
Showing papers on "Host-based intrusion detection system published in 2006"


Patent
Paul Benjamin1
21 Feb 2006
TL;DR: In this article, a system and method for predicting and preventing unauthorized intrusion in a computer configuration is presented, where a vulnerability assessment component is provided that is operable to execute a command over the communication network, and a data monitoring utility operates to monitor data transmitted over a communication network as the vulnerability assessment components executes commands.
Abstract: The present invention provides a system and method for predicting and preventing unauthorized intrusion in a computer configuration. Preferably, the invention comprises a communication network to which at least two computing devices connect, wherein at least one of the computing devices is operable to receive data transmitted by the other computing device. The invention further comprises a database that is accessible over the network and operable to store information related to the network. A vulnerability assessment component is provided that is operable to execute a command over the communication network, and a data monitoring utility operates to monitor data transmitted over the communication network as the vulnerability assessment component executes commands. Also, an intrusion detection component is included that is operable to provide a simulated copy of the network, to generate a first data transmission on the simulated copy of the network that represents a second data transmission on the communication network, and to compare the first data transmission with a second data transmission. The vulnerability assessment component preferably interfaces with the intrusion detection component to define rules associated with the first and second data transmissions, to store the rules in the database, and to retrieve the rules from the database in order to predict and prevent unauthorized intrusion in the computer configuration.

249 citations


Proceedings Article
31 Jul 2006
TL;DR: This paper discusses the design and implementation of a NIDS extension to perform dynamic application-layer protocol analysis and demonstrates the power of the enhancement with three examples: reliable detection of applications not using their standard ports, payload inspection of FTP data transfers, and detection of IRC-based botnet clients and servers.
Abstract: Many network intrusion detection systems (NIDS) rely on protocol-specific analyzers to extract the higher-level semantic context from a traffic stream. To select the correct kind of analysis, traditional systems exclusively depend on well-known port numbers. However, based on our experience, increasingly significant portions of today's traffic are not classifiable by such a scheme. Yet for a NIDS, this traffic is very interesting, as a primary reason for not using a standard port is to evade security and policy enforcement monitoring. In this paper, we discuss the design and implementation of a NIDS extension to perform dynamic application-layer protocol analysis. For each connection, the system first identifies potential protocols in use and then activates appropriate analyzers to verify the decision and extract higher-level semantics. We demonstrate the power of our enhancement with three examples: reliable detection of applications not using their standard ports, payload inspection of FTP data transfers, and detection of IRC-based botnet clients and servers. Prototypes of our system currently run at the border of three large-scale operational networks. Due to its success, the bot-detection is already integrated into a dynamic inline blocking of production traffic at one of the sites.

210 citations
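
The propose-then-verify scheme of the abstract above, as an added Python illustration written for this page (it is not the paper's Bro extension, whose real signature set and analyzers are not reproduced here). The first-bytes signatures, the three minimal analyzers and the sample connections are all constructed assumptions; what the code shows is the two-step structure: a cheap signature only proposes a protocol, and the full analyzer must accept the stream before the classification is trusted, so the destination port is neither needed nor believed.

```python
import re
from typing import Optional

# Constructed first-bytes signatures (this example's assumption, not the paper's
# actual signature set): each proposes a candidate protocol from the opening
# bytes of one direction of the connection, ignoring the TCP port entirely.
CANDIDATES = {
    "http": (re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"), "c2s"),
    "irc":  (re.compile(rb"^(?:NICK|USER|PASS|CAP) [^\r\n]+\r\n"), "c2s"),
    "ftp":  (re.compile(rb"^220[ -][^\r\n]*\r\n"), "s2c"),
}
PORT_TABLE = {80: "http", 21: "ftp", 6667: "irc"}   # what a port-only NIDS would assume


def classify_by_port(dport: int) -> Optional[str]:
    """Traditional analyzer selection: the destination port decides."""
    return PORT_TABLE.get(dport)


def propose(c2s: bytes, s2c: bytes) -> list:
    """Step 1: every protocol whose signature fires on the first bytes is a candidate."""
    return [proto for proto, (rx, direction) in CANDIDATES.items()
            if rx.match(c2s if direction == "c2s" else s2c)]


# Step 2: protocol analyzers.  Each returns extracted semantics when the stream
# really parses as that protocol, or None to reject the candidate.
def analyze_http(c2s: bytes, s2c: bytes):
    head, sep, _ = c2s.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    request = lines[0].split(b" ")
    if len(request) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:                       # a header line without ':' is not HTTP
            return None
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {"method": request[0].decode(), "uri": request[1].decode(), "host": headers.get("host")}


def analyze_irc(c2s: bytes, s2c: bytes):
    known = (b"NICK", b"USER", b"PASS", b"CAP", b"JOIN", b"PRIVMSG", b"PING", b"PONG", b"MODE")
    facts = {"nick": None, "channels": []}
    for line in filter(None, c2s.split(b"\r\n")):
        verb, _, args = line.partition(b" ")
        if verb not in known:               # an unknown verb means this is not IRC after all
            return None
        if verb == b"NICK":
            facts["nick"] = args.decode(errors="replace")
        elif verb == b"JOIN":
            facts["channels"].append(args.split(b" ")[0].decode(errors="replace"))
    return facts if facts["nick"] else None   # a client that never sent NICK is rejected


def analyze_ftp(c2s: bytes, s2c: bytes):
    if not s2c.startswith(b"220"):
        return None
    facts = {"banner": s2c.split(b"\r\n")[0][4:].decode(errors="replace"), "user": None}
    for line in c2s.split(b"\r\n"):
        if line.startswith(b"USER "):
            facts["user"] = line[5:].decode(errors="replace")
    return facts


ANALYZERS = {"http": analyze_http, "irc": analyze_irc, "ftp": analyze_ftp}


def classify_dynamic(c2s: bytes, s2c: bytes):
    """Signature proposes, analyzer verifies: returns (protocol, facts) or (None, None)."""
    for proto in propose(c2s, s2c):
        facts = ANALYZERS[proto](c2s, s2c)
        if facts is not None:
            return proto, facts
    return None, None


# Constructed sample connections: (destination port, client->server bytes, server->client bytes).
SAMPLES = {
    "http_on_8080": (8080, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", b"HTTP/1.1 200 OK\r\n\r\n"),
    "irc_on_80": (80, b"NICK bot-1234\r\nUSER bot 0 * :bot\r\nJOIN #cc\r\n", b":irc 001 bot-1234 :Welcome\r\n"),
    "ftp_on_2121": (2121, b"USER anonymous\r\nPASS guest\r\n", b"220 FTP server ready\r\n331 Password required\r\n"),
    "fake_http_on_80": (80, b"GET / HTTP/1.1\r\nthis line is not a header\r\n\r\n", b""),
}

if __name__ == "__main__":
    for name, (dport, c2s, s2c) in SAMPLES.items():
        print(name, "port-based:", classify_by_port(dport), "dynamic:", classify_dynamic(c2s, s2c))
```

On the constructed samples the port table mislabels IRC on port 80 as HTTP and has no answer for 8080 or 2121, while the dynamic path classifies all three correctly and rejects the HTTP look-alike that matched the signature but failed the parser. The same rejection step keeps the FTP control channel, whose client opens with USER, from being taken for IRC: the IRC signature fires, the IRC analyzer refuses it, and the FTP analyzer is tried next.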


Journal ArticleDOI
TL;DR: A structural approach to IDS is presented: a classification of IDS, the important features, advantages and disadvantages of each detection approach, and the corresponding detection techniques.

94 citations


Proceedings ArticleDOI
04 Sep 2006
TL;DR: A P2P-based overlay for intrusion detection (overlay IDS) that addresses the insider threat by means of a trust-aware engine for correlating alerts and an adaptive scheme for managing trust is proposed.
Abstract: Collaborative intrusion detection systems (IDSs) have a great potential for addressing the challenges posed by the increasing aggressiveness of current Internet attacks. However, one of the major concerns with the proposed collaborative IDSs is their vulnerability to the insider threat. Malicious intruders, infiltrating such a system, could poison the collaborative detectors with false alarms, disrupting the intrusion detection functionality and placing at risk the whole system. In this paper, we propose a P2P-based overlay for intrusion detection (Overlay IDS) that addresses the insider threat by means of a trust-aware engine for correlating alerts and an adaptive scheme for managing trust. We have implemented our system using JXTA framework and we have evaluated its effectiveness for preventing the spread of a real Internet worm over an emulated network. The evaluation results show that our Overlay IDS significantly increases the overall survival rate of the network.

93 citations
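
An added example of how trust-aware correlation blunts the insider threat described above. The scheme below is constructed for this page and is not the Overlay IDS engine or its JXTA implementation: alerts are weighted by the reporter's trust, accepted when the summed weight of distinct reporters reaches a threshold, and trust is adapted from later confirmation or refutation. The peer names, threshold, reward and penalty factors are all assumptions.

```python
class TrustAwareCorrelator:
    """Correlates alerts raised by overlay peers, weighting each by the reporter's trust.

    The scheme is this example's assumption, not the paper's own: an alert is
    accepted (and a response triggered) when the summed trust of its distinct
    reporters reaches `threshold`; when ground truth arrives, reporters of a
    confirmed alert gain trust and reporters of a refuted one lose it.
    """

    def __init__(self, peers, threshold=1.0, initial=0.5, reward=0.3, penalty=0.5):
        self.trust = {p: initial for p in peers}
        self.threshold, self.reward, self.penalty = threshold, reward, penalty
        self.reporters = {}     # alert id -> set of peers that raised it
        self.accepted = []      # alert ids that crossed the threshold, in order

    def report(self, peer, alert_id):
        """A peer raises an alert; returns True at the moment its weight crosses the threshold."""
        reporters = self.reporters.setdefault(alert_id, set())
        reporters.add(peer)
        weight = sum(self.trust[p] for p in reporters)
        if weight >= self.threshold and alert_id not in self.accepted:
            self.accepted.append(alert_id)
            return True
        return False

    def resolve(self, alert_id, confirmed):
        """Feed back ground truth: a local detector saw the worm, or the alert timed out unconfirmed."""
        for p in self.reporters.pop(alert_id, ()):
            if confirmed:
                self.trust[p] += self.reward * (1.0 - self.trust[p])
            else:
                self.trust[p] *= 1.0 - self.penalty


def simulate():
    """Two colluding insiders flood false alarms while honest peers report real worms.

    Returns (accepted alert ids, final trust table).
    """
    honest, insiders = ["n1", "n2", "n3", "n4"], ["mallory", "trudy"]
    corr = TrustAwareCorrelator(honest + insiders)
    # Poisoning: at initial trust two insiders are enough to push the first false alarm through,
    # but every refuted alarm halves their trust, so the second and third attempts fail.
    for k in range(3):
        for p in insiders:
            corr.report(p, "fake-%d" % k)
        corr.resolve("fake-%d" % k, confirmed=False)
    # Real outbreak: two honest reporters at initial trust reach the threshold.
    corr.report("n1", "worm-1")
    corr.report("n2", "worm-1")
    corr.resolve("worm-1", confirmed=True)
    # Second outbreak: n1's raised trust means one corroborator at initial trust suffices.
    corr.report("n1", "worm-2")
    corr.report("n3", "worm-2")
    corr.resolve("worm-2", confirmed=True)
    for p in insiders:                     # the pair's combined weight is now 0.125: ignored
        corr.report(p, "fake-3")
    return corr.accepted, corr.trust


if __name__ == "__main__":
    print(simulate())
```

The insiders succeed exactly once, while they still carry the trust of a fresh peer; afterwards their alarms never reach the threshold even jointly, and honest peers whose alerts were confirmed need fewer corroborators over time. A real deployment would also need to bound how fast trust can be earned, or an insider could behave honestly to build credit before poisoning.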


Patent
17 Jul 2006
TL;DR: In this article, a modular decoy network with front-end monitor/intercept module(s) with a processing back-end that is separate from the protected network is presented.
Abstract: Improved methods and systems for decoy networks with automatic signature generation for intrusion detection and intrusion prevention systems. A modular decoy network with front-end monitor/intercept module(s) with a processing back-end that is separate from the protected network. The front-end presents a standard fully functional operating system that is a decoy so that the instigator of an attack is led to believe a connection has been made to the protected network. The front-end includes a hidden sentinel kernel driver that monitors connections to the system and captures attack-identifying information. The captured information is sent to the processing module for report generation, data analysis and generation of an attack signature. The generated attack signature can then be applied to the library of signatures of the intrusion detection system or intrusion prevention system of the protected network to defend against network based attacks including zero-day attacks.

93 citations


Journal ArticleDOI
TL;DR: Through the careful codesign and optimization of the architecture with a new string-matching algorithm, it is shown that it is possible to build a system that is 10 times more efficient than the currently best known approaches.
Abstract: Network Intrusion Detection and Prevention Systems have emerged as one of the most effective ways of providing security to those connected to the network and at the heart of almost every modern intrusion detection system is a string-matching algorithm. String matching is one of the most critical elements because it allows for the system to make decisions based not just on the headers, but the actual content flowing through the network. Unfortunately, checking every byte of every packet to see if it matches one of a set of thousands of strings becomes a computationally intensive task as network speeds grow into the tens, and eventually hundreds, of gigabits/second. To keep up with these speeds, a specialized device is required, one that can maintain tight bounds on worst-case performance, that can be updated with new rules without interrupting operation, and one that is efficient enough that it could be included on-chip with existing network chips or even into wireless devices. We have developed an approach that relies on a special purpose architecture that executes novel string matching algorithms specially optimized for implementation in our design. We show how the problem can be solved by converting the large database of strings into many tiny state machines, each of which searches for a portion of the rules and a portion of the bits of each rule. Through the careful codesign and optimization of our architecture with a new string-matching algorithm, we show that it is possible to build a system that is 10 times more efficient than the currently best known approaches.

82 citations


Patent
Robert David Graham1
27 Sep 2006
TL;DR: In this article, an improved network intrusion detection and response system and method is disclosed for detecting and preventing misuse of network resources, which dynamically self-adjusts to changes in network activity using a plurality of alert levels wherein each successively higher alert level triggers a corresponding heightened security response from the networked computer being misused.
Abstract: An improved network intrusion detection and response system and method is disclosed for detecting and preventing misuse of network resources. More particularly, the system and method dynamically self-adjusts to changes in network activity using a plurality of alert levels wherein each successively higher alert level triggers a corresponding heightened security response from the networked computer being misused. These heightened alert levels are integrated on both the system (individual node) and the network level. The disclosed intrusion detection and response system is also implemented at low cost using currently-existing hardware and software (i.e., network computers).

81 citations


Proceedings ArticleDOI
18 Apr 2006
TL;DR: It is shown that host-based approaches are required, since network-based monitoring alone is not sufficient to counter the future threats, and a framework for mobile device intrusion detection is proposed.
Abstract: New security threats emerge against mobile devices as the devices’ computing power and storage capabilities evolve. We address in this paper the issue of augmenting current intrusion detection approaches with host-based intrusion detection models for mobile devices. We show that host-based approaches are required, since network-based monitoring alone is not sufficient to counter the future threats. We outline some of the data types on mobile devices that could be used to construct intrusion detection models, and finally propose a framework for mobile device intrusion detection.

65 citations


Proceedings ArticleDOI
11 Dec 2006
TL;DR: This paper proposes a strategy to address certain aspects of generating a publicly available documented data set for testing and evaluating intrusion detection systems and presents a tool that automatically analyzes and evaluates IDS using the proposed data set.
Abstract: An Intrusion Detection System (IDS) is a crucial element of a network security posture. Although there are many IDS products available, it is rather difficult to find information about their accuracy. Only a few organizations evaluate these products. Furthermore, the data used to test and evaluate these IDS is usually proprietary. Thus, the research community cannot easily evaluate the next generation of IDS. Toward this end, DARPA provided in 1998, 1999 and 2000 an Intrusion Detection Evaluation Data Set. However, no new data set has been released by DARPA since 2000, in part because of the cumbersomeness of the task. In this paper, we propose a strategy to address certain aspects of generating a publicly available documented data set for testing and evaluating intrusion detection systems. We also present a tool that automatically analyzes and evaluates IDS using our proposed data set.

65 citations


Proceedings ArticleDOI
04 Jul 2006
TL;DR: HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks, even for the worst case traffic of 40-byte-packet streams with each packet forming a flow.
Abstract: Global-scale attacks like viruses and worms are increasing in frequency, severity and sophistication, making it critical to detect outbursts at routers/gateways instead of end hosts. In this paper we leverage data streaming techniques such as the reversible sketch to obtain HiFIND, a High-speed Flow-level Intrusion Detection system. In contrast to existing intrusion detection systems, HiFIND 1) is scalable to flow-level detection on high-speed networks; 2) is DoS resilient; 3) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; 4) enables aggregate detection over multiple routers/gateways; and 5) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (approximately 10s of Gigabit/second), even for the worst case traffic of 40-byte-packet streams with each packet forming a flow.

63 citations


Proceedings ArticleDOI
03 Apr 2006
TL;DR: The performance of the proposed IDS/IPS architecture has been evaluated in terms of impact that its operation has on the QoS experienced by the VoIP users.
Abstract: As VoIP deployments are expected to grow, intrusion problems similar to those that data networks experience will become very critical. In the early stages of deployment, the intrusion and security problems have not been seriously considered, although they could have a negative impact on VoIP deployment. In the paper, SIP intrusion detection and prevention requirements are analyzed and an IDS/IPS architecture is proposed. A prototype of the proposed architecture was implemented using as a basis the very popular open-source software Snort, a network-based intrusion detection and prevention system. The prototype of the proposed architecture extends the basic functionality of Snort, making use of the preprocessing feature that permits analyzing protocols of the layers above the TCP/UDP one. The preprocessor block is a very powerful one since it permits implementing both knowledge-based and behavior-based intrusion detection and prevention techniques in Snort, which basically adopts a network-based technique. An important requirement of an IPS is that legitimate traffic should be forwarded to the recipient with no apparent disruption or delay of service. Hence, the performance of the proposed architecture has been evaluated in terms of the impact that its operation has on the QoS experienced by the VoIP users.

Journal ArticleDOI
TL;DR: Through careful codesign and optimization of an architecture with a new string matching algorithm, the authors show it is possible to build a system that is almost 12 times more efficient than the currently best known approaches.
Abstract: String matching is a critical element of modern intrusion detection systems because it lets a system make decisions based not just on headers, but actual content flowing through the network. Through careful codesign and optimization of an architecture with a new string matching algorithm, the authors show it is possible to build a system that is almost 12 times more efficient than the currently best known approaches.

Journal Article
TL;DR: CardGuard as mentioned in this paper is a signature detection system for intrusion detection and prevention that scans the entire payload of packets for suspicious patterns and is implemented in software on a network card equipped with an Intel IXP1200 network processor.
Abstract: CardGuard is a signature detection system for intrusion detection and prevention that scans the entire payload of packets for suspicious patterns and is implemented in software on a network card equipped with an Intel IXP1200 network processor. One card can be used to protect either a single host, or a small group of machines connected to a switch. CardGuard is non-intrusive in the sense that no cycles of the host CPUs are used for intrusion detection and the system operates at Fast Ethernet link rate. TCP flows are first reconstructed before they are scanned with the Aho-Corasick algorithm.
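
The string-matching core that the two Tan and Sherwood entries above and CardGuard rely on, in one added Python example (written for this page; it is not code from any of those systems): an Aho-Corasick compiler producing a full byte DFA, a scanner that returns its state so that a flow can be scanned across TCP segment boundaries (which is why CardGuard reconstructs flows first), and a simplified form of the bit-split construction, in which the byte DFA is replaced by several tiny machines that each read only a couple of bits of every byte and whose reports are ANDed. The rule strings and the segment split are constructed; unlike the paper, which partitions large rule sets into groups so every machine stays small, this example compiles all rules as one group.

```python
from collections import deque

# Constructed rule strings (an assumption of this example, not a real signature set).
RULES = [b"he", b"she", b"his", b"hers"]

def build_ac(patterns):
    """Aho-Corasick compiled to a full DFA over the 256-byte alphabet: returns (delta, output),
    delta[state][byte] being the next state and output[state] the ids of the patterns that are
    suffixes of the input consumed so far."""
    goto, output = [{}], [set()]
    for pid, pat in enumerate(patterns):
        s = 0
        for c in pat:
            if c not in goto[s]:
                goto.append({})
                output.append(set())
                goto[s][c] = len(goto) - 1
            s = goto[s][c]
        output[s].add(pid)
    fail = [0] * len(goto)
    delta = [[0] * 256 for _ in goto]
    queue = deque()
    for c, t in goto[0].items():            # depth-1 states fail back to the root
        delta[0][c] = t
        queue.append(t)
    while queue:                            # breadth-first, so fail[s] is final before s is expanded
        s = queue.popleft()
        for c in range(256):
            if c in goto[s]:
                t = goto[s][c]
                fail[t] = delta[fail[s]][c]
                output[t] |= output[fail[t]]
                delta[s][c] = t
                queue.append(t)
            else:
                delta[s][c] = delta[fail[s]][c]
    return delta, output

def scan(delta, output, data, state=0, base=0):
    """Scan one chunk and return ([(end_offset, pattern_id), ...], final_state).  Passing the
    returned state (and the running offset) into the call for the next TCP segment is what
    scanning a reconstructed flow amounts to; restarting at 0 per segment misses straddlers."""
    hits = []
    for i, c in enumerate(data):
        state = delta[state][c]
        hits.extend((base + i, pid) for pid in sorted(output[state]))
    return hits, state

def scan_flow(delta, output, segments, reassemble=True):
    """Scan a flow given as TCP segments, with or without carrying the state across segments."""
    state, base, hits = 0, 0, []
    for seg in segments:
        found, state = scan(delta, output, seg, state if reassemble else 0, base)
        hits, base = hits + found, base + len(seg)
    return hits

def build_bitsplit(delta, output, bits=2):
    """Split the byte DFA into 8 // bits machines, each reading only `bits` bits of every byte.
    A machine's state is the set of byte-DFA states reachable by some input that agrees with the
    real input on its bit slice (subset construction); it reports every pattern any member state
    would report.  The real DFA state is always a member, so ANDing all machines' reports yields
    exactly the true matches."""
    machines = []
    for lo in range(0, 8, bits):
        mask = (1 << bits) - 1
        states, ids, trans, outs = [frozenset([0])], {frozenset([0]): 0}, [], []
        i = 0
        while i < len(states):
            cur, row = states[i], []
            for sym in range(1 << bits):
                nxt = frozenset(delta[s][c] for s in cur for c in range(256) if ((c >> lo) & mask) == sym)
                if nxt not in ids:
                    ids[nxt] = len(states)
                    states.append(nxt)
                row.append(ids[nxt])
            trans.append(row)
            outs.append(frozenset().union(*(output[s] for s in cur)))
            i += 1
        machines.append((lo, mask, trans, outs))
    return machines

def scan_bitsplit(machines, data):
    """Advance all slice machines in lockstep; report a pattern only when every machine reports it."""
    cur, hits = [0] * len(machines), []
    for i, c in enumerate(data):
        agreed = None
        for m, (lo, mask, trans, outs) in enumerate(machines):
            cur[m] = trans[cur[m]][(c >> lo) & mask]
            agreed = outs[cur[m]] if agreed is None else agreed & outs[cur[m]]
        hits.extend((i, pid) for pid in sorted(agreed))
    return hits

if __name__ == "__main__":
    delta, output = build_ac(RULES)
    print(scan(delta, output, b"ushers")[0])                              # [(3, 0), (3, 1), (5, 3)]
    print(scan_bitsplit(build_bitsplit(delta, output), b"ushers"))       # identical, from 4 two-bit machines
    print(scan_flow(delta, output, [b"us", b"hers"], reassemble=False))  # "she" across the split is lost
```

The bit-split machines are exact, not approximate: a pattern is reported by machine i only if some input agreeing with the real input on bit slice i ends with that pattern, so when all slices agree the real input's last bytes equal the pattern byte for byte. What the split buys in hardware is that each machine has a 4-entry (here) transition row instead of a 256-entry one, which is what makes the per-rule-group state tables small enough to go on-chip.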

Book ChapterDOI
28 May 2006
TL;DR: The aim of this paper is to propose an architecture of distributed Intrusion Detection System (IDS), assumed that IDS system will detect and track dissemination and activity of the Internet worms.
Abstract: The aim of this paper is to propose an architecture of distributed Intrusion Detection System (IDS). It is assumed that the IDS system will detect and track dissemination and activity of the Internet worms. A general architecture for such a distributed multiagent system is proposed and the tasks, techniques and algorithms to be used are sketched.

Journal Article
TL;DR: A distributed intrusion detection system is developed as a solution to the problems of single-system structure, ineffectiveness of collaborative mechanisms and IDS single points of failure.
Abstract: An Intrusion Detection System (IDS) is able to detect, respond and protect the information system in real time. In view of old IDSs' disadvantages such as single-system structure, ineffectiveness of collaborative mechanisms and IDS single points of failure, this paper develops a distributed intrusion detection system as a solution to the above problems.

Journal ArticleDOI
TL;DR: A tool that automatically translates CPNs that specify IDS design into software intrusion detection agents in MAIDS, which can automatically generate intrusion detection software agents from a high level description of intrusions is presented.

01 Jan 2006
TL;DR: This analysis shows that the intrusions detected by MINDS are complementary to those of traditional signature based systems, such as SNORT, which implies that they both can be combined to increase overall attack coverage.
Abstract: Summary. This chapter provides an overview of the Minnesota Intrusion Detection System (MINDS), which uses a suite of data mining based algorithms to address different aspects of cyber security. The various components of MINDS such as the scan detector, anomaly detector and the profiling module detect different types of attacks and intrusions on a computer network. The scan detector aims at detecting scans which are the precursors to any network attack. The anomaly detection algorithm is very effective in detecting behavioral anomalies in the network traffic which typically translate to malicious activities such as denial-of-service (DoS) traffic, worms, policy violations and inside abuse. The profiling module helps a network analyst to understand the characteristics of the network traffic and detect any deviations from the normal profile. Our analysis shows that the intrusions detected by MINDS are complementary to those of traditional signature based systems, such as SNORT, which implies that they both can be combined to increase overall attack coverage. MINDS has shown great operational success in detecting network intrusions in two live deployments at the University of Minnesota and as a part of the Interrogator architecture at the US Army Research Labs Center for Intrusion Monitoring and Protection (ARL-CIMP). The conventional approach to securing computer systems against cyber threats is to design mechanisms such as firewalls, authentication tools, and virtual private networks that create a protective shield. However, these mechanisms almost always have vulnerabilities. They cannot ward off attacks that are continually being adapted to exploit system weaknesses, which are often caused by careless design and implementation flaws. This has created the need for intrusion detection [6], security technology that complements conventional security approaches by monitoring systems and identifying computer attacks.
Traditional intrusion detection methods are based on human experts’ extensive knowledge of attack signatures which are character strings in a message's payload

Proceedings ArticleDOI
11 Dec 2006
TL;DR: This paper describes and implements a specification-based intrusion detection system for IEEE 802.11 wireless infrastructure networks, which not only provides attack detection, but also implements policy compliance monitoring.
Abstract: Wireless networking technologies based on the IEEE 802.11 series of standards fail to authenticate management frames and network card addresses and suffer from serious vulnerabilities that may lead to denial of service, session hijacking, and address masquerading attacks. In this paper, we describe and implement a specification-based intrusion detection system for IEEE 802.11 wireless infrastructure networks, which not only provides attack detection, but also implements policy compliance monitoring. The specification used by our intrusion detection system is derived from network protocol state transition models and site security policy constraints. We also perform an experimental and comparative analysis of the technique to assess its effectiveness. The results indicate that the approach is superior at successfully detecting a greater variety of attacks than other existing approaches.

Journal ArticleDOI
TL;DR: A possible application of Neural Networks is presented as a component of an intrusion detection system called Denial of Service Intelligent Detection (DoSID) and it has been shown that the false negative of the system has been reduced considerably.
Abstract: The potential damage to computer networks keeps increasing due to a growing reliance on the Internet and more extensive connectivity. Intrusion detection systems (IDSs) have become an essential component of computer security to detect attacks that occur despite the best preventative measures. A problem with current intrusion detection systems is that they have many false positive and false negative events. Most of the existing intrusion detection systems implemented nowadays depend on rule-based expert systems where new attacks are not detectable. In this paper, a possible application of Neural Networks is presented as a component of an intrusion detection system. An intrusion detection system called Denial of Service Intelligent Detection (DoSID) is developed. The type of Neural Network used to implement DoSID is feed forward which uses the backpropagation learning algorithm. The data used in training and testing is the data collected by Lincoln Labs at MIT for an intrusion detection system evaluation sponsored by the U.S. Defense Advanced Research Projects Agency (DARPA). Special features of connection records have been identified to be used in DoS (Denial-of-Service) attacks. Several experiments have been conducted to test the ability of the neural network to distinguish known and unknown attacks from normal traffic. Results show that normal traffic and known attacks are discovered 91% and 100% respectively. Also it has been shown in the final experiment that the false negative of the system has been reduced considerably.

Proceedings Article
01 Jan 2006
TL;DR: Usability, robustness and accuracy of these intrusion detection techniques are explored by applying them to eight distinct test scenarios and a correlation engine is introduced to maintain the false positives and false negatives at a manageable level.
Abstract: Current IEEE 802.11 wireless networks are vulnerable to session hijacking attacks as the existing standards fail to address the lack of authentication of management frames and network card addresses, and rely on loosely coupled state machines. Even the new WLAN security standard - IEEE 802.11i does not address these issues. In our previous work, we proposed two new techniques for improving detection of session hijacking attacks that are passive, computationally inexpensive, reliable, and have minimal impact on network performance. These techniques utilise unspoofable characteristics from the MAC protocol and the physical layer to enhance confidence in the intrusion detection process. This paper extends our earlier work and explores usability, robustness and accuracy of these intrusion detection techniques by applying them to eight distinct test scenarios. A correlation engine has also been introduced to maintain the false positives and false negatives at a manageable level. We also explore the process of selecting optimum thresholds for both detection techniques. For the purposes of our experiments, Snort-Wireless open source wireless intrusion detection system was extended to implement these new techniques and the correlation engine. Absence of any false negatives and low number of false positives in all eight test scenarios successfully demonstrated the effectiveness of the correlation engine and the accuracy of the detection techniques.
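
The two 802.11 entries above (the specification-based IDS for infrastructure networks and the sequence-number based detection of session hijacking) in one added Python example written for this page; it is not the authors' Snort-Wireless extension. A per-BSS monitor keeps the standard's three-state station state machine, in which the state number is also the highest frame class (1 to 3) the station may exchange, flags frames the standard forbids in the client's current state, treats a large jump in a transmitter's 12-bit sequence number as evidence of a second radio using that address, and applies a site policy limit on deauthentication frames. The frame record, thresholds and the trace are constructed assumptions; a real monitor would decode these fields from monitor-mode captures.

```python
from dataclasses import dataclass

# Station states as numbered by IEEE 802.11.  The number is also the highest frame class the
# station may exchange in that state: class 1 always, class 2 once authenticated, class 3 once
# associated.
UNAUTH, AUTHED, ASSOC = 1, 2, 3

FRAME_CLASS = {
    "beacon": 1, "probe_req": 1, "probe_resp": 1, "auth": 1, "deauth": 1,
    "assoc_req": 2, "assoc_resp": 2, "reassoc_req": 2, "reassoc_resp": 2, "disassoc": 2,
    "data": 3, "ps_poll": 3,
}


@dataclass
class Frame:
    """Constructed frame record (this example's assumption)."""
    ts: float
    kind: str        # management subtype name, or "data"
    src: str         # transmitter address
    dst: str         # receiver address
    seq: int         # 12-bit sequence number from the Sequence Control field
    status: int = 0  # status code of a response frame, 0 = success


class WlanSpecMonitor:
    """Specification-based monitor for one BSS: tracks each client's 802.11 state, flags frames
    the standard forbids in that state, flags sequence-number jumps that betray a spoofed
    transmitter address, and enforces a site policy limit on deauthentication frames."""

    def __init__(self, bssid, max_deauth_per_s=5, max_seq_gap=20):
        self.bssid = bssid
        self.state = {}            # client MAC -> UNAUTH / AUTHED / ASSOC
        self.last_seq = {}         # transmitter MAC -> last sequence number seen
        self.deauth_times = []     # timestamps of recent deauth frames in this BSS
        self.max_deauth, self.max_gap = max_deauth_per_s, max_seq_gap
        self.alerts = []           # (ts, tag, detail)

    def feed(self, f: Frame):
        client = f.dst if f.src == self.bssid else f.src
        st = self.state.get(client, UNAUTH)

        # Check 1 (specification): the frame's class must be allowed in the client's state.
        cls = FRAME_CLASS.get(f.kind, 1)
        if cls > st:
            self.alerts.append((f.ts, "class", "class-%d %s for %s in state %d" % (cls, f.kind, client, st)))

        # Check 2 (unspoofable MAC-layer characteristic): a genuine transmitter's sequence numbers
        # advance in small steps modulo 4096; a second radio using the same address does not.
        prev = self.last_seq.get(f.src)
        if prev is not None and (f.seq - prev) % 4096 > self.max_gap:
            self.alerts.append((f.ts, "seq", "sequence %d -> %d from %s" % (prev, f.seq, f.src)))
        self.last_seq[f.src] = f.seq

        # Check 3 (site policy): a burst of deauthentications is a DoS / hijack precursor.
        if f.kind == "deauth":
            self.deauth_times = [t for t in self.deauth_times if f.ts - t < 1.0] + [f.ts]
            if len(self.deauth_times) > self.max_deauth:
                self.alerts.append((f.ts, "deauth_flood", "%d deauths within 1 s" % len(self.deauth_times)))

        # State transitions as in the 802.11 state machine.  This is the strict form: a monitor
        # started after the handshake would need a warm-up rule before trusting check 1.
        if f.kind == "auth" and f.src == self.bssid and f.status == 0:
            st = max(st, AUTHED)
        elif f.kind in ("assoc_resp", "reassoc_resp") and f.src == self.bssid and f.status == 0 and st >= AUTHED:
            st = ASSOC
        elif f.kind == "disassoc":
            st = min(st, AUTHED)
        elif f.kind == "deauth":
            st = UNAUTH
        self.state[client] = st
        return st


AP, STA, ROGUE = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"

# Constructed trace: a normal join, then three attacks.
TRACE = [
    Frame(0.0, "auth", STA, AP, 11),
    Frame(0.1, "auth", AP, STA, 500),
    Frame(0.2, "assoc_req", STA, AP, 12),
    Frame(0.3, "assoc_resp", AP, STA, 501),
    Frame(0.4, "data", STA, AP, 13),
    Frame(0.5, "data", STA, AP, 2000),      # attacker injects data as STA, using its own sequence counter
    Frame(0.6, "data", ROGUE, AP, 7),       # station that never authenticated sends a class-3 frame
    Frame(0.7, "deauth", AP, STA, 3000),    # forged deauth "from" the AP, far from the AP's counter
] + [Frame(t, "deauth", AP, STA, 3001 + i) for i, t in enumerate([0.80, 0.81, 0.82, 0.83, 0.84])]


def run(trace, bssid=AP):
    mon = WlanSpecMonitor(bssid)
    for f in trace:
        mon.feed(f)
    return mon.alerts, mon.state


if __name__ == "__main__":
    for alert in run(TRACE)[0]:
        print(alert)
```

On the constructed trace the join produces no alerts; the injected data frame and the forged deauthentication are both caught by the sequence-number check even though each is a frame class the state machine permits, the rogue station is caught by the state machine alone, and the sixth deauthentication inside one second trips the policy limit. The sequence-number threshold is the knob the abstract refers to: too small and retransmission bursts or dropped captures raise false positives, too large and a careful attacker who first observes the victim's counter slips through, which is why the authors add a correlation engine rather than relying on either technique alone.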

Patent
31 Jul 2006
TL;DR: In this paper, a method and system for detecting and preventing network intrusion by generating an intrusion signature formatted using an intrusion template, the signature for use with an intrusion engine that allows adding new and/or modifying existing intrusion signatures.
Abstract: A method and system for detecting and preventing network intrusion by generating an intrusion signature formatted using an intrusion signature template, the signature for use with an intrusion engine that allows adding new and/or modifying existing intrusion signatures. A packet analysis engine samples packets on the network, analyzes the sampled packets, and recognizes suspicious packets generated by malicious code. An intrusion signature generator then generates an intrusion signature using the template, and the signature is imported into an intrusion engine, which uses it to block the suspicious packets. The template can be provided by a network administrator, and the signature can be imported into the intrusion engine with or without human intervention.

Proceedings ArticleDOI
23 Apr 2006
TL;DR: The requirements to identify the attacks that may violate the security of grids are determined, a distributed grid-based intrusion detection system architecture is proposed, and how it overcomes the limitations of current technology is shown.
Abstract: This paper presents the problem of intrusion detection in grid environments. Current intrusion detection technology is limited in providing protection against the attacks that may violate the security of grids and we determine the requirements to identify them, propose a distributed grid-based intrusion detection system architecture, and show how it overcomes the limitations of current technology by integrating the detection of the typical host computer and network attacks with the detection of grid-specific attacks and user behavior anomalies.

Proceedings ArticleDOI
11 Sep 2006
TL;DR: In this paper, an analysis of intrusion detection systems is presented; the main goal is to point out the advantages and disadvantages of these systems and provide an overview of the possibilities which these systems offer.
Abstract: At present, security is an important factor of network protection. Not only intrusion detection systems but also intrusion prevention systems are created so that system failure due to deliberate harm or a system intrusion does not occur. The article deals with an analysis of intrusion detection systems. The main goal is to point out the advantages and disadvantages of these systems and provide an overview of the possibilities which these systems offer. The article's contribution is the possibility of implementing such a system in the network at its separate levels of the ISO/OSI layered model at the Department of Computers and Informatics of the Faculty of Electrotechnical Engineering and Informatics of the Technical University of Kosice. The main benefit should be the network protection obtained by using intrusion detection systems.

Proceedings ArticleDOI
02 Oct 2006
TL;DR: An implementation of an Intrusion Detection System (IDS) aiming to secure the AODV protocol designed for MANET is presented; the IDS is designed as multiple static agents that run on a subset of the nodes in the network and execute a monitoring protocol that observes the process of route establishment.
Abstract: This paper presents an implementation of an Intrusion Detection System (IDS) aiming to secure the AODV protocol designed for MANET. The IDS is designed as multiple static agents that run on a subset of the nodes in the network and execute a monitoring protocol that observes the process of route establishment. The monitoring protocol uses specification based intrusion detection to identify misuses of the routing messages. The IDS design is a correlation of previous work done in the field of MANET security. The IDS is implemented using the ns-2 simulator and its ability to detect attacks was tested using previously devised attack scripts. Detailed specification for the runtime behavior of the AODV protocol was derived in the process of implementation.

Patent
09 Feb 2006
TL;DR: In this article, an intrusion detection system/method is implemented in a network data processing environment in which the knowledge-based intrusion detection corpus is communicatively accessible by multiple elements coupled to the networked data processing system.
Abstract: A system, method, and computer program product for adaptively identifying unauthorized intrusions in a networked data processing system. In accordance with the method of the present invention, an intrusion detection module receives system event data that may be utilized for intrusion detection. The received system event data is processed utilizing multiple intrusion detection techniques including at least one behavior-based intrusion detection technique to generate an intrusion detection result. In response to the intrusion detection result indicating an unauthorized intrusion, at least one knowledge-based intrusion detection corpus is updated utilizing the system event data. In a preferred embodiment, the intrusion detection system/method is implemented in a network data processing environment in which the knowledge-based intrusion detection corpus is communicatively accessible by multiple elements coupled to the networked data processing system. The method preferably includes issuing a network update to update knowledge-based intrusion detection corpora associated with the multiple elements included in the network.

Patent
27 Jul 2006
TL;DR: In this paper, a method and system for protecting a packet switched network from compromised communications due to a physical intrusion in the network are disclosed, which can be automatically implemented by a given network-connected device or manually addressed by a network user or network administrator.
Abstract: A method and system for protecting a packet switched network from compromised communications due to a physical intrusion in the network are disclosed. The network includes at least one network element having a detection device operable to detect a possible physical intrusion in a data communication path connected to the network element. The method includes receiving a notification from the detection device that the detection device has identified a physical intrusion in the data communication path, generating an alert, and transmitting the alert over the packet switched network. The alert may include instructions on how to remediate the physical intrusion that can be automatically implemented by a given network-connected device or manually addressed by a network user or network administrator.

Dissertation
01 Jan 2006
TL;DR: This work presents methods to automatically recover or self-heal from a compromise, and consists of a layered architecture in which the production system and intrusion recovery system run in separate isolated virtual machines.
Abstract: Computer systems are subject to a range of attacks that can compromise their intended operations. Conventional wisdom states that once a system has been compromised, the only way to recover is to format and reinstall. In this work, we present methods to automatically recover or self-heal from a compromise. We term the system an intrusion recovery system. The design consists of a layered architecture in which the production system and intrusion recovery system run in separate isolated virtual machines. The intrusion recovery system monitors the integrity of the production system and repairs state if a compromise is detected. Additionally, a method is introduced to track the dynamic control flow graph of the production system guest kernel. A prototype of the system was built and tested against a suite of rootkit attacks. The system was able to recover from all attacks at a cost of about a 30% performance penalty.

Patent
Eung-Moon Yeom1
07 Dec 2006
TL;DR: This patent describes a dynamic network security system and a control method for a router in which an Intrusion Detection System (IDS) and a Voice over Internet Protocol Application Level Gateway (VoIP ALG) are integrated; the system uses the VoIP IP/port information of a counterpart unit, obtained through VoIP signaling with that unit, to determine whether or not to perform intrusion detection on a received packet.
Abstract: A dynamic network security system and a control method thereof in a router where an Intrusion Detection System (IDS) and a Voice over Internet Protocol Application Level Gateway (VoIP ALG) are integrated, system including: a VoIP ALG module for acquiring VoIP IP/port information of a counterpart unit in use for determining whether or not to perform intrusion detection on a packet received via VoIP signaling with the counterpart unit; an intrusion detection module for comparing the received packet with a preset intrusion detection log entry to perform intrusion detection on the received packet, and based on a result of the intrusion detection, determining whether or not to allow passage of the received packet; and an IP/port check module for checking VoIP IP/port information of the received packet according to the VoIP IP/port information of the counterpart unit provided from the VoIP ALG module to determine whether or not to perform the intrusion detection, and providing result information on the determination whether or not to perform the intrusion detection to the intrusion detection module.

Book ChapterDOI
28 Aug 2006
TL;DR: A three-logic-layer Intrusion Detection System (IDS) architecture, SAID, is proposed that employs agent technology and ideas borrowed from immune mechanisms in order to balance the security of a WSN against communication overhead.
Abstract: An Intrusion Detection System (IDS) is usually regarded as the second line of defense of a network. However, traditional IDSs are not suitable for deployment in Wireless Sensor Networks (WSN) because of the nature of WSN (e.g. self-origination, resource constraints, etc.). In this paper, we propose a three-logic-layer Intrusion Detection System (IDS) architecture, SAID, that employs agent technology and ideas borrowed from immune mechanisms. It has two work modes: 1) an active work mode to improve effectiveness and intelligence against unknown attacks; 2) a passive work mode to detect and defend against known attacks. The basic functions of the three layers, the intrusion response, the evolution approach of the agents and the knowledge base are also presented in this paper. Furthermore, we combine the advantages of a local intrusion detection system with those of a distributed and cooperative intrusion detection system to balance the security of the WSN against communication overhead. We also design three kinds of lightweight agents (monitor agents, decision agents and defense agents) in order to reduce communication overhead, computational complexity and memory cost. The analysis and experimental results show that SAID has good properties for defending against attacks and is suitable for deployment in WSN.

Proceedings ArticleDOI
10 Mar 2006
TL;DR: A hybrid-intelligent system based on Bayesian Learning Networks and Self-Organizing Maps was created and used for classifying network and host based data collected within a Local Area Network and shows that there is an advantage to using a hybrid system such as this because there was a significant improvement in classification accuracy when network-only data is used for classification.
Abstract: Society has grown to rely on Internet services, and the number of Internet users increases every day. As more and more users become connected to the network, the window of opportunity for malicious users to do their damage becomes very great and lucrative. The computer industry is combating the rising threat of malicious activity with new hardware and software products such as Intrusion Detection Systems, Intrusion Prevention Systems, and Firewalls. However, malicious users are constantly looking for ways to bypass the security features of these products, and many times they succeed. This paper describes a novel concept implemented for the purpose of computer and network security with the hope of using it to combat malicious user activity. A hybrid-intelligent system based on Bayesian Learning Networks and Self-Organizing Maps was created and used for classifying network and host based data collected within a Local Area Network. The KDD-CUP-99 data set was used to test this classification system, and the experimental results show that there is an advantage to using a hybrid system such as this, because there was a significant improvement in classification accuracy compared to a non-hybrid Bayesian Learning approach when network-only data is used for classification.