
Showing papers on "Host-based intrusion detection system published in 2004"


Journal ArticleDOI
01 Jan 2004
TL;DR: A system for automated generation of attack signatures for network intrusion detection systems that successfully created precise traffic signatures that otherwise would have required the skills and time of a security officer to inspect the traffic manually.
Abstract: This paper describes a system for automated generation of attack signatures for network intrusion detection systems. Our system applies pattern-matching techniques and protocol conformance checks on multiple levels in the protocol hierarchy to network traffic captured by a honeypot system. We present results of running the system on an unprotected cable modem connection for 24 hours. The system successfully created precise traffic signatures that otherwise would have required the skills and time of a security officer to inspect the traffic manually.

708 citations


Proceedings ArticleDOI
07 Mar 2004
TL;DR: This work contributes modifications to the Aho-Corasick string-matching algorithm that drastically reduce the amount of memory required and improve its performance on hardware implementations, and shows that these modifications do not drastically affect software performance on commodity processors, and therefore may be worth considering in these cases.
Abstract: Intrusion detection systems (IDSs) have become widely recognized as powerful tools for identifying, deterring and deflecting malicious attacks over the network. Essential to almost every intrusion detection system is the ability to search through packets and identify content that matches known attacks. Space and time efficient string matching algorithms are therefore important for identifying these packets at line rate. We examine string matching algorithms and their use for intrusion detection, in particular, we focus our efforts on providing worst-case performance that is amenable to hardware implementation. We contribute modifications to the Aho-Corasick string-matching algorithm that drastically reduce the amount of memory required and improve its performance on hardware implementations. We also show that these modifications do not drastically affect software performance on commodity processors, and therefore may be worth considering in these cases as well.

444 citations


Proceedings Article
01 Jan 2004
TL;DR: In this paper, two machine learning paradigms, Artificial Neural Networks and Fuzzy Inference System, are used to design an Intrusion Detection System, which is used to perform real time traffic analysis and packet logging on IP network during the training phase of the system.
Abstract: The Intrusion Detection System architecture commonly used in commercial and research systems has a number of problems that limit its configurability, scalability or efficiency. In this paper, two machine-learning paradigms, Artificial Neural Networks and Fuzzy Inference System, are used to design an Intrusion Detection System. SNORT is used to perform real-time traffic analysis and packet logging on an IP network during the training phase of the system. Then a signature pattern database is constructed using protocol analysis and a Neuro-Fuzzy learning method. Using the 1998 DARPA Intrusion Detection Evaluation Data and TCP dump raw data, the experiments are deployed and discussed.

139 citations


Proceedings ArticleDOI
05 Apr 2004
TL;DR: Two machine-learning paradigms, artificial neural networks and fuzzy inference system, are used to design an intrusion detection system and a signature pattern database is constructed using protocol analysis and neuro-fuzzy learning method.
Abstract: The intrusion detection system architecture commonly used in commercial and research systems has a number of problems that limit its configurability, scalability or efficiency. In this paper, two machine-learning paradigms, artificial neural networks and fuzzy inference system, are used to design an intrusion detection system. SNORT is used to perform real-time traffic analysis and packet logging on an IP network during the training phase of the system. Then a signature pattern database is constructed using protocol analysis and a neuro-fuzzy learning method. Using the 1998 DARPA Intrusion Detection Evaluation Data and TCP dump raw data, the experiments are deployed and discussed.

132 citations


Patent
30 Mar 2004
TL;DR: In this paper, a system for providing intrusion detection in a network wherein data flows are exchanged using associated network ports and application layer protocols is presented. But the system is not designed to detect malicious traffic.
Abstract: A system for providing intrusion detection in a network wherein data flows are exchanged using associated network ports and application layer protocols. The system includes a monitoring module configured for monitoring data flows in the network, a protocol identification engine configured for detecting information on the application layer protocols involved in the monitored data flows, and an intrusion detection module configured for operating based on the information on application layer protocols detected. Intrusion detection is thus provided independently of any predefined association between the network ports and the application layer protocols.

132 citations


Dissertation
01 Jan 2004
TL;DR: The design and implementation of a "distributed firewall" with an intrusion detection mechanism is presented using Python and a scriptable firewall (IPTables, IPFW, netsh).
Abstract: Conventional firewalls rely on a strict outside/inside topology where the gateway(s) enforce some sort of traffic filtering. Some claim that with the evolving connectivity of the Internet, the traditional firewall has become obsolete. High-speed links, dynamic topology, end-to-end encryption, and threats from internal users are all issues that must be addressed. Steven M. Bellovin was the first to propose a "distributed firewall" that addresses these shortcomings. In this master's thesis, the design and implementation of a "distributed firewall" with an intrusion detection mechanism is presented using Python and a scriptable firewall (IPTables, IPFW, netsh).

100 citations


Proceedings ArticleDOI
14 Sep 2004
TL;DR: The characteristics of the IPS are introduced, a distributed IPS design based on SNMP is put forward, and the function and implementation of each part of the IPS are explained in detail.
Abstract: Integrating many kinds of security techniques is one of the good solutions for improving network security. Firewalls and intrusion detection systems can enforce the security of the network effectively, but they also have drawbacks of their own. An intrusion prevention system (IPS) is a technique that properly combines the techniques of the firewall with those of the IDS. The characteristics of the IPS are introduced first in this paper, and then a scenario of an IPS-based network is described. Finally, a distributed IPS design based on SNMP is put forward, and the function and implementation of each part of the IPS are explained in detail.

85 citations


DOI
31 Aug 2004
TL;DR: This work presents a new approach to achieve this goal, by applying intrusion detection techniques to virtual machine based systems, thus keeping the intrusion detection system out of reach from intruders.
Abstract: A virtual machine is a software replica of an underlying real machine. Multiple virtual machines can operate on the same host machine concurrently without interfering with each other. Such a concept is becoming valuable in production computing systems, due to its benefits in terms of costs and portability. As they provide strong isolation between the virtual environment and the underlying real system, virtual machines can also be used to improve the security of a computer system in the face of attacks on its network services. This work presents a new approach to achieve this goal, by applying intrusion detection techniques to virtual machine based systems, thus keeping the intrusion detection system out of reach of intruders. The results obtained from a prototype implementation confirm the usefulness of this approach.

85 citations


Book ChapterDOI
TL;DR: An agent-based IDS architecture is presented that is capable of detecting probe attacks at the originating host and denial of service (DoS) attacks at the boundary controllers, and it is demonstrated that, with appropriately chosen features, both probes and DoS attacks can be detected in real time or near real time at the originating host or at the boundary controllers.
Abstract: Cyber security is a serious global concern. The potential of cyber terrorism has posed a threat to national security; meanwhile the increasing prevalence of malware and incidents of cyber attacks hinder the utilization of the Internet to its greatest benefit and incur significant economic losses to individuals, enterprises, and public organizations. This paper presents some recent advances in intrusion detection, feature selection, and malware detection. In intrusion detection, stealthy and low-profile attacks that include only a few carefully crafted packets over an extended period of time to delude firewalls and the intrusion detection system (IDS) have been difficult to detect. In protection against malware (trojans, worms, viruses, etc.), how to detect polymorphic and metamorphic versions of recognized malware using static scanners is a great challenge. We present in this paper an agent-based IDS architecture that is capable of detecting probe attacks at the originating host and denial of service (DoS) attacks at the boundary controllers. We investigate and compare the performance of different classifiers implemented for intrusion detection purposes. Further, we study the performance of the classifiers in real-time detection of probes and DoS attacks, with respect to intrusion data collected on a real operating network that includes a variety of simulated attacks. Feature selection is as important for IDS as it is for many other modeling problems. We present several techniques for feature selection and compare their performance in the IDS application. It is demonstrated that, with appropriately chosen features, both probes and DoS attacks can be detected in real time or near real time at the originating host or at the boundary controllers. We also briefly present some encouraging recent results in detecting polymorphic and metamorphic malware with advanced static, signature-based scanning techniques.

79 citations


Proceedings ArticleDOI
29 Nov 2004
TL;DR: An early warning system via a host-based form of intrusion detection that can alert security administrators to protect their corporate network(s) through the implementation of battery-based intrusion detection on mobile devices is proposed.
Abstract: This paper proposes an early warning system via a host-based form of intrusion detection that can alert security administrators to protect their corporate network(s). This innovative technique operates through the implementation of battery-based intrusion detection (B-bid) on mobile devices by correlating attacks with their impact on device power consumption using a rules-based host intrusion detection engine (HIDE). HIDE monitors power behavior to detect potential intrusions by noting irregularities of power consumption.

78 citations


Proceedings ArticleDOI
05 Aug 2004
TL;DR: This work presents the design and implementation of a system that automatically detects new worms in real-time by monitoring traffic on a network and uses field programmable gate arrays (FPGAs) to scan packets for patterns of similar content.
Abstract: Recent well publicized attacks have made it clear that worms constitute a threat to Internet security. Systems that secure networks against malicious code are expected to be a part of the critical Internet infrastructure in the future. Intrusion detection and prevention systems (IDPS) currently have limited use because they can filter only known worms. We present the design and implementation of a system that automatically detects new worms in real-time by monitoring traffic on a network. The system uses field programmable gate arrays (FPGAs) to scan packets for patterns of similar content. Given that a new worm hits the network and the rate of infection is high, the system is automatically able to detect an outbreak. Frequently occurring strings in packet payloads are instantly reported as likely worm signatures.

Posted Content
TL;DR: A self-organized ant colony based intrusion detection system (ANTIDS) to detect intrusions in a network infrastructure and the performance is compared among conventional soft computing paradigms like Decision Trees, Support Vector Machines and Linear Genetic Programming to model fast, online and efficient intrusion detection systems.
Abstract: Security of computers and the networks that connect them is increasingly becoming of great significance. Computer security is defined as the protection of computing systems against threats to confidentiality, integrity, and availability. There are two types of intruders: external intruders, who are unauthorized users of the machines they attack, and internal intruders, who have permission to access the system with some restrictions. Due to the fact that it is more and more improbable for a system administrator to recognize and manually intervene to stop an attack, there is an increasing recognition that ID systems have a lot to gain from following the basic principles of the behavior of complex natural systems, namely with regard to self-organization, allowing for a truly distributed and collective perception of these phenomena. With that aim in mind, the present work presents a self-organized ant colony based intrusion detection system (ANTIDS) to detect intrusions in a network infrastructure. The performance is compared among conventional soft computing paradigms like Decision Trees, Support Vector Machines and Linear Genetic Programming to model fast, online and efficient intrusion detection systems.

Patent
01 Oct 2004
TL;DR: In this article, a system and method for the dynamic distribution of IDS signatures to aid in protecting a network system from harmful activities is presented, which includes the steps of monitoring for intrusion signatures or other triggering events, analyzing the events and updating IDS signature libraries as necessary.
Abstract: A system and method for the dynamic distribution of intrusion signatures to aid in protecting a network system from harmful activities. The related method includes the steps of monitoring for intrusion signatures or other triggering events [401, 402], analyzing the events [403] and updating IDS signature libraries [406] as necessary. The system and method enable dynamic distribution of IDS signatures, enabling improved network IDS coverage while limiting the processing and storage requirements of network devices, particularly forwarding devices such as switches and routers that may include the IDS function.

Patent
20 Dec 2004
TL;DR: In this paper, an internal representation of a protected enclave is utilized, and intrusion detection system (IDS) information is correlated to accurately prioritize alerts, with flexibility to add further IDS products.
Abstract: A computer/computer network security alert management system aggregates information from multiple intrusion detectors. Utilizing reports from multiple intrusion detectors reduces the high false alarm rate experienced by individual detectors while also improving detection of coordinated attacks involving a series of seemingly harmless operations. An internal representation of a protected enclave is utilized, and intrusion detection system (IDS) information is correlated to accurately prioritize alerts. In one embodiment, the system is capable of utilizing data from most existing IDS products, with flexibility to add further IDS products.

Proceedings ArticleDOI
29 Oct 2004
TL;DR: This paper presents an integrated, constraint-based approach for modeling and reasoning about firewalls and NIDSs that considers the dependencies among the two types of components, and can reason automatically about their combined behavior.
Abstract: Given a network that deploys multiple firewalls and network intrusion detection systems (NIDSs), ensuring that these security components are correctly configured is a challenging problem. Although models have been developed to reason independently about the effectiveness of firewalls and NIDSs, there is no common framework to analyze their interaction. This paper presents an integrated, constraint-based approach for modeling and reasoning about these configurations. Our approach considers the dependencies among the two types of components, and can reason automatically about their combined behavior. We have developed a tool for the specification and verification of networks that include multiple firewalls and NIDSs, based on this approach. This tool can also be used to automatically generate NIDS configurations that are optimal relative to a given cost function.

Proceedings ArticleDOI
15 Jun 2004
TL;DR: This paper presents a novel distributed intrusion detection system, which uses the Dempster-Shafer's theory of evidence to fuse local information, and shows that the multi-sensor data fusion model performs much better than single sensor.
Abstract: An intrusion detection system (IDS) plays a critical role in information security because it provides the last line of protection for protected hosts or networks when intruders elude the first line. In this paper, we present a novel distributed intrusion detection system, which uses the Dempster-Shafer theory of evidence to fuse local information. Our approach is composed of two layers: the lower layer consists of both host and network based sensors, which are specifically designed to collect local features and make local decisions to differentiate easy-to-detect attacks; the upper layer is a fusion control center, which makes global decisions on locally uncertain events by adopting Dempster's combination rule. Our approach gains the advantages of both host and network based intrusion detection methods, and can practice both rule-based and anomaly detection. A simulation is carried out and the result shows that the multi-sensor data fusion model performs much better than a single sensor.

01 Jan 2004
TL;DR: In this paper, a soft computing approach to detect intrusions in a network is presented, which is defined as the protection of computing systems against threats to confidentiality, integrity, and availability.
Abstract: Security of computers and the networks that connect them is increasingly becoming of great significance. Computer security is defined as the protection of computing systems against threats to confidentiality, integrity, and availability. There are two types of intruders: external intruders, who are unauthorized users of the machines they attack, and internal intruders, who have permission to access the system with some restrictions. This chapter presents a soft computing approach to detect intrusions in a network. Among the several soft computing paradigms, we investigated fuzzy rule-based classifiers, decision trees, support vector machines, linear genetic programming and an ensemble method to model fast and efficient intrusion detection systems. Empirical results clearly show that soft computing approach could play a major role for intrusion detection.

Proceedings ArticleDOI
02 Apr 2004
TL;DR: A peer-to-peer intrusion detection system that has no central coordinator is proposed and the observer-neighbor initiates a voting process to take action against the compromised site.
Abstract: Traditional intrusion detection systems have a central coordinator with a static hierarchical architecture. We propose a peer-to-peer intrusion detection system that has no central coordinator. Our approach is like that of a "neighborhood watch". A virtual neighborhood is created where neighbors take on the task of looking out for each other. When an intrusion occurs they observe this intrusion and inform the residents about this intrusion and collectively take action. We use cooperating, mobile agents for intrusion detection. Each site periodically sends mobile agents to visit and check up on its neighbors and report back. When inconsistent or anomalous behavior is observed, the observer-neighbor initiates a voting process to take action against the compromised site.

Proceedings ArticleDOI
10 Jun 2004
TL;DR: A first line of defense early warning system via a host-based form of intrusion detection that can alert security administrators to protect their corporate network(s) through a rule-based host intrusion detection engine (HIDE).
Abstract: This paper proposes a first line of defense early warning system via a host-based form of intrusion detection that can alert security administrators to protect their corporate network(s). This innovative technique operates through the implementation of battery-based intrusion detection (B-bid) on mobile devices by correlating attacks with their impact on device power consumption using a rule-based host intrusion detection engine (HIDE). HIDE monitors power behavior to detect potential intrusions by noting irregularities of power consumption and works in conjunction with a host analysis signature trace engine (HASTE) to provide protection to both mobile hosts and, by extension, their affiliated network.

Book ChapterDOI
27 Dec 2004
TL;DR: An Agent-Based Distributed Intrusion Alert System (ABDIAS) is proposed which is fully distributed and provides two capabilities in addition to other functionalities of an IDS: early warning when pre-attack activities are detected and detecting and isolating compromised nodes by trust mechanisms and voting-based peer-level protocols.
Abstract: Intrusion detection for computer systems is a key problem in today’s networked society. Current distributed intrusion detection systems (IDSs) are not fully distributed as most of them centrally analyze data collected from distributed nodes resulting in a single point of failure. Increasingly, researchers are focusing on distributed IDSs to circumvent the problems of centralized approaches. A major concern of fully distributed IDSs is the high false positive rates of intrusion alarms which undermine the usability of such systems. We believe that effective distributed IDSs can be designed based on principles of coordinated multiagent systems. We propose an Agent-Based Distributed Intrusion Alert System (ABDIAS) which is fully distributed and provides two capabilities in addition to other functionalities of an IDS: (a) early warning when pre-attack activities are detected, (b) detecting and isolating compromised nodes by trust mechanisms and voting-based peer-level protocols.

Book ChapterDOI
29 Nov 2004
TL;DR: This chapter discusses the scope and characteristics of these security controls, which provide the foundation for information and system security as follows: authentication, access control and audit.

Proceedings ArticleDOI
25 Oct 2004
TL;DR: This paper uses tools from Communication Complexity to prove that the common formulations of many well-known intrusion detection problems require per-flow state, and exposes assumptions that need to be changed to provide scalable solutions to these problems.
Abstract: Most network intrusion tools (e.g., Bro) use per-flow state to reassemble TCP connections and fragments in order to detect network attacks (e.g., SYN Flooding or Connection Hijacking) and preliminary reconnaissance (e.g., Port Scans). On the other hand, if network intrusion detection is to be implemented at high speeds at network vantage points, some form of aggregation is necessary. While many security analysts believe that such per-flow state is required for many of these problems, there is no clear proof that this is the case. In fact, a number of problems (such as detecting large traffic footprints or counting identifiers) have scalable solutions. In this paper, we initiate the study of identifying when and how a security attack detection problem can have a scalable solution. We use tools from Communication Complexity to prove that the common formulations of many well-known intrusion detection problems (detecting SYN Flooding, Port Scans, Connection Hijacking, and content matching across fragments) require per-flow state. Our theory exposes assumptions that need to be changed to provide scalable solutions to these problems; we conclude with some systems techniques to circumvent these lower bounds.

Book ChapterDOI
TL;DR: This work proposes an intrusion detection system architecture which takes advantage of the mobile agent paradigm to implement a system capable of efficient and flexible distribution of analysis and monitoring tasks, as well as integration of existing detection techniques.
Abstract: Intrusion detection systems are quickly becoming a standard requirement in building a network security infrastructure. Although many established techniques and commercial products exist, their effectiveness leaves room for improvement. We propose an intrusion detection system architecture which takes advantage of the mobile agent paradigm to implement a system capable of efficient and flexible distribution of analysis and monitoring tasks, as well as integration of existing detection techniques. Our architecture defines a high-level application specific scripting language to specify the interaction between monitoring agents and analysis agents.

Proceedings ArticleDOI
14 Jun 2004
TL;DR: This work presents a collaborative architecture design for multiple intrusion detection systems to work together to detect real-time network intrusions and describes an ongoing project to develop an intrusion alert management system $TRINETR.
Abstract: In response to the daunting threats of cyber attacks, a promising approach is computer and network forensics. An intrusion detection system is an indispensable part of computer and network forensics. It is deployed to monitor network and host activities including data flows, information accesses, etc. But current intrusion detection products present many flaws, including alert flooding, too many false alerts, isolated alerts, etc. We describe an ongoing project to develop an intrusion alert management system, $TRINETR. We present a collaborative architecture design for multiple intrusion detection systems to work together to detect real-time network intrusions. The architecture is composed of three parts: alert aggregation, knowledge-based alert evaluation and alert correlation. The architecture is aimed at reducing the alert overload by aggregating alerts from multiple sensors to generate condensed views, reducing false positives by integrating network and host system information into the alert evaluation process, and correlating events based on logical relations to generate a global and synthesized alert report. The first two parts of the architecture have been implemented and the implementation results are presented.

Patent
13 Oct 2004
TL;DR: In this paper, a security method and system using a server security solution and a network security solution is disclosed, where the server systems transmit information on an intruding system, which has transmitted harmful traffic, to the network intrusion prevention system at the time of detecting the harmful traffic.
Abstract: A security method and system using a server security solution and a network security solution is disclosed. In the security method based on the security system that has a firewall for blocking malicious access to a corresponding network, a network intrusion prevention system for blocking intrusion into the network and server systems including a mail server and a File Transfer Protocol (FTP) server, the server systems transmit information on an intruding system, which has transmitted harmful traffic, to the network intrusion prevention system at the time of detecting the harmful traffic. The network intrusion prevention system blocks the access of the harmful traffic based on the information transmitted from the server systems. According to the present invention, the server systems detect malicious intrusion attempts, and intrusion is blocked at a network level, so that the present invention is effective in that second and third malicious intrusion attempts can be fundamentally blocked and the consumption of network resources attributable to repeated intrusion attempts can be prevented.

Proceedings Article
01 Jan 2004
TL;DR: This paper uses a classic man in the middle attack as a case study to specify the integrated wireless intrusion detection capability with the active countermeasure response and presents the case study in dynamically defending against an example attack in an 802.11 infrastructure basic service set.
Abstract: Intrusion detection and countermeasures response is an active area of research. In this paper, we examine integrating an intrusion detection engine with an active countermeasure capability. We use a classic man in the middle attack as a case study to specify the integrated wireless intrusion detection capability with the active countermeasure response. We present the case study in dynamically defending against an example attack in an 802.11 infrastructure basic service set by combining the concepts for a distributed wireless intrusion detection and response system architecture with adaptive response strategies based on alarm confidence, attack frequency, assessed risks, and estimated response costs. We also include a description of a tool kit we have implemented to prototypically test and evaluate our concepts.

Proceedings ArticleDOI
27 Sep 2004
TL;DR: An inexpensive and easy to implement way to perform the anomaly type intrusion detection based on the NetFlow data exported from the routers or other network probes is proposed.
Abstract: In this paper, a NetFlow based anomaly intrusion detection system is presented. In addition, guidelines to properly configure and set up network devices to minimize the possibility that network attacks come from inside are also proposed. As the Internet becomes the platform of daily activities, the threat of network attack has also become more serious. A firewall alone is not able to protect the system from being attacked through normal service channels. Furthermore, most current intrusion detection systems focus on the border of the organization's network. If the attack comes from inside, this setup does not provide any protection to hosts in the local network or to the network itself. Therefore, we need to use other mechanisms to protect the critical systems as well as the network itself. We propose an inexpensive and easy to implement way to perform anomaly-type intrusion detection based on the NetFlow data exported from routers or other network probes. Our system can detect several types of network attack from inside or outside and perform counter maneuvers accordingly.

Journal ArticleDOI
TL;DR: An in-depth research on the related techniques of high-performance network intrusion detection and an implementation of a Rule-based High-performance Network Intrusion Detection System (RHPNIDS) for high-speed networks are described.

Proceedings ArticleDOI
19 Jun 2004
TL;DR: This framework takes architectural inspiration from the human immune system and brings desirable features to intrusion detection systems, such as automated intrusion recovery, attack signature extraction, and potential to improve behavior-based detection through intrusion evidence detection.
Abstract: This paper proposes an intrusion detection framework and presents a prototype for an intrusion detection system based on it. This framework takes architectural inspiration from the human immune system and brings desirable features to intrusion detection systems, such as automated intrusion recovery, attack signature extraction, and potential to improve behavior-based detection. These features are enabled through intrusion evidence detection. The prototype, called ADENOIDS, is designed to deal with application attacks, extracting signature for remote buffer overflow attacks. The framework and ADENOIDS are described and experimental results are presented.

Book ChapterDOI
23 Aug 2004
TL;DR: A number of novel designs for a multi-threaded NIDS sensor are presented and performance evaluation figures for a number of multi- threaded implementations of the popular open-source Snort system are provided.
Abstract: Signature-based Network Intrusion Detection System (NIDS) sensors match network packets against a pre-configured set of intrusion signatures. Current implementations of NIDS sensors employ only a single thread of execution and as a consequence benefit very little from multi-processor hardware platforms. A multi-threaded sensor would allow more efficient and scalable exploitation of these multi-processor machines. We present in detail a number of novel designs for a multi-threaded NIDS sensor and provide performance evaluation figures for a number of multi-threaded implementations of the popular open-source Snort system.