this effort were to support algorithm development, perform a blind, off-line evaluation of intrusion detection approaches, and help DARPA guide research directions.
Abstract: Recent DARPA Intrusion Detection (ID) and Strategic Intrusion Assessment (SIA) programs have funded development of new approaches to intrusion detection. The Information Systems Technology Group at MIT Lincoln Laboratory assisted this research with off-line evaluations of these new systems in 1998 and 1999. These evaluations measured detections and false alarm rates of the intrusion detection systems. Eight research sites participated in the second annual evaluation. A network testbed was developed for this evaluation. It included host computers that were attacked and recently-developed traffic generators that produced live traffic modeled after a small Air Force base. This traffic appears as if it were generated by hundreds of users and thousands of hosts. More than 200 instances of 58 attack types were launched against victim UNIX and Windows NT hosts in three weeks of training data and two weeks of test data. Objectives of this effort were to support algorithm development, perform a blind, off-line evaluation of intrusion detection approaches, and help DARPA guide research directions. This technical report describes the testbed design and operation, background traffic modeling and generation, attack modeling and automation, and the scoring procedure. Results of the 1999 evaluation are discussed in a separate technical report entitled "Results of the 1999 DARPA Off-Line Intrusion Detection Evaluation."

112 citations


Proceedings Article
12 Jun 2001
TL;DR: The Lincoln Adaptable Real-time Information Assurance Testbed (LARIAT) has been developed to simplify intrusion detection development and evaluation and extensive analysis of the 1999 evaluation data and results has provided understanding of many attacks, their manifestations, and the features used to detect them.
Abstract: The 1998 and 1999 DARPA off-line intrusion detection evaluations assessed the performance of intrusion detection systems using realistic background traffic and many examples of realistic attacks. This paper discusses three extensions to these evaluations. First, the Lincoln Adaptable Real-time Information Assurance Testbed (LARIAT) has been developed to simplify intrusion detection development and evaluation. LARIAT allows researchers and operational users to rapidly configure and run real-time intrusion detection and correlation tests with robust background traffic and attacks in their laboratories. Second, "Scenario Datasets" have been crafted to provide examples of multiple component attack scenarios instead of the atomic attacks as found in past evaluations. Third, extensive analysis of the 1999 evaluation data and results has provided understanding of many attacks, their manifestations, and the features used to detect them. This analysis is used to develop models of attacks, intrusion detection systems, and intrusion detection system alerts. Successful models could reduce the need for expensive experimentation, allow proof-of-concept analysis and simulations, and form the foundation of a theory of intrusion detection.

84 citations


Journal Article
01 Jul 2001
TL;DR: Macroscope is a network-based intrusion detection system that uses bottleneck verification (BV) to detect user-to-superuser attacks and has extensions to detect intrusions that exploit trust relationships, as well as previously installed Trojan programs.
Abstract: Macroscope is a network-based intrusion detection system that uses bottleneck verification (BV) to detect user-to-superuser attacks. BV detects novel computer attacks by looking for users performing high privilege operations without passing through legal "bottleneck" checkpoints that grant those privileges. Macroscope's BV implementation models many common Unix commands, and has extensions to detect intrusions that exploit trust relationships, as well as previously installed Trojan programs. BV performs at a false alarm rate more than two orders of magnitude lower than a reference signature verification system, while simultaneously increasing the detection rate from roughly 20% to 80% of user-to-superuser attacks.

12 citations
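The bottleneck verification idea in the Macroscope abstract can be shown on a small process-tree model: root activity is legal only if the process, or an ancestor, passed through a checkpoint program that grants root, and a setuid-root program may only do what its command model allows. The example below is added here and is not Macroscope's code; the bottleneck list, the setuid command models, the canonical-path Trojan check, the `ok` flag on a failed `su`, and the audit records themselves are all constructed assumptions for illustration.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ROOT = 0
# Assumed bottleneck model: the only programs that legitimately grant root to a user
# session, keyed by canonical path. A same-named image run from another path is treated
# as an installed Trojan (an assumed rendering of the Trojan extension, not Macroscope's).
BOTTLENECKS = {"/bin/login", "/bin/su", "/usr/bin/sudo"}
BOTTLENECK_NAMES = {os.path.basename(b) for b in BOTTLENECKS}
# Assumed models of setuid-root programs: the programs each may exec while root.
# An empty set means the program may exec nothing. Illustrative only.
SETUID_MODEL: Dict[str, Set[str]] = {
    "/usr/bin/passwd": set(),
    "/usr/bin/eject": set(),
    "/usr/bin/ps": set(),
}


@dataclass(frozen=True)
class Exec:
    """One exec record from a constructed host audit trail."""
    ts: int
    pid: int
    ppid: int
    uid: int          # effective uid of the new image
    exe: str          # absolute path of the image
    ok: bool = True   # False when a bottleneck failed (bad password); assumed auditable


@dataclass
class Proc:
    pid: int
    uid: int
    exe: str
    state: str                       # user | system | granted | setuid | illegal
    setuid_via: Optional[str] = None  # program whose model bounds a "setuid" root context


@dataclass(frozen=True)
class Alert:
    ts: int
    pid: int
    kind: str
    detail: str


class BottleneckVerifier:
    """Flags root activity that did not pass through a legal bottleneck."""

    def __init__(self) -> None:
        self.procs: Dict[int, Proc] = {1: Proc(1, ROOT, "/sbin/init", "system")}
        self.alerts: List[Alert] = []

    def _parent(self, ev: Exec) -> Proc:
        p = self.procs.get(ev.ppid)
        if p is None:  # parent predates the trace: assume a root parent is a system daemon
            p = Proc(ev.ppid, ev.uid, "?", "system" if ev.uid == ROOT else "user")
            self.procs[ev.ppid] = p
        return p

    def process(self, ev: Exec) -> Optional[Alert]:
        parent = self._parent(ev)
        alert: Optional[Alert] = None
        if ev.uid != ROOT:
            state, via = "user", None                 # dropping to a user uid is always fine
        elif os.path.basename(ev.exe) in BOTTLENECK_NAMES and ev.exe not in BOTTLENECKS:
            state, via = "illegal", None
            alert = Alert(ev.ts, ev.pid, "trojan-bottleneck",
                          f"{ev.exe} run as root outside its canonical path")
        elif ev.exe in BOTTLENECKS:
            if ev.ok:
                state, via = "granted", None          # the checkpoint that legally grants root
            else:
                state, via = "setuid", ev.exe         # failed su is still root but may exec nothing
        elif parent.state in ("system", "granted", "illegal"):
            state, via = parent.state, None           # root inherited along an already classified chain
        elif parent.state == "user":
            if ev.exe in SETUID_MODEL:
                state, via = "setuid", ev.exe         # expected setuid-root program
            else:
                state, via = "illegal", None
                alert = Alert(ev.ts, ev.pid, "unmodelled-privilege-gain",
                              f"uid {parent.uid} became root via {ev.exe}")
        else:  # parent.state == "setuid": only what that program's model allows
            allowed = SETUID_MODEL.get(parent.setuid_via or "", set())
            if ev.exe in allowed:
                state, via = "setuid", parent.setuid_via
            else:
                state, via = "illegal", None
                alert = Alert(ev.ts, ev.pid, "bottleneck-bypass",
                              f"{parent.setuid_via} exec'd {ev.exe} as root")
        self.procs[ev.pid] = Proc(ev.pid, ev.uid, ev.exe, state, via)
        if alert:
            self.alerts.append(alert)
        return alert


def constructed_trace() -> List[Exec]:
    """Constructed records: a benign su session, a setuid exploit, a Trojan su, a failed su."""
    return [
        Exec(100, 200, 1, ROOT, "/bin/login"),
        Exec(101, 201, 200, 1001, "/bin/sh"),            # user's login shell
        Exec(102, 202, 201, ROOT, "/bin/su"),            # user -> root through the bottleneck
        Exec(103, 203, 202, ROOT, "/bin/sh"),            # root shell: legal
        Exec(104, 204, 203, ROOT, "/bin/cat"),
        Exec(110, 210, 201, ROOT, "/usr/bin/passwd"),    # modelled setuid program: legal
        Exec(120, 220, 201, ROOT, "/usr/bin/eject"),     # setuid program, root expected here
        Exec(121, 221, 220, ROOT, "/bin/sh"),            # overflowed eject spawns a root shell
        Exec(122, 222, 221, ROOT, "/usr/bin/id"),
        Exec(130, 230, 201, ROOT, "/tmp/su"),            # Trojan su
        Exec(140, 240, 201, ROOT, "/bin/su", ok=False),  # wrong password
        Exec(141, 241, 240, ROOT, "/bin/sh"),            # shell out of a failed su
        Exec(150, 250, 201, ROOT, "/home/alice/x"),      # unknown program hands the user root
    ]


def run_demo() -> List[Alert]:
    bv = BottleneckVerifier()
    for ev in constructed_trace():
        bv.process(ev)
    return bv.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"t={a.ts} pid={a.pid} {a.kind}: {a.detail}")
```

The benign `su` session and the `passwd` run produce nothing, while the shell spawned from `eject`, the `/tmp/su` image, the shell from a failed `su`, and the unknown root program each raise exactly one alert. This is why BV can catch novel user-to-superuser attacks without a signature: it never looks at the exploit, only at whether root was reached through a modelled checkpoint.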