Journal Article

Intrusion detection systems and multisensor data fusion

01 Apr 2000-Communications of The ACM (ACM)-Vol. 43, Iss: 4, pp 99-105
TL;DR: The vast majority of security professionals would agree that real-time ID systems are not technically advanced enough to detect sophisticated cyberattacks by trained professionals, but these systems have not matured to a level where sophisticated attacks are reliably detected, verified, and assessed.
Abstract: The vast majority of security professionals would agree that real-time ID systems are not technically advanced enough to detect sophisticated cyberattacks by trained professionals. For example, during the Langley cyberattack the ID systems failed to detect substantial volumes of email bombs that crashed critical email servers. Coordinated efforts from various international locations were observed as hackers worked to understand the rules-based filter used in counterinformation operations against massive email bomb attacks [1]. At the other end of the technical spectrum, false alarms from ID systems are problematic, persistent, and preponderant. Numerous systems administrators have been the subject of an ID system reporting normal work activities as hostile actions. These types of false alarms result in financial losses to organizations when technical resources are denied access to computer systems or security resources are misdirected to investigate nonintrusion events. In addition, when systems are prone to false alarms, user confidence is marginalized and misused systems are poorly maintained and underutilized. ID systems that examine operating system audit trails, or network traffic [3, 8] and other similar detection systems, have not matured to a level where sophisticated attacks are reliably detected, verified, and assessed. Comprehensive and reliable systems are complex and the technological designs of these advanced
Citations
Journal Article
TL;DR: This paper surveys each of the localization techniques that can be used to localize vehicles and examines how these localization techniques can be combined using Data Fusion techniques to provide the robust localization system required by most critical safety applications in VANets.

639 citations


Cites background from "Intrusion detection systems and mul..."

  • ...Lately, these mechanisms have been used in previously unpredicted applications such as intrusion detection [45] and Denial of Service (DoS) detection [46]....


Journal Article
TL;DR: This work surveys the current state-of-the-art of information fusion by presenting the known methods, algorithms, architectures, and models, and discusses their applicability in the context of wireless sensor networks.
Abstract: Wireless sensor networks produce a large amount of data that needs to be processed, delivered, and assessed according to the application objectives. The way these data are manipulated by the sensor nodes is a fundamental issue. Information fusion arises as a response to process data gathered by sensor nodes and benefits from their processing capability. By exploiting the synergy among the available data, information fusion techniques can reduce the amount of data traffic, filter noisy measurements, and make predictions and inferences about a monitored entity. In this work, we survey the current state-of-the-art of information fusion by presenting the known methods, algorithms, architectures, and models of information fusion, and discuss their applicability in the context of wireless sensor networks.

606 citations


Cites methods from "Intrusion detection systems and mul..."

  • ...Lately, these mechanisms have been used in new applications such as intrusion detection [Bass 2000] and Denial of Service (DoS) detection [Siaterlis and Maglaris 2004]....


Patent
27 Apr 2001
TL;DR: In this article, the authors present a fusion engine that can identify relationships between one or more real-time, raw computer events as they are received in realtime, and assess and rank the risk of realtime raw events as well as mature correlation events.
Abstract: A security management system includes a fusion engine which “fuses” or assembles information from multiple data sources and analyzes this information in order to detect relationships between raw events that may indicate malicious behavior and to provide an organized presentation of information to consoles without slowing down the processing performed by the data sources. The multiple data sources can comprise sensors or detectors that monitor network traffic or individual computers or both. The sensors can comprise devices that may be used in intrusion detection systems (IDS). The data sources can also comprise firewalls, audit systems, and other like security or IDS devices that monitor data traffic in real-time. The present invention can identify relationships between one or more real-time, raw computer events as they are received in real-time. The fusion engine can also assess and rank the risk of real-time raw events as well as mature correlation events.

452 citations

Patent
28 Aug 2001
TL;DR: An analytical virtual machine (AVM) as discussed by the authors analyzes computer code using a software processor including a register that stores behavior flags indicative of behaviors identified by virtually executing the code within the virtual machine.
Abstract: An analytical virtual machine (AVM) analyzes computer code using a software processor including a register that stores behavior flags indicative of behaviors identified by virtually executing the code within the virtual machine. The AVM includes a sequencer that stores the sequence in which behavior flags are set in the behavior flags register. The AVM analyzes machine performance by emulating execution of the code being analyzed on a fully virtual machine and records the observed behavior. When emulation and analysis are complete, the AVM returns the behavior flags register and sequencer to the real machine and terminates.

298 citations

Proceedings Article
14 Mar 2004
TL;DR: A two-tier architecture is introduced: the first tier is an unsupervised clustering algorithm which reduces the network packets payload to a tractable size and the second tier is a traditional anomaly detection algorithm, whose efficiency is improved by the availability of data on the packet payload content.
Abstract: With the continuous evolution of the types of attacks against computer networks, traditional intrusion detection systems, based on pattern matching and static signatures, are increasingly limited by their need of an up-to-date and comprehensive knowledge base. Data mining techniques have been successfully applied in host-based intrusion detection. Applying data mining techniques on raw network data, however, is made difficult by the sheer size of the input; this is usually avoided by discarding the network packet contents. In this paper, we introduce a two-tier architecture to overcome this problem: the first tier is an unsupervised clustering algorithm which reduces the network packets payload to a tractable size. The second tier is a traditional anomaly detection algorithm, whose efficiency is improved by the availability of data on the packet payload content.

295 citations


Cites background from "Intrusion detection systems and mul..."

  • ...It is important to note that, since failures and strengths of such approaches are symmetric, some systems try to integrate different approaches [26], but there are difficult and intriguing problems of metrics, fusion and normalization when working on data coming from different sources, somehow tied to the “multisensor data fusion” problems already under consideration in the field of robotics [2]....


References
Journal Article
TL;DR: A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described, based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage.
Abstract: A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described. The model is based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage. The model includes profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistical models, and rules for acquiring knowledge about this behavior from audit records and for detecting anomalous behavior. The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion-detection expert system.

3,369 citations


"Intrusion detection systems and mul..." refers background in this paper

  • ...One of the first challenges is to extend the groundwork introduced by Denning in [3] to develop a structured metalanguage for generic ID–network management objects....


  • ...Technical writers on ID systems often cite Denning’s 1987 seminal ID model [3] built on host-based subject profiles, systems objects, audit logs, anomaly records, and activity rules....


  • ...ID systems that examine operating system audit trails, or network traffic [3, 8] and other similar detection systems, have not matured to a level where sophisticated attacks are reliably detected, verified, and assessed....


Book
05 Dec 1996
TL;DR: This book discusses distributed detection systems, Bayesian Detection Theory, Information Theory and Distributed Hypothesis Testing, and the role of data compression in the development of knowledge representation.
Abstract: 1 Introduction.- 1.1 Distributed Detection Systems.- 1.2 Outline of the Book.- 2 Elements of Detection Theory.- 2.1 Introduction.- 2.2 Bayesian Detection Theory.- 2.3 Minimax Detection.- 2.4 Neyman-Pearson Test.- 2.5 Sequential Detection.- 2.6 Constant False Alarm Rate (CFAR) Detection.- 2.7 Locally Optimum Detection.- 3 Distributed Bayesian Detection: Parallel Fusion Network.- 3.1 Introduction.- 3.2 Distributed Detection Without Fusion.- 3.3 Design of Fusion Rules.- 3.4 Detection with Parallel Fusion Network.- 4 Distributed Bayesian Detection: Other Network Topologies.- 4.1 Introduction.- 4.2 The Serial Network.- 4.3 Tree Networks.- 4.4 Detection Networks with Feedback.- 4.5 Generalized Formulation for Detection Networks.- 5 Distributed Detection with False Alarm Rate Constraints.- 5.1 Introduction.- 5.2 Distributed Neyman-Pearson Detection.- 5.3 Distributed CFAR Detection.- 5.4 Distributed Detection of Weak Signals.- 6 Distributed Sequential Detection.- 6.1 Introduction.- 6.2 Sequential Test Performed at the Sensors.- 6.3 Sequential Test Performed at the Fusion Center.- 7 Information Theory and Distributed Hypothesis Testing.- 7.1 Introduction.- 7.2 Distributed Detection Based on Information Theoretic Criterion.- 7.3 Multiterminal Detection with Data Compression.- Selected Bibliography.

1,785 citations

Book
01 Feb 1992
TL;DR: This invaluable reference shows how to implement a data fusion system, describes the process for algorithm selection, functional architectures and requirements for ancillary software, and illustrates man-machine interface requirements and database issues.
Abstract: From the Publisher: This invaluable reference offers the most comprehensive introduction available to the concepts of multisensor data fusion. It introduces key algorithms, provides advice on their utilization, and raises issues associated with their implementation. With a diverse set of mathematical and heuristic techniques for combining data from multiple sources, the book shows how to implement a data fusion system, describes the process for algorithm selection, functional architectures and requirements for ancillary software, and illustrates man-machine interface requirements and database issues.

1,443 citations


"Intrusion detection systems and mul..." refers background or methods in this paper

  • ...Also required for cyber ID systems are complex error analysis algorithms and stochastic models for noise and false alarm estimation [5]....


  • ...Hall [5] discusses mathematical techniques for multisensor data fusion....


  • ...Data fusion has also emerged in commercial applications such as robotics, manufacturing, medical diagnosis, and remote sensing [5]....


  • ...The application of data fusion in technical systems requires mathematical and heuristic techniques from fields such as statistics, AI, operations research, digital signal processing, pattern recognition, cognitive psychology, information theory, and decision theory [5]....


Journal Article
TL;DR: In this paper, a survey of host-based and network-based intrusion detection systems is presented, and the characteristics of the corresponding systems are identified, and an outline of a statistical anomaly detection algorithm employed in a typical IDS is also included.
Abstract: Intrusion detection is a new, retrofit approach for providing a sense of security in existing computers and data networks, while allowing them to operate in their current "open" mode. The goal of intrusion detection is to identify unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators. The intrusion detection problem is becoming a challenging task due to the proliferation of heterogeneous computer networks since the increased connectivity of computer systems gives greater access to outsiders and makes it easier for intruders to avoid identification. Intrusion detection systems (IDSs) are based on the beliefs that an intruder's behavior will be noticeably different from that of a legitimate user and that many unauthorized actions are detectable. Typically, IDSs employ statistical anomaly and rule-based misuse models in order to detect intrusions. A number of prototype IDSs have been developed at several institutions, and some of them have also been deployed on an experimental basis in operational systems. In the present paper, several host-based and network-based IDSs are surveyed, and the characteristics of the corresponding systems are identified. The host-based systems employ the host operating system's audit trails as the main source of input to detect intrusive activity, while most of the network-based IDSs build their detection mechanism on monitored network traffic, and some employ host audit trails as well. An outline of a statistical anomaly detection algorithm employed in a typical IDS is also included.

962 citations

Book
19 Aug 1990
TL;DR: This new edition is now in two volumes and contains nine new chapters and focuses on the most recent developments in the fusion of data in a variety of applications from military to automotive to medical.
Abstract: Expanding the scope of the bestselling first edition, this new edition is now in two volumes. It contains nine new chapters and focuses on the most recent developments in the fusion of data in a variety of applications from military to automotive to medical. It provides information on mathematical techniques and computer methods employed to perform fusion. The set includes new material on target tracking and identification, situation refinement, consequence prediction, resource allocation and refinement, and human computer interaction and cognitive support. It provides new material on engineering issues such as fusion in distributed network systems, information security, and issues with service-oriented architectures.

961 citations