
Showing papers on "Host-based intrusion detection system" published in 2002


Journal ArticleDOI
TL;DR: This paper presents the details of the STATL syntax and its semantics, together with real examples from both the host-based and network-based extensions of the language.
Abstract: STATL is an extensible state/transition-based attack description language designed to support intrusion detection. The language allows one to describe computer penetrations as sequences of actions that an attacker performs to compromise a computer system. A STATL description of an attack scenario can be used by an intrusion detection system to analyze a stream of events and detect possible ongoing intrusions. Since intrusion detection is performed in different domains (i.e., the network or the hosts) and in different operating environments (e.g., Linux, Solaris, or Windows NT), it is useful to have an extensible language that can be easily tailored to different target environments. STATL defines domain-independent features of attack scenarios and provides constructs for extending the language to describe attacks in particular domains and environments. The STATL language has been successfully used in describing both network-based and host-based attacks, and it has been tailored to very different environments, e.g., Sun Microsystems' Solaris and Microsoft's Windows NT. An implementation of the runtime support for the STATL language has been developed and a toolset of intrusion detection systems based on STATL has been implemented. The toolset was used in a recent intrusion detection evaluation effort, delivering very favorable results. This paper presents the details of the STATL syntax and its semantics. Real examples from both the host and network-based extensions of the language are also presented.

398 citations


Journal ArticleDOI
TL;DR: A self-adaptive distributed agent-based defense immune system based on biological strategies is developed within a hierarchical layered architecture and the results validate the use of a distributed-agent biological system approach toward the computer security problems of virus elimination and ID.
Abstract: With increased global interconnectivity and reliance on e-commerce, network services and Internet communication, computer security has become a necessity. Organizations must protect their systems from intrusion and computer virus attacks. Such protection must detect anomalous patterns by exploiting known signatures while monitoring normal computer programs and network usage for abnormalities. Current anti-virus and network intrusion detection (ID) solutions can become overwhelmed by the burden of capturing and classifying new viral strains and intrusion patterns. To overcome this problem, a self-adaptive distributed agent-based defense immune system based on biological strategies is developed within a hierarchical layered architecture. A prototype interactive system is designed, implemented in Java and tested. The results validate the use of a distributed-agent biological system approach toward the computer security problems of virus elimination and ID.

383 citations


Proceedings ArticleDOI
11 Mar 2002
TL;DR: This work presents an approach that utilizes application-specific knowledge of the network services that should be protected and helps to extend current, simple network traffic models to form an application model that allows the detection of malicious content hidden in single network packets.
Abstract: The constant increase of attacks against networks and their resources (as recently shown by the CodeRed worm) causes a necessity to protect these valuable assets. Firewalls are now a common installation to repel intrusion attempts in the first place. Intrusion detection systems (IDS), which try to detect malicious activities instead of preventing them, offer additional protection when the first defense perimeter has been penetrated. ID systems attempt to pin down attacks by comparing collected data to predefined signatures known to be malicious (signature based) or to a model of legal behavior (anomaly based). Anomaly based systems have the advantage of being able to detect previously unknown attacks, but they suffer from the difficulty of building a solid model of acceptable behavior and from the high number of alarms caused by unusual but authorized activities. We present an approach that utilizes application-specific knowledge of the network services that should be protected. This information helps to extend current, simple network traffic models to form an application model that allows the detection of malicious content hidden in single network packets. We describe the features of our proposed model and present experimental data that underlines the efficiency of our systems.

369 citations


Proceedings ArticleDOI
12 May 2002
TL;DR: A partitioning approach to network security analysis that supports in-depth, stateful intrusion detection on high-speed links; it is centered around a slicing mechanism that divides the overall network traffic into subsets of manageable size.
Abstract: As networks become faster there is an emerging need for security analysis techniques that can keep up with the increased network throughput. Existing network-based intrusion detection sensors can barely keep up with bandwidths of a few hundred Mbps. Analysis tools that can deal with higher throughput are unable to maintain state between different steps of an attack, or they are limited to the analysis of packet headers. We propose a partitioning approach to network security analysis that supports in-depth, stateful intrusion detection on high-speed links. The approach is centered around a slicing mechanism that divides the overall network traffic into subsets of manageable size. The traffic partitioning is done so that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interactions unnecessary. This paper describes the approach and presents a first experimental evaluation of its effectiveness.

274 citations


Journal ArticleDOI
TL;DR: This paper describes IDS techniques, including an IDS architectural outline and an analysis of IDS probe techniques, and finishes with a summary of associated technologies.

270 citations


Patent
28 Jan 2002
TL;DR: In this patent, stack-based intrusion detection is leveraged for access to cleartext data within the layers of the protocol stack, which reduces the overhead of intrusion detection by reducing the number of packets to be inspected and allows more efficient packet inspection through use of context-specific information that may be used to direct the inspection to particular candidate attacks.
Abstract: Improvements in intrusion detection are disclosed by providing integrated intrusion detection services. Preferably, these services are integrated into a system or server that is the potential target of attack. Stack-based security processing is leveraged for access to cleartext data within the layers of the protocol stack. Layer-specific attacks may therefore be processed efficiently. Evaluation of incoming traffic for an intrusion is preferably performed only after an error condition of some type has been detected. This approach reduces the overhead of intrusion detection by reducing the number of packets to be inspected, and at the same time allows more efficient packet inspection through use of context-specific information that may be used to direct the inspection to particular candidate attacks. Generic attack class capability is also disclosed. Intrusion detection policy information may be used to direct the actions to be taken upon detecting an attack.

238 citations


01 Jan 2002
TL;DR: This work explores network based intrusion detection using classifying, self-organizing maps for data clustering and MLP neural networks for detection and shows that many of these attacks can be found by a careful analysis of network data.
Abstract: With the growth of computer networking, electronic commerce, and web services, security of networking systems has become very important. Many companies now rely on web services as a major source of revenue. Computer hacking poses significant problems to these companies, as distributed attacks can render their cyber-storefront inoperable for long periods of time. This happens so often, that an entire area of research, called Intrusion Detection, is devoted to detecting this activity. We show that evidence of many of these attacks can be found by a careful analysis of network data. We also illustrate that neural networks can efficiently detect this activity. We test our systems against denial of service attacks, distributed denial of service attacks, and portscans. In this work, we explore network based intrusion detection using classifying, self-organizing maps for data clustering and MLP neural networks for detection.

181 citations


Patent
05 Mar 2002
TL;DR: In this patent, an intrusion detection and analysis system and method are disclosed. The system includes a data monitoring device comprising a capture engine operable to capture data passing through the network and configured to monitor network traffic, decode protocols, and analyze received data.
Abstract: An intrusion detection and analysis system and method are disclosed. The system includes a data monitoring device comprising a capture engine operable to capture data passing through the network and configured to monitor network traffic, decode protocols, and analyze received data. The system further includes an intrusion detection device comprising a detection engine operable to perform intrusion detection on data provided by the data monitoring device. Application program interfaces are provided and configured to allow the intrusion detection device access to applications of the data monitoring device to perform intrusion detection. The system also includes memory for storing reference network information used by the intrusion detection device to determine if an intrusion has occurred.

154 citations


Patent
26 Mar 2002
TL;DR: A broad-scope intrusion detection system analyzes traffic coming into multiple hosts or other customers' computers or sites; when an anomaly is detected, it is determined which device or devices are anticipated to be affected by the anomaly in the future.
Abstract: A broad-scope intrusion detection system analyzes traffic coming into multiple hosts or other customers' computers or sites. This provides additional data for analysis as compared to systems that just analyze the traffic coming into one customer's site. Additional detection schemes can be used to recognize patterns that would otherwise be difficult or impossible to recognize with just a single customer detector. Standard signature detection methods can be used. Additionally, new signatures can be used based on broad-scope analysis goals. An anomaly is detected in the computer system, and then it is determined which device or devices are anticipated to be affected by the anomaly in the future. These anticipated devices are then alerted to the potential for the future anomaly. The anomaly can be an intrusion, an intrusion attempt, or reconnaissance activity.

138 citations


Journal ArticleDOI
TL;DR: This paper describes the use of software fault trees for requirements identification and analysis in an IDS; this approach was found to support requirements evolution, incremental development of the IDS, and prioritisation of countermeasures.
Abstract: The use of software fault trees for requirements identification and analysis in an Intrusion Detection System (IDS) is described.

133 citations


Patent
28 Jan 2002
TL;DR: In this paper, improvements in intrusion detection are disclosed by providing intrusion event filtering and/or generic attack signature processing, which may be integrated into a system or server that is the potential target of attack, or alternatively may be implemented in a network device.
Abstract: Improvements in intrusion detection are disclosed by providing intrusion event filtering and/or generic attack signature processing. These services may be integrated into a system or server that is the potential target of attack, or alternatively may be implemented in a network device. Filtering may be provided using sensitivity levels and suspicion levels. Generic attack signatures describe relatively broad classes of intrusions. Intrusion detection policy information may be used to direct the actions to be taken upon detecting an attack.

Book ChapterDOI
Frank Apap, Andrew Honig, Shlomo Hershkop, Eleazar Eskin, Sal Stolfo
16 Oct 2002
TL;DR: In this paper, a host-based intrusion detection system (IDS) for Microsoft Windows is presented, which detects attacks on a host machine by looking for anomalous accesses to the Windows registry.
Abstract: We present a host-based intrusion detection system (IDS) for Microsoft Windows. The core of the system is an algorithm that detects attacks on a host machine by looking for anomalous accesses to the Windows Registry. The key idea is to first train a model of normal registry behavior on a Windows host, and use this model to detect abnormal registry accesses at run-time. The normal model is trained using clean (attack-free) data. At run-time the model is used to check each access to the registry in real time to determine whether or not the behavior is abnormal and (possibly) corresponds to an attack. The system is effective in detecting the actions of malicious software while maintaining a low rate of false alarms.

Proceedings ArticleDOI
Xiaolan Zhang, Leendert van Doorn, Trent Jaeger, Ronald Perez, Reiner Sailer
01 Jul 2002
TL;DR: The goal of an intrusion detection system (IDS) is to recognize attacks such that their exploitation can be prevented.
Abstract: The goal of an intrusion detection system (IDS) is to recognize attacks such that their exploitation can be prevented. Since computer systems are complex, there are a variety of places where detection is possible. For example, analysis of network traffic may indicate an attack in progress [11], a compromised daemon may be detected by its abnormal behavior [14, 12, 5, 10, 15], and subsequent attacks may be prevented by the detection of backdoors and stepping stones [16, 17].

Journal ArticleDOI
TL;DR: It is argued that mobile agent technology goes a long way toward realizing the ideal behavior desired in an intrusion detection system (IDS), and various ways in which mobile agents could be applied to the problem of detecting and responding to intrusions are discussed.

Patent
01 Feb 2002
TL;DR: In this patent, the authors present an intrusion detection approach using application-specific intrusion criteria (e.g., normal communication behavior tracking criteria and/or intrusion signatures), allowing application-specific responses to intrusions.
Abstract: Network intrusion detection accurately identifies and takes into consideration currently running network applications by examining machine instructions embodying those applications. Intrusion detection using application-specific intrusion criteria (e.g., normal communication behavior tracking criteria and/or intrusion signatures) allows application-specific responses to intrusions. Dynamic loading and checking for intrusion signatures may be performed by intrusion detection components that run in the same context as the running application being monitored. A central security authority may provide a repository for, and maintain, up to the minute intrusion signatures for networked machines. Application communications may be tracked to identify abnormal application behavior, and a network security administrator may be notified that a particular application may be making the network vulnerable to intrusion. Immediate response to abnormal application behavior or detection of an intrusion signature is made possible, while non-targeted applications on a targeted computing system may continue their network activity.

Proceedings ArticleDOI
03 Apr 2002
TL;DR: Bayesian methods are applied to data gathered from distributed IDS to improve the capabilities for early detection of distributed attacks against infrastructure and for detection of the preliminary phases of distributed denial of service attacks.
Abstract: In computer and network security, standard approaches to intrusion detection and response attempt to detect and prevent individual attacks. However, it is not the attack but rather the attacker against which our networks must be defended. To do this, the information that is being provided by intrusion detection systems (IDS) must be gathered and then divided into its component parts such that the activity of individual attackers is made clear. Our approach to this involves the application of Bayesian methods to data being gathered from distributed IDS. With this we hope to improve the capabilities for early detection of distributed attacks against infrastructure and the detection of the preliminary phases of distributed denial of service attacks.

Proceedings ArticleDOI
22 Sep 2002
TL;DR: This paper proposes to selectively implement portions of the functionality of a state-of-the-art software NIDS in reconfigurable hardware to enable efficient intrusion detection in future multi-gigabit networks.
Abstract: In this paper we consider a new approach to network intrusion detection. Conventional network intrusion detection systems (NIDS) are software based. We propose to selectively implement portions of the functionality of a state-of-the-art software NIDS in reconfigurable hardware. This increases performance even under hostile loads and will enable efficient intrusion detection in future multi-gigabit networks. Specifically, we consider the problem of TCP-stream reassembly. We present a high-performance TCP stream reassembly and state tracking module targeted for incorporation into an agile reconfigurable network interface based on Xilinx Virtex technology.

Proceedings ArticleDOI
23 Jun 2002
TL;DR: The implementation of an intrusion-tolerant system for providing Internet services to known users through secure connections is described; the use of diverse process pairs provides a significant and novel intrusion detection capability.
Abstract: We describe the implementation of an intrusion tolerant system for providing Internet services to known users through secure connections. Network attacks are treated as maliciously devised conditions to exploit design, implementation, or configuration faults, intrusions (successful attacks) are treated as failures, and their effects are mitigated by using the three pillars of fault tolerance: detection, isolation, and recovery. Fundamental to our approach is the use of diverse process pairs, which provides partial solutions to detection and isolation problems. The architecture uses the comparison of outputs from diverse applications to provide a significant and novel intrusion detection capability. The diverse applications also strengthen isolation by forcing attacks to exploit independent vulnerabilities. The isolation of intrusions is mainly achieved with an out-of-band control system. The control system not only provides separation between the primary and backup system, it also initiates attack diagnosis, attack blocking, and recovery, which is accelerated by on-line repair.

01 Jan 2002
TL;DR: ExB, a string matching algorithm tailored to the specific characteristics of NIDS string matching, is designed and implemented in Snort; experiments suggest that ExB offers improvements in overall system performance by as much as a factor of three.
Abstract: We consider the problem of efficient string-based signature matching for Network Intrusion Detection Systems (NIDSes). String matching computations dominate in the overall cost of running a NIDS, despite the use of efficient general-purpose string matching algorithms. Aiming at increasing the efficiency and capacity of NIDSes, we have designed ExB, a string matching algorithm tailored to the specific characteristics of NIDS string matching. We have implemented ExB in Snort and present experiments comparing ExB with the current best alternative solution. Our preliminary experiments suggest that ExB offers improvements in overall system performance by as much as a factor of three.

Patent
17 Jan 2002
TL;DR: In this patent, an intrusion detection system employs a pipelined structure including a plurality of modules; parts of the rule are assigned to the modules, and the modules determine whether the conditions of an intrusion attack are satisfied.
Abstract: An intrusion detection system detects and takes appropriate action against intrusion attacks on packets transmitted on a network. Various conditions for the intrusion attacks are described in the form of a rule tree. The intrusion detection system employs a pipelined structure including a plurality of modules, and parts of the rule are assigned to the modules. The modules determine in a pipelined manner whether the conditions of an intrusion attack are satisfied. If an intrusion attack on the packet is detected, the intrusion detection system takes appropriate action against the determined intrusion attack.


26 Jan 2002
TL;DR: This paper presents the development of an off-line intrusion alert correlator based on prerequisites of intrusions, which is the first step to address the problem of the large number of alerts in situations where there are intensive intrusive actions.
Abstract: Current intrusion detection systems (IDSs) usually focus on detecting low-level attacks and/or anomalies; none of them can capture the logical steps or attack strategies behind these attacks. Consequently, the IDSs usually generate a large number of alerts. In situations where there are intensive intrusive actions, not only will actual alerts be mixed with false alerts, but the number of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the intrusions behind the alerts and take appropriate actions. This paper presents the development of an off-line intrusion alert correlator based on prerequisites of intrusions, which is our first step to address the aforementioned problem. Intuitively, the prerequisite of an intrusion is the necessary condition for the intrusion to be successful. For example, the existence of a vulnerable service is the prerequisite of a remote buffer overflow attack against the service. Based on the prerequisite and the consequence of each type of attack, our intrusion alert correlator correlates the alerts by matching the consequence of some previous alerts and the prerequisite of some later ones. As a result, our intrusion alert correlator is able to correlate related alerts and uncover the attack strategies behind sequences of attacks. As an application based on a relational database management system (RDBMS), the intrusion alert correlator takes advantage of the functionalities of the RDBMS and can be easily integrated with other RDBMS-based intrusion analysis tools (e.g., ISS's RealSecure). Our experiments with the DARPA 2000 intrusion detection evaluation datasets have demonstrated the great potential of our approach in reducing false alerts and discovering high-level attack strategies.

Patent
13 Jun 2002
TL;DR: In this paper, the authors propose a method of forming a virtual intrusion detection system, which includes the step of positioning a set of sensors in a network environment, each sensor supporting multiple logical traffic paths.
Abstract: A method of forming a virtual intrusion detection system includes the step of positioning a set of sensors in a network environment, each sensor supporting multiple logical traffic paths. The method also includes the step of providing a set of sensor management systems corresponding to the set of sensors. This set of sensor management systems enforces a set of virtual intrusion detection systems, wherein each virtual intrusion detection system corresponds to a predetermined logical traffic path through the set of sensors, each virtual detection system providing sensor traffic information solely to authorized parties.

Proceedings ArticleDOI
10 Dec 2002
TL;DR: A pattern recognition approach to network intrusion detection based on the multiple classifier systems paradigm is proposed, and the potentialities of classifier combination for data fusion and some open issues are outlined.
Abstract: The security of computer networks plays a strategic role in modern computer systems. In order to enforce high protection levels against threats, a number of software tools are currently available. Intrusion detection systems aim at detecting an intruder who eluded the "first line" protection. In the paper, a pattern recognition approach to network intrusion detection based on the multiple classifier systems paradigm is proposed. The potentialities of classifier combination for data fusion and some open issues are outlined.

Proceedings ArticleDOI
04 Nov 2002
TL;DR: This work allows people to find signatures of an intrusion easily and provides a third party IDS (for example, Snort) with candidate signatures, and presents an algorithm called Signature Apriori, which generates signatures for a misuse detection intrusion detection system (IDS).
Abstract: In network-based intrusion detection, signature discovery is an important issue, since the performance of an intrusion detection system heavily depends on the accuracy and abundance of signatures. In most cases, we have to find these signatures manually. This is time-consuming and error-prone work. We present a data mining method based on an approach to support signature discovery in a network-based intrusion detection system, which generates signatures for a misuse detection intrusion detection system (IDS) depending not only on associations of attributes of the transfer protocol, but also on the content of traffic. Until now, no paper has studied how to mine the content of traffic to generate signatures for an IDS. Our work allows people to find signatures of an intrusion easily and provides a third-party IDS (for example, Snort) with candidate signatures. In order to discover signatures, we present an algorithm called Signature Apriori. An experimental system named SigSniffer has been implemented to test the feasibility of the proposed approach.

01 Oct 2002
TL;DR: A new approach for the real-time detection of denial of service computer attacks using time-dependent deterministic finite automata, which lends itself to a distributed detection architecture, permitting non-obtrusive attack signature updating and operating system portability.
Abstract: In this paper, we describe a new approach for the real-time detection of denial of service computer attacks using time-dependent deterministic finite automata. Current network-based intrusion detection systems employ state-transition based methods as a primary means of detecting system penetrations and misuse as well. However, we utilize the time intervals between certain event occurrences [as defined in our automaton] to improve the accuracy of detecting specific denial of service attacks. Unlike some other detection systems, our design also lends itself to a distributed detection architecture, permitting non-obtrusive attack signature updating and operating system portability. This paper discusses the implementation of our prototype along with results from its test evaluation using publicly available data.

Proceedings ArticleDOI
28 Jan 2002
TL;DR: This work improves detection accuracy by adopting a DP matching scheme and solves several problems in AID by recording system calls from daemon processes and setuid programs.
Abstract: There are two well-known models for intrusion detection: the anomaly intrusion detection (AID) model and the misuse intrusion detection (MID) model. The former analyzes user behavior and the statistics of a process in a normal situation, and checks whether the system is being used in a different manner. The latter maintains a database of known intrusion techniques and detects intrusion by comparing behavior against the database. An intrusion detection method based on an AID model can detect a new intrusion method, but needs to update the data describing user behavior and statistics in normal usage. We call this information profiles. There are several problems in AID to be addressed. The profiles tend to be large. Detecting intrusion needs a large amount of system resources, like CPU time, memory and disk space. An MID model requires fewer system resources to detect intrusion. However, it cannot detect new, unknown intrusion methods. Our method solves these problems by recording system calls from daemon processes and setuid programs. We improved detection accuracy by adopting a DP matching scheme.

Proceedings Article
Suresh Chari, Pau-Chen Cheng
01 Jan 2002
TL;DR: The motivation and rationale behind BlueBox, a host-based intrusion detection system that is designed to minimize the kernel changes and performance impact and thus can be ported easily to new kernels, is described.
Abstract: Detecting attacks against systems has, in practice, largely been delegated to sensors, such as network intrusion detection systems. However, due to the inherent limitations of these systems and the increasing use of encryption in communication, intrusion detection and prevention have once again moved back to the host systems themselves. In this paper, we describe our experiences with building BlueBox, a host-based intrusion detection system. Our approach, based on the technique of system call introspection, can be viewed as creating an infrastructure for defining and enforcing very fine-grained process capabilities in the kernel. These capabilities are specified as a set of rules (policies) for regulating access to system resources on a per-executable basis. The language for expressing the rules is intuitive and sufficiently expressive to effectively capture security boundaries. We have prototyped our approach on the Linux operating system kernel and have built rule templates for popular daemons such as Apache and wu-ftpd. Our design has been validated by testing against a comprehensive database of known attacks. Our system has been designed to minimize the kernel changes and performance impact and thus can be ported easily to new kernels. We describe the motivation and rationale behind BlueBox, its design, implementation on Linux, and how it relates to prior work on detecting and preventing intrusions on host systems.

ReportDOI
01 May 2002
TL;DR: In this paper, the authors describe three ways self-securing storage enhances an administrator's ability to detect, diagnose, and recover from client system intrusions: storage-based intrusion detection offers a new observation point for noticing suspect activity, and post-hoc intrusion diagnosis starts with a plethora of normally unavailable information.
Abstract: Self-securing storage turns storage devices into active parts of an intrusion survival strategy. From behind a thin storage interface (e.g., SCSI or CIFS), a self-securing storage server can watch storage requests, keep a record of all storage activity, and prevent compromised clients from destroying stored data. This paper describes three ways self-securing storage enhances an administrator's ability to detect, diagnose, and recover from client system intrusions. First, storage-based intrusion detection offers a new observation point for noticing suspect activity. Second, post-hoc intrusion diagnosis starts with a plethora of normally-unavailable information. Finally, post-intrusion recovery is reduced to restarting the system with a pre-intrusion storage image retained by the server. Combined, these features can improve an organization's ability to survive successful digital intrusions.