
Host-based intrusion detection system

About: Host-based intrusion detection system is a research topic. Over the lifetime, 2377 publications have been published within this topic receiving 61722 citations.


Papers
Proceedings Article
12 Nov 1999
TL;DR: Snort provides a layer of defense which monitors network traffic for predefined suspicious activity or patterns, and alerts system administrators when potential hostile traffic is detected.
Abstract: Network intrusion detection systems (NIDS) are an important part of any network security architecture. They provide a layer of defense which monitors network traffic for predefined suspicious activity or patterns, and alerts system administrators when potential hostile traffic is detected. Commercial NIDS have many differences, but Information Systems departments must face the commonalities that they share such as significant system footprint, complex deployment and high monetary cost. Snort was designed to address these issues.

3,490 citations

Journal ArticleDOI
TL;DR: A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described, based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage.
Abstract: A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described. The model is based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage. The model includes profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistical models, and rules for acquiring knowledge about this behavior from audit records and for detecting anomalous behavior. The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion-detection expert system.

3,369 citations

Proceedings Article
01 Jan 2003
TL;DR: This paper presents an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance, achieved through the use of a virtual machine monitor.
Abstract: Today’s architectures for intrusion detection force the IDS designer to make a difficult choice. If the IDS resides on the host, it has an excellent view of what is happening in that host’s software, but is highly susceptible to attack. On the other hand, if the IDS resides in the network, it is more resistant to attack, but has a poor view of what is happening inside the host, making it more susceptible to evasion. In this paper we present an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance. We achieve this through the use of a virtual machine monitor. Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host’s state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.

1,629 citations

Proceedings ArticleDOI
01 Aug 2000
TL;DR: This paper examines the vulnerabilities of a wireless ad-hoc network, the reason why intrusion detection is needed, and the reasons why the current methods cannot be applied directly, and describes the new intrusion detection and response mechanisms that are being developed for wireless ad-hoc networks.
Abstract: As the recent denial-of-service attacks on several major Internet sites have shown us, no open computer network is immune from intrusions. The wireless ad-hoc network is particularly vulnerable due to its features of open medium, dynamic changing topology, cooperative algorithms, lack of centralized monitoring and management point, and lack of a clear line of defense. Many of the intrusion detection techniques developed on a fixed wired network are not applicable in this new environment. How to do it differently and effectively is a challenging research problem. In this paper, we first examine the vulnerabilities of a wireless ad-hoc network, the reason why we need intrusion detection, and the reason why the current methods cannot be applied directly. We then describe the new intrusion detection and response mechanisms that we are developing for wireless ad-hoc networks.

1,126 citations

01 Jan 1998
TL;DR: Three classes of attacks which exploit fundamental problems with the reliability of passive protocol analysis are defined--insertion, evasion and denial of service attacks--and how to apply these three types of attacks to IP and TCP protocol analysis is described.
Abstract: All currently available network intrusion detection (ID) systems rely upon a mechanism of data collection--passive protocol analysis--which is fundamentally flawed. In passive protocol analysis, the intrusion detection system (IDS) unobtrusively watches all traffic on the network, and scrutinizes it for patterns of suspicious activity. We outline in this paper two basic problems with the reliability of passive protocol analysis: (1) there isn't enough information on the wire on which to base conclusions about what is actually happening on networked machines, and (2) the fact that the system is passive makes it inherently "fail-open," meaning that a compromise in the availability of the IDS doesn't compromise the availability of the network. We define three classes of attacks which exploit these fundamental problems--insertion, evasion and denial of service attacks--and describe how to apply these three types of attacks to IP and TCP protocol analysis. We present the results of tests of the efficacy of our attacks against four of the most popular network intrusion detection systems on the market. All of the ID systems tested were found to be vulnerable to each of our attacks. This indicates that network ID systems cannot be fully trusted until they are fundamentally redesigned.

988 citations


Network Information
Related Topics (5)
Server
79.5K papers, 1.4M citations
82% related
Wireless sensor network
142K papers, 2.4M citations
82% related
Key distribution in wireless sensor networks
59.2K papers, 1.2M citations
81% related
Encryption
98.3K papers, 1.4M citations
81% related
Wireless ad hoc network
49K papers, 1.1M citations
81% related
Performance
Metrics
No. of papers in the topic in previous years
Year   Papers
2023   7
2022   12
2021   7
2020   9
2019   9
2018   14