Showing papers on "Host-based intrusion detection system" published in 2000


Proceedings ArticleDOI
01 Aug 2000
TL;DR: This paper examines the vulnerabilities of a wireless ad-hoc network, the reason why intrusion detection is needed, and the reasons why the current methods cannot be applied directly, and describes the new intrusion detection and response mechanisms that are being developed for wireless ad-hoc networks.
Abstract: As the recent denial-of-service attacks on several major Internet sites have shown us, no open computer network is immune from intrusions. The wireless ad-hoc network is particularly vulnerable due to its features of open medium, dynamic changing topology, cooperative algorithms, lack of centralized monitoring and management point, and lack of a clear line of defense. Many of the intrusion detection techniques developed on a fixed wired network are not applicable in this new environment. How to do it differently and effectively is a challenging research problem. In this paper, we first examine the vulnerabilities of a wireless ad-hoc network, the reason why we need intrusion detection, and the reason why the current methods cannot be applied directly. We then describe the new intrusion detection and response mechanisms that we are developing for wireless ad-hoc networks.

1,126 citations


Journal ArticleDOI
01 Oct 2000
TL;DR: This report describes new and known approaches and strategies that were used to make attacks stealthy for the 1999 DARPA Intrusion Detection Evaluation, and includes many examples of stealthy scripts that can be used to implement stealthy procedures.
Abstract: Eight sites participated in the second Defense Advanced Research Projects Agency (DARPA) off-line intrusion detection evaluation in 1999. A test bed generated live background traffic similar to that on a government site containing hundreds of users on thousands of hosts. More than 200 instances of 58 attack types were launched against victim UNIX and Windows NT hosts in three weeks of training data and two weeks of test data. False-alarm rates were low (less than 10 per day). The best detection was provided by network-based systems for old probe and old denial-of-service (DoS) attacks and by host-based systems for Solaris user-to-root (U2R) attacks. The best overall performance would have been provided by a combined system that used both host- and network-based intrusion detection. Detection accuracy was poor for previously unseen, new, stealthy and Windows NT attacks. Ten of the 58 attack types were completely missed by all systems. Systems missed attacks because signatures for old attacks did not generalize to new attacks, auditing was not available on all hosts, and protocols and TCP services were not analyzed at all or to the depth required. Promising capabilities were demonstrated by host-based systems, anomaly detection systems and a system that performs forensic analysis on file system data.

893 citations


Journal ArticleDOI
01 Oct 2000
TL;DR: The AAFID architecture and the existing prototype, as well as some design and implementation experiences and future research issues are described, which constitute a useful framework for the research and testing of intrusion detection algorithms and mechanisms.
Abstract: AAFID is a distributed intrusion detection architecture and system, developed in CERIAS at Purdue University. AAFID was the first architecture that proposed the use of autonomous agents for doing intrusion detection. With its prototype implementation, it constitutes a useful framework for the research and testing of intrusion detection algorithms and mechanisms. We describe the AAFID architecture and the existing prototype, as well as some design and implementation experiences and future research issues. © 2000 Elsevier Science B.V. All rights reserved.

388 citations


Proceedings ArticleDOI
25 Jan 2000
TL;DR: An overview of the intruder detection and isolation protocol (IDIP) architecture and how it supports the need for an intrusion detection and response infrastructure is provided.
Abstract: Automated response to intrusions has become a major issue in defending critical systems. Because the adversary can take actions at computer speeds, systems need the capability to react without human intervention. An infrastructure that supports development of automated response systems is critically needed. This infrastructure must allow easy integration of detection and response components to enable experimentation with automated response strategies. This paper provides an overview of the intruder detection and isolation protocol (IDIP) architecture and how it supports the need for an intrusion detection and response infrastructure.

168 citations


Proceedings Article
01 Jan 2000
TL;DR: This work explores an alternative approach that uses mechanisms provided by most variants of the UNIX operating system to implement system call interposition at user level, where the system calls made by one process are monitored by another process.
Abstract: Several new approaches for detecting malicious attacks on computer systems and/or confining untrusted or malicious applications have emerged over the past several years. These techniques often rely on the fact that when a system is attacked from a remote location over a network, damage can ultimately be inflicted only via system calls made by processes running on the target system. This factor has led to a surge of interest in developing infrastructures that enable secure interception and modification of system calls made by processes running on the target system. Most known approaches for solving this problem have relied on an in-kernel approach, where the interception mechanisms as well as the intrusion detection/confinement systems are implemented within the operating system kernel. We explore an alternative approach that uses mechanisms provided by most variants of the UNIX operating system to implement system call interposition at user level, where the system calls made by one process are monitored by another process. Some of the key problems that need to be solved in developing such an approach are: providing an adequate set of capabilities in the infrastructure, portability of the security enhancements and the infrastructure itself across different operating systems, and minimizing performance overheads associated with interception for a wide range of applications. We present a solution that satisfactorily addresses these issues, and can thus lead to a platform for rapid development and deployment of robust intrusion detectors, confinement systems and other application-specific security en-

129 citations


Proceedings ArticleDOI
01 Jan 2000
TL;DR: A suite of intrusion detection tools developed by the Reliable Software Group at the University of California at Santa Barbara using the state transition analysis technique, which supports software reuse, portability and extendibility, and it allows for the optimization of critical functionalities.
Abstract: Describes a suite of intrusion detection tools developed by the Reliable Software Group at the University of California at Santa Barbara (UCSB). The tool suite is based on the state transition analysis technique (STAT), in which computer penetrations are specified as sequences of actions that cause transitions in the security state of a system. This general approach has been extended and tailored to perform intrusion detection in different domains and environments. The most recent STAT-based intrusion detection systems were developed following a framework-based approach, and the resulting design uses a "core" module that embodies the domain-independent characteristics of the STAT approach. This generic core is extended in a well-defined way to implement intrusion detection systems for different domains and environments. The approach supports software reuse, portability and extendibility, and it allows for the optimization of critical functionalities.

110 citations


DOI
01 Jan 2000
TL;DR: The adaptive model generation system is presented, a method for automatically building detection models for data-mining based intrusion detection systems using the same data collected by intrusion detection sensors, which significantly reduces the deployment cost of an intrusion detection system.
Abstract: In this paper, we present adaptive model generation, a method for automatically building detection models for data-mining based intrusion detection systems. Using the same data collected by intrusion detection sensors, adaptive model generation builds detection models on the fly. This significantly reduces the deployment cost of an intrusion detection system because it does not require building a training set. We present a real time system architecture and efficient implementation of automatic model generation. The system uses a model building algorithm that builds anomaly detection models over noisy data. We evaluate the system using the DARPA Intrusion Detection Evaluation data and show an increase in detection performance as more data is collected by the sensors.

72 citations


Patent
15 May 2000
TL;DR: In this article, the presence or absence of the correct variable identifier is sensed during an attempt to access the communications device for granting or denying access to the communication device, and a new variable identifier was periodically provided to the communications devices and to authorized entities and to the user address book and assigned with the permanent identifier.
Abstract: A method, system and computer readable medium for protecting a communications device connected to a communications system against an unauthorized intrusion, including providing a variable identifier to the communications device and entities authorized access thereto. The variable identifier is provided to a user address book and assigned with a permanent identifier and the permanent identifier, but not the variable identifier, is available to a user. The presence or absence of the correct variable identifier is sensed during an attempt to access the communications device for granting or denying access to the communications device. A new variable identifier is periodically provided to the communications device and to the authorized entities and to the user address book and assigned with the permanent identifier, wherein the permanent identifier, but not the new variable identifier, is available to the user.

72 citations


Book ChapterDOI
22 Aug 2000
TL;DR: This paper proposes the architecture of a Coordinated Attack Response and Detection System (CARDS), a signature-based model for resolving issues in intrusion detection that consists of signature managers, monitors, and directory services.
Abstract: A major research problem in intrusion detection is the efficient detection of coordinated attacks over large networks. Issues to be resolved include determining what data should be collected, which portion of the data should be analyzed, where the analysis of the data should take place, and how to correlate multi-source information. This paper proposes the architecture of a Coordinated Attack Response and Detection System (CARDS). CARDS uses a signature-based model for resolving these issues. It consists of signature managers, monitors, and directory services. The system collects data in a flexible, distributed manner, and the detection process is decentralized among various monitors and is event-driven. The paper also discusses related implementation issues.

61 citations


01 Jan 2000
TL;DR: It is claimed that it is best for an intrusion detection system to be able to collect its data by looking directly at the operations of the host, instead of indirectly through audit trails or network packets.
Abstract: Drawing from the experience obtained during the development and testing of a distributed intrusion detection system, we reflect on the data collection needs of intrusion detection systems, and on the limitations that are faced when using the data collection mechanisms built into most operating systems. We claim that it is best for an intrusion detection system to be able to collect its data by looking directly at the operations of the host, instead of indirectly through audit trails or network packets. Furthermore, for collecting data in an efficient, reliable and complete fashion, incorporation of monitoring mechanisms in the source code of the operating system and its applications is needed.

45 citations


Dissertation
01 Jun 2000
TL;DR: The 1999 DARPA Off-Line Intrusion Detection Evaluation provided a standard corpus for evaluating intrusion detection systems and introduced more stealthy attacks, insider attacks, and attacks against the Windows NT operating system.
Abstract: The 1999 DARPA Off-Line Intrusion Detection Evaluation provided a standard corpus for evaluating intrusion detection systems. It improved on the 1998 evaluation by providing training data containing no attacks to train anomaly detection systems, scoring systems on attack identification in addition to attack detection, simplifying scoring and verification procedures, providing a written security policy, and performing more detailed analysis of missed detections and false alarms. It also introduced more stealthy attacks, insider attacks, and attacks against the Windows NT operating system. The focus of this thesis is the integration of Windows NT systems, background traffic, and attacks into the 1999 evaluation. Three Windows NT systems were added to the original test bed network: a victim machine, an outside attacker machine, and an insider attacker machine. The victim machine is a server with 92 user accounts, telnet, FTP, email, and web services, and security auditing. UNIX scripts from the 1998 evaluation were modified to create Windows NT background traffic. In addition, web traffic originating from the server was automated by developing a Javascript program called AutoBrowser. A realistic and relatively comprehensive set of 12 Windows NT attacks was developed for the 1999 evaluation. The set includes denial-of-service attacks, remote-to-local attacks, user-to-root attacks, probe attacks, insider attacks, console-based attacks, a man-in-the-middle attack, and an attack using macro code in a Microsoft application. Signatures in network traffic and Windows NT host data were analyzed for each attack. A PERL program called NTAD (ntaudit-detect.pl) was developed to evaluate the detectability of the Windows NT attacks in audit log data. NTAD successfully used the attack signatures to detect attack instances in Windows NT audit logs collected during the evaluation.

Journal ArticleDOI
01 Oct 2000
TL;DR: This work presents an IDS architecture that is resistant to denial-of-service (DOS) attacks, and frustrates attackers by making IDS components invisible to attackers’ normal means of “seeing” in a network.
Abstract: As the capabilities of intrusion detection systems (IDSs) advance, attackers may disable organizations’ IDSs before attempting to penetrate more valuable targets. To counter this threat, we present an IDS architecture that is resistant to denial-of-service (DOS) attacks. The architecture frustrates attackers by making IDS components invisible to attackers’ normal means of “seeing” in a network. Upon a successful attack, the architecture allows IDS components to relocate from attacked hosts to operational hosts thereby mitigating the attack. These capabilities are obtained by using mobile agent technology, utilizing network topology features, and by restricting the communication allowed between different types of IDS components.

Journal ArticleDOI
01 Oct 2000
TL;DR: IDIAN extensions to the common intrusion specification language, the negotiation protocol itself, a load model used to measure computing load on a system due to the use of ID services, and a demonstration of the protocol are described.
Abstract: The intrusion detection inter-component adaptive negotiation (IDIAN) project has developed a negotiation protocol to allow a distributed collection of heterogeneous intrusion detection (ID) components to inter-operate and reach agreement on each other's ID information processing capabilities and needs. The negotiation, moreover, is dynamic, so the information generated and processed can evolve as the intrusion detection system (IDS) evolves and as the environment changes. This paper describes IDIAN extensions to the common intrusion specification language (viz., GIDO filters), the negotiation protocol itself, a load model used to measure computing load on a system due to the use of ID services, and a demonstration of the protocol.

Patent
Arturo Maria
30 May 2000
TL;DR: In this article, the authors present a floating intrusion detection system that can use any computer on the network as an intrusion detection platform, where a software agent program called a "socket" is installed on each computer that is to be available to be an IDS.
Abstract: The present invention is a “floating” intrusion detection system that can use any computer on the network as an intrusion detection platform. A software agent program called a “socket” is installed on each computer that is to be available to be an intrusion detection platform. A central server contains intrusion detection software as well as a database containing knowledge based rules and profiles for detecting intrusions. The central server can contact any computer that has a socket installed and direct that computer to become an intrusion detection platform. The selected computer then downloads, installs, and runs the intrusion detection software thus becoming an intrusion detection platform. Once the need has passed the central server can direct some of the platforms to stop running the software and return to their normal state.

Proceedings ArticleDOI
25 Jan 2000
TL;DR: This research indicates that in order for RECON to satisfy the stated requirements, it would need a standard message format and protocol; an analytical engine such as a rule-base; a flexible and extensible architecture; a graphical user interface that provides a unified view of various levels of information; a language to capture 'enterprise' rules.
Abstract: Recent discussions on the state of Intrusion Detection Systems and Network Security Tools have prompted the notion that what is needed is a solution that can fuse data from heterogeneous distributed network and host sensors; supports sophisticated analysis models and automated responses; provides the user with the appropriate 'situational awareness' so that efforts can be focussed on the right problems; is "enterprise-aware". This paper presents some key concepts for such a solution by describing a tool, code named RECON, which is a result of extensive research and prototyping performed on an adaptive network security management framework funded by DARPA. This research indicates that in order for RECON to satisfy the stated requirements, it would need a standard message format and protocol; an analytical engine such as a rule-base; a flexible and extensible architecture; a graphical user interface that provides a unified view of various levels of information; a language to capture 'enterprise' rules.

Journal ArticleDOI
TL;DR: The paper explores the use of the formal approach in the Common Intrusion Detection Framework (CIDF), extending CIDF components to include a query facility and proposes a formal framework modeling requests among the cooperating IDSs.

ReportDOI
01 Jan 2000
TL;DR: This paper appeared in the Proceedings of the 2000 Command and Control Research and Technology Symposium (CCRTS), Monterey, CA, June 11-13, 2000, and won the award for “Best Paper”.
Abstract: This paper appeared in the Proceedings of the 2000 Command and Control Research and Technology Symposium (CCRTS), Monterey, CA, June 11-13, 2000, and won the award for “Best Paper”.

01 Jan 2000
TL;DR: This paper presents an examination of intrusion detection schemes as modeled on the human immune system, and looks at some of the implications raised by intrusion detection research for information security in general.
Abstract: This paper presents an examination of intrusion detection schemes. It discusses traditional views of intrusion detection, and examines the more novel, but perhaps more effective, approach to intrusion detection as modeled on the human immune system. The discussion looks at some of the implications raised by intrusion detection research for information security in general.

Proceedings ArticleDOI
06 Sep 2000
TL;DR: This work presents an architecture of a hybrid intrusion detection system based on real-time user recognition that combines anomaly and misuse intrusion detection in a hybrid system that tries to take advantage of the best practices of both misuse and anomaly detection approaches.
Abstract: The fast expansion of inexpensive computer networks has increased the problem of unauthorized access and tampering with data. As a response to increased threats many intrusion detection systems (IDSs) have been developed to serve as a last line of defense in the overall protection scheme of a computer system. We present an architecture of a hybrid intrusion detection system based on real-time user recognition. The user recognition that deploys online learning exposes different kinds of misuse attempts that become apparent as anomalous activities in the system. We present the architecture of our system that combines anomaly and misuse intrusion detection in a hybrid system that tries to take advantage of the best practices of both misuse and anomaly detection approaches.

01 Jan 2000
TL;DR: Ntop was originally designed as an open source, web-based traffic measurement and monitoring application, easy to deploy by network administrators, and was extended by adding an embedded NIDS (Network Intrusion Detection System).
Abstract: Ntop has been originally designed as an open source, web-based traffic measurement and monitoring application, easy to deploy by network administrators. As ntop has been used for analysing traffic patterns, some users requested some facilities for classifying traffic hence recognising specific attacks. In order to address these requests, the authors decided to extend ntop adding an embedded NIDS (Network Intrusion Detection System). What makes ntop NIDS unique from other available NIDS is its knowledge of the monitored network. While capturing packets, ntop learns network topology and hosts relationships (i.e. routers, DNS, networks) and stores this information in a network knowledge database. This knowledge is dynamic and not specified at ntop start-up by means of configuration files. For instance, if host X successfully routes packets for host Y, then ntop assumes that X is a router for host Y. Similarly, if host K sends packets with different source IP addresses and a single MAC (Media Access Control) address, then K has enabled multihoming support. Ntop knowledge database is updated as new packets are captured and is not static whatsoever.

DissertationDOI
01 Jan 2000
TL;DR: The prototype intrusion detection system, MAIDS, demonstrates the benefits of an agent-based IDS, including distributing the computational effort, reducing the amount of information sent over the network, platform independence, asynchronous operation, and modularity offering ease of updates.
Abstract: Intelligent mobile agent systems offer a new approach to implementing intrusion detection systems (IDS). The prototype intrusion detection system, MAIDS, demonstrates the benefits of an agent-based IDS, including distributing the computational effort, reducing the amount of information sent over the network, platform independence, asynchronous operation, and modularity offering ease of updates. Anomaly detection agents use machine learning techniques to detect intrusions; one such agent processes streams of system calls from privileged processes. Misuse detection agents match known problems and correlate events to detect intrusions. Agents report intrusions to other agents and to the system administrator through the graphical user interface (GUI). A sound basis has been created for the intrusion detection system. Intrusions have been modeled using the Software Fault Tree Analysis (SFTA) technique; when augmented with constraint nodes describing trust, contextual, and temporal relationships, the SFTA forms a basis for stating the requirements of the intrusion detection system. Colored Petri Nets (CPN) have been created to model the design of the Intrusion Detection System. Algorithmic transformations are used to create CPN templates from augmented SFT and to create implementation templates from CPNs. The implementation maintains the CPN semantics in the distributed agent-based intrusion detection system.

Proceedings ArticleDOI
23 Sep 2000
TL;DR: This paper focuses on a technique called fragmentation-redundancy-scattering and investigates as to how agents can be used with this technique to make a system more intrusion tolerant.
Abstract: In this paper we concentrate on one aspect of information system security, namely that of intrusion tolerance. An intrusion tolerant system is one that continues to function correctly and provide the intended user services in a timely manner even in the face of an information attack. In this paper we concentrate on a technique called fragmentation-redundancy-scattering and investigate as to how agents can be used with this technique to make a system more intrusion tolerant. An algorithm to perform fragmentation and scattering of the file(s) in an optimal manner is also given.

01 Jan 2000
TL;DR: This document proposes work that will attempt to show that it is possible to perform intrusion detection using small sensors embedded in a computer system, and explores the possibility of applying a group of sensors built to detect known intrusions, to detecting new intrusions.
Abstract: Intrusion detection systems have usually been developed using large host-based components. These components impose an extra load on the system where they run (sometimes even requiring a dedicated system) and are subject to tampering or disabling by an intruder. Additionally, intrusion detection systems have usually obtained information about host behavior through indirect means, such as audit trails or network packet traces. This potentially allows intruders to modify the information before the intrusion detection system obtains it, making it possible for an intruder to hide his activities. In this document I propose work that will attempt to show that it is possible to perform intrusion detection using small sensors embedded in a computer system. These sensors will look for signs of specific intrusions. They will perform target monitoring by observing the behavior of the system directly, instead of through an audit trail or other indirect means. Furthermore, by being built into the code of the operating system and its programs, they may not impose a considerable extra load on the host they monitor. I will also explore the possibility of applying a group of sensors built to detect known intrusions, to detecting new intrusions. If this is shown to be possible, it would be a step towards determining the types of data that need to be collected to successfully detect new intrusions. The work I propose is divided in four stages: a) building the necessary infrastructure for the implementation of the sensors, b) implementing sensors for detecting known intrusions, c) testing new attacks against the group of implemented sensors, and d) performing analysis on the data obtained in step (c) to determine if the existing sensors can be used to detect new attacks.

01 Jan 2000
TL;DR: This thesis work presents the algorithms to support the tracing of multiple attacks launched from different locations, even across several administrative domains and could serve as the basis for future research on different tracing strategies for different types of attacks in large-scale networks.
Abstract: This thesis work consists of two distinct parts: a study of real-time intrusion detection on network link-state routing protocol attacks (Part I), and a study of source identification for spoofed IP packets (Part II). These two parts could be united into a common framework consisting of an intrusion detection system and an intrusion response system. However, in many ways they are distinct and self-contained. In Part I, a real-time knowledge-based network intrusion detection model for a link-state routing protocol is presented to detect different attacks for the OSPF protocol. This model includes three layers: a data process layer to parse packets and dispatch data, an event abstractor to abstract predefined real-time events for the link-state routing protocol, and an extended timed finite state machine (FSM) to express the real-time behavior of the protocol engine and to detect the intrusions by pattern matching. The timed FSM named JiNao Finite State Machine (JFSM) is extended from the conventional FSM with timed states, multiple timers, and time constraints on state transitions. The JFSM is implemented as a generator which can create any FSM according to a description in a configuration file. The results show that this approach is very effective for real-time intrusion detection. This approach can be extended for use in other network protocol intrusion detection systems, especially for those with known attacks. In Part II, a security management framework, the Decentralized Source Identification System (DECIDUOUS), is presented to identify the “true” sources of network-based intrusions. The premise of this approach is that if an attack packet has been correctly authenticated by a certain router, the attack packet must have been transmitted through that router. It utilizes IPSec security associations to dynamically deploy secure authentication tunnels in order to further trace down the possible attackers' locations. 
We present the algorithms to support the tracing of multiple attacks launched from different locations, even across several administrative domains. Our results show that the DECIDUOUS system is reasonably efficient, flexible and robust. Our approach could serve as the basis for future research on different tracing strategies for different types of attacks in large-scale networks.

Proceedings ArticleDOI
22 Oct 2000
TL;DR: This paper proposes a system architecture to enhance the attack tolerance of IDS and suggests that an intrusion detection system (IDS) must be fault tolerant; otherwise, the intruder may first subvert the IDS then attack the target system at will.
Abstract: Many approaches have been proposed for intrusion detection. This paper suggests that an intrusion detection system (IDS) must be fault tolerant; otherwise, the intruder may first subvert the IDS then attack the target system at will. This paper proposes a system architecture to enhance the attack tolerance of IDS.


01 Oct 2000
TL;DR: The practices are designed to help network and system administrators prepare for and detect intrusions by looking for unexpected or suspicious behavior and then recognizing "fingerprints" of known intrusion methods.
Abstract: This security improvement module, Detecting Signs of Intrusion, describes practices involved in preparing to detect and detecting intrusions into networked computer systems. The practices are designed to help network and system administrators prepare for and detect intrusions by looking for unexpected or suspicious behavior and then recognizing "fingerprints" of known intrusion methods.


Proceedings ArticleDOI
F. Anjum
17 Dec 2000
TL;DR: This paper focuses on a technique called fragmentation-redundancy-scattering and investigates how this technique can be used in a mobile environment, and provides different schemes towards ensuring intrusion tolerance in a mobile system.
Abstract: In this paper, we concentrate on one aspect of information system security, namely that of intrusion tolerance. An intrusion tolerant system is one that continues to function correctly and provide the intended user services in a timely manner even in the face of an information attack. In this paper we concentrate on a technique called fragmentation-redundancy-scattering and investigate how this technique can be used in a mobile environment. We also provide different schemes towards ensuring intrusion tolerance in a mobile system.

01 Jan 2000
TL;DR: A new model of Intrusion Detection System is brought up, and an implementation of its prototype system is also presented.
Abstract: Intrusion Detection is a newly developed area of network security. The main issue in this area is how to pick up and analyze the information which contains abnormal network behavior characteristics. In this paper, basing on the research of the Common Intrusion Detection Framework and the implementation strategy of Intrusion Detection Systems, a new model of Intrusion Detection System is brought up, and an implementation of its prototype system is also presented.