
Showing papers on "Intrusion detection system published in 1992"


Proceedings ArticleDOI
04 May 1992
TL;DR: The authors describe IDES, whose statistical component learns a user's habits and warns when current behavior departs from them, argue that a time series approach would broaden that model, and introduce a neural network component for modeling user behavior as an alternative technique for the intrusion detection system.
Abstract: An approach toward user behavior modeling that takes advantage of the properties of neural algorithms is described, and results obtained on preliminary testing of the approach are presented. The basis of the approach is the IDES (Intruder Detection Expert System) which has two components, an expert system looking for evidence of attacks on known vulnerabilities of the system and a statistical model of the behavior of a user on the computer system under surveillance. This model learns the habits a user has when he works with the computer, and raises warnings when the current behavior is not consistent with the previously learned patterns. The authors suggest the time series approach to add broader scope to the model. They therefore feel the need for alternative techniques and introduce the use of a neural network component for modeling user's behavior as a component for the intrusion detection system.

547 citations



Patent
30 Apr 1992
TL;DR: A pattern-oriented intrusion detection system and method defines patterns of intrusion in terms of object privilege and information flow in secure computer systems, so that context-dependent intrusions (for example those caused by inadvertently executing foreign programs containing viruses or Trojan horses) can be detected as they occur.
Abstract: The present invention provides a pattern-oriented intrusion detection system and method that defines patterns of intrusion based on object privilege and information flow in secure computer systems to detect actual intrusion occurrences. This approach has the advantage of detecting context-dependent intrusions such as those caused by inadvertent execution of foreign programs containing viruses or Trojan Horses and also those caused by unintended use of foreign input data. The present invention can track both information and privilege flows within a system, and has the ability to uniformly define various types of intrusion patterns. Operational security problems can lead to intrusion in secure computer systems. With this approach, explicitly defined types of intrusion patterns due to operational security problems can be detected.

218 citations


Proceedings ArticleDOI
07 Jun 1992
TL;DR: The authors present an application of recurrent neural networks for intrusion detection using a partially recurrent network that acts as a data filter that highlights anomalous or suspicious data according to previously learned patterns.
Abstract: The authors present an application of recurrent neural networks for intrusion detection. A partially recurrent network has been chosen for this particular application. The neural network acts as a data filter that highlights anomalous or suspicious data according to previously learned patterns. It has proven adaptive, because the same results for several users have been obtained with varying activities. The network cosine function was tested, and a hetero-associative version of the network was used to analyze the flipflop problem.

87 citations


Proceedings Article
01 Jan 1992

38 citations


Patent
30 Jul 1992
TL;DR: A dual sensor intrusion detection system uses adaptive sensor detection techniques to reduce false alarms, such as increasing the stability of one sensor after the other sensor continuously detects motion without confirmation by the first.
Abstract: A dual sensor intrusion detection system utilizes adaptive sensor detection techniques to reduce false alarms. The adaptive sensor detection techniques include increasing the stability of one sensor after the other sensor continuously detects motion without confirmation by the first sensor.

32 citations


Journal ArticleDOI
TL;DR: The proper role of intrusion detection in overall computer security is specified, and Wisdom & Sense™ (W&S) is shown to perform favorably compared to the frequentist approach.

26 citations


Proceedings ArticleDOI
16 Jun 1992
TL;DR: Modeling computer use as a mixture of a normal and a misuse process, the authors show that any optimal intrusion detection system must rank transaction suspicion consistently with the ratio of the misuse density to the normal density at each transaction, and that the 'singleton reduction' problem of grouping sparse transactions into order-preserving equivalence classes is in general NP-hard.
Abstract: Computer use is modeled as a mixture of two stochastic processes, normal and misuse. Intrusion detection is formally defined as identifying those transactions generated by the misuse process. Bounds for detection performance are derived in terms of the ratios of the densities of the processes at the individual transactions. It is shown that any optimal intrusion detection system must rank transaction suspicion consistently with these ratios. Sparsity of data requires that transactions be grouped into equivalence classes that preserve the order of the true ratio ranking and reduce the number of singleton and unobserved transactions. Results are described that demonstrate that in general this 'singleton reduction' problem is NP-hard.

22 citations
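The ranking result in the abstract above, as an added worked example (this is not the paper's code): on a constructed alphabet of audit transactions with made-up normal and misuse probabilities, the block computes the density ratio for each transaction, builds the threshold detectors the abstract refers to, and verifies by brute force on this small alphabet that no other alarm set with the same or lower false-alarm probability detects more misuse. The transaction names and probabilities are assumptions chosen so the arithmetic is exact.

```python
"""Likelihood-ratio ranking of audit transactions (added illustration of the
two-process mixture view of intrusion detection; not code from the paper)."""
import math
from fractions import Fraction
from itertools import combinations

# Constructed transaction alphabet with its probability under the normal and
# misuse processes. Real densities would be estimated from audit data; these
# numbers are made up so that every ratio is an exact fraction.
NORMAL = {
    "login": Fraction(30, 100), "ls": Fraction(25, 100), "edit": Fraction(25, 100),
    "compile": Fraction(15, 100), "su": Fraction(4, 100),
    "cat /etc/passwd": Fraction(1, 100), "read /dev/kmem": Fraction(0),
}
MISUSE = {
    "login": Fraction(10, 100), "ls": Fraction(15, 100), "edit": Fraction(5, 100),
    "compile": Fraction(5, 100), "su": Fraction(30, 100),
    "cat /etc/passwd": Fraction(25, 100), "read /dev/kmem": Fraction(10, 100),
}
assert sum(NORMAL.values()) == 1 and sum(MISUSE.values()) == 1


def suspicion(t, normal=NORMAL, misuse=MISUSE):
    """Density ratio f_misuse(t) / f_normal(t). A transaction that normal use
    never produces is infinitely suspicious."""
    if normal.get(t, 0) == 0:
        return math.inf
    return misuse.get(t, 0) / normal[t]


def ranking(normal=NORMAL, misuse=MISUSE):
    """All transactions from most to least suspicious; ties keep alphabetical
    order because sorted() is stable even with reverse=True."""
    keys = sorted(set(normal) | set(misuse))
    return sorted(keys, key=lambda t: suspicion(t, normal, misuse), reverse=True)


def performance(flagged, normal=NORMAL, misuse=MISUSE):
    """(detection probability, false-alarm probability) of alarming on `flagged`."""
    return (sum(misuse.get(t, 0) for t in flagged),
            sum(normal.get(t, 0) for t in flagged))


def threshold_set(c, normal=NORMAL, misuse=MISUSE):
    """Detector that alarms on every transaction whose suspicion is >= c."""
    return {t for t in set(normal) | set(misuse) if suspicion(t, normal, misuse) >= c}


def scan(transactions, c, normal=NORMAL, misuse=MISUSE):
    """Apply the threshold-c detector to an audit stream; returns the alarms."""
    alarm = threshold_set(c, normal, misuse)
    return [t for t in transactions if t in alarm]


def ratio_detectors_are_optimal(normal=NORMAL, misuse=MISUSE):
    """Brute-force check of the abstract's bound on this alphabet: no alarm set
    whose false-alarm mass is <= that of a ratio-threshold set detects more."""
    keys = sorted(set(normal) | set(misuse))
    for c in {suspicion(t, normal, misuse) for t in keys}:
        pd_a, pfa_a = performance(threshold_set(c, normal, misuse), normal, misuse)
        for k in range(len(keys) + 1):
            for other in combinations(keys, k):
                pd_b, pfa_b = performance(other, normal, misuse)
                if pfa_b <= pfa_a and pd_b > pd_a:
                    return False
    return True


if __name__ == "__main__":
    for t in ranking():
        print("%-16s ratio=%s" % (t, suspicion(t)))
    print("alarms:", scan(["login", "su", "ls", "read /dev/kmem"], Fraction(1)))
    print("ratio detectors optimal on this alphabet:", ratio_detectors_are_optimal())
```

Any monotone transform of the ratio gives the same ranking, which is why the abstract can phrase the optimality condition purely in terms of ordering; the brute-force check is only feasible on a toy alphabet, and the sparsity problem the abstract goes on to describe is exactly what makes the ratios hard to estimate for real transaction alphabets.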


Patent
14 May 1992
TL;DR: An intrusion detection apparatus whose microwave transmitter is a generally unshielded dielectric resonating oscillator; its parasitic field is radiated within a volume, and Doppler detection apparatus senses the Doppler signals reflected by a moving object within that volume.
Abstract: Intrusion detection apparatus including a microwave transmitter comprising a generally unshielded dielectric resonating oscillator, whose parasitic field is radiated within a volume and Doppler detection apparatus for sensing received Doppler signals reflected by a moving object within the volume.

12 citations


Patent
04 Jul 1992
TL;DR: A self-correcting infrared intrusion detection system for elevator doors establishes multiple through-beams, chooses between two door-width sensing routines based on the presence or absence of a Shepherd beam established diagonally between the doors, and marks out failed beam paths so that it keeps working after partial hardware failure.
Abstract: A self-correcting infrared intrusion detection system (30) primarily for elevator doors establishes multiple through-beams (44) to intelligently detect passengers and adjust for environmental changes. Beam patterns are monitored by software that differentiates between intrusions and malfunctions and adjusts itself automatically when hardware partially fails in the absence of an intrusion. The system automatically chooses and executes two different door-width sensing routines. A plurality of spaced apart transmitter stations (43) mounted vertically apart in one door faces a plurality of spaced apart receiver stations (45) mounted in the other door. Each transmitter station periodically radiates modulated light towards the receivers in the opposite door. A main control circuit monitors all receivers (45), controls all the transmitters (43), and executes the software. The presence or absence of a Shepherd beam established diagonally between the doors determines whether the system executes a "long beam" pattern when the doors are far apart or a "short beam" pattern when the doors are closer together. Gate networks can be jumpered to variably configure the transmitters and receivers. The software adjusts for broken parts or semi-permanently interrupted beams by automatically marking out inoperative pathways, thus enabling the system to continue functioning with alternative beam sequences evolved on the job. Marked out beams are periodically re-established by the software. Diagnostic indicators monitor blocked beams to warn service personnel.

12 citations


Proceedings ArticleDOI
K.L. Petersen1
21 Sep 1992
TL;DR: The author provides an overview of the IDA (intrusion detection alert) knowledge-based system project, which involves the development of a prototype knowledge based system to analyze mainframe security audit trail data.
Abstract: The author provides an overview of the IDA (intrusion detection alert) knowledge-based system project. This project involves the development of a prototype knowledge based system to analyze mainframe security audit trail data. Various aspects of the IDA knowledge-based system prototyping effort, including project management, design, and development are discussed. Highlights of IDA features are described. The use of knowledge based system technology to address the increased importance of securing corporate data and information systems, a critical and valuable company asset, is the primary focus.

Proceedings Article
27 May 1992

01 Oct 1992
TL;DR: Analysis by NADIR of two types of ICN activity: user authentication and access control, and mass file storage is described, which highlights system design issues of data handling, exploiting existing auditing systems, and performing audit analysis at the network level.
Abstract: This paper describes the design of a prototype computer misuse detection system for the Los Alamos National Laboratory's Integrated Computing Network (ICN). This automated expert system, the Network Anomaly Detection and Intrusion Reporter (NADIR), streamlines and supplements the manual audit record review traditionally performed by security auditors. NADIR compares network activity, as summarized in weekly profiles of individual users and the ICN as a whole, against expert rules that define security policy, improper or suspicious behavior, and normal user activity. NADIR reports suspicious behavior to security auditors and provides tools to aid in follow-up investigations. This paper describes analysis by NADIR of two types of ICN activity: user authentication and access control, and mass file storage. It highlights system design issues of data handling, exploiting existing auditing systems, and performing audit analysis at the network level.

Journal ArticleDOI
TL;DR: Current AI activities in five areas are described: (1) enterprise advisory systems, (2) natural language processing and textual information retrieval, (3) large-scale knowledge base management and access, (4) software configuration management, and (5) intrusion detection.
Abstract: The Digital Services Research Group and its predecessor groups and offshoots in Digital Equipment Corporation have been mobilizing leading-edge AI research to bear on real-life problems that face the corporation and its customers. The general strategy of the group is to explore emerging techniques relevant to service and support needs through developing rapid prototypes, deploying these prototypes, and incorporating feedback from users. With over 32 major projects undertaken during the past decade, we have worked on a broad spectrum of problems and explored a variety of advanced AI techniques. This article describes the current AI activities in five areas: (1) enterprise advisory systems, (2) natural language processing and textual information retrieval, (3) large-scale knowledge base management and access, (4) software configuration management, and (5) intrusion detection. We also list some future research directions.


Proceedings ArticleDOI
14 Oct 1992
TL;DR: The rapid deployment and redeployable intrusion detection systems (RDIDS/RIDS) were extensively tested in 1988 at the NASA Space Center in Cape Kennedy, Florida; the pulsed infrared system is integrated with a VHF/UHF radio frequency (RF) transmitter, is powered by a battery-backed photovoltaic energy system, and generated no false alarms during the test period, though pelicans flying through the IR beam with outstretched wings did trigger it.
Abstract: The rapid deployment and redeployable intrusion detection systems (RDIDS/RIDS) were extensively tested in 1988 at the NASA Space Center in Cape Kennedy, Florida. A brief history of the testing is given. The pulsed infrared system is integrated with a radio frequency (RF) transmitter operating in the VHF and UHF frequencies, powered by a battery backup photovoltaic energy system. The system was exposed to severe climatic changes throughout the test period. During the test period the system did not generate any false alarms. It was unaffected by high waves, high winds, small birds, leaves, or partial shielding of one sensor by foliage. However, the system did alarm when pelicans flew through the IR beam with outstretched wings perpendicular to the IR beam, covering more than 90% of the beam. A solution to this problem is described. The latest photovoltaic power system developed for use with the RDIDS and the telemetry portion of the RDIDS are outlined.

Patent
15 Jun 1992
TL;DR: A laser-based intrusion detection method propagates laser light around the periphery of a monitored area through reflection units and judges whether an intrusion has occurred, and where, from whether the laser light extracted by each optical unit is present, so that the installation can flexibly cope with extension and reconstruction of a building and is easy to construct and maintain.
Abstract: PURPOSE: To flexibly cope with the extension and reconstruction of a building and to facilitate the construction and maintenance by propagating laser light at the periphery of an intrusion monitor area, and judging whether or not there is an intrusion and its position from whether or not the laser light extracted by respective optical units is present. CONSTITUTION: The laser light output by a laser oscillator 40 is propagated at the periphery of the building 1 through plural reflection units 10-1, 10-2, 20-1, and 20-2. The laser light in this state which is cut off by an intruder is judged by a laser photodetector 41 and an intrusion judging circuit 44 to decide the intrusion and its position. Consequently, even when the building is extended or reconstructed, that can flexibly be coped with, the construction and maintenance are facilitated, and the cost is reduced, thereby realizing high-reliability intrusion detection.

01 Oct 1992
TL;DR: Major improvements to the RSS system developed during the final year are an autonomous patrol capability, which allows TMSS to execute security patrols with limited operator interaction, and a neural network approach to sensor fusion, which significantly improves the system's ability to filter out nuisance alarms due to adverse weather conditions.
Abstract: The Remote Security Station (RSS) was developed by Sandia National Laboratories for the Defense Nuclear Agency to investigate issues pertaining to robotics and sensor fusion in physical security systems. This final report documents the status of the RSS program at its completion in April 1992. The RSS system consists of the Man Portable Security Station (MaPSS) and the Telemanaged Mobile Security Station (TMSS), which are integrated by the Operator's Control Unit (OCU) into a flexible exterior perimeter security system. The RSS system uses optical, infrared, microwave, and acoustic intrusion detection sensors in conjunction with sensor fusion techniques to increase the probability of detection and to decrease the nuisance alarm rate of the system. Major improvements to the system developed during the final year are an autonomous patrol capability, which allows TMSS to execute security patrols with limited operator interaction, and a neural network approach to sensor fusion, which significantly improves the system's ability to filter out nuisance alarms due to adverse weather conditions.

Proceedings ArticleDOI
30 Apr 1992
TL;DR: Passive infrared sensors used for intrusion detection on mobile robots are prone to false alarms from clutter and decoy objects; combining thermal and ultrasonic signals yields a more robust personnel detector, and two fusion strategies are compared: a statistical classifier using features such as sonar cross-section, received thermal energy and ultrasonic range, and a 3-layered neural classifier trained by backpropagation.
Abstract: Passive infrared sensors used for intrusion detection, especially those used on mobile robots, are vulnerable to false alarms caused by clutter objects such as radiators, steam pipes, windows, etc., as well as deliberately caused false alarms caused by decoy objects. To overcome these sources of false alarms, we are now combining thermal and ultrasonic signals, the result being a more robust system for detecting personnel. Our paper will discuss the fusion strategies used for combining sensor information. Our first strategy uses a statistical classifier using features such as the sonar cross-section, the received thermal energy, and ultrasonic range. Our second strategy uses a 3-layered neural classifier trained by backpropagation. The probability of correct classification and the false alarm rate for both strategies will be presented in the paper.

01 Jan 1992
TL;DR: A partially recurrent neural network is applied to intrusion detection; the architecture of the net and its behavior on classical examples are described, and a prototype demonstrates the capability of neural nets for modeling user behavior from audit data.
Abstract: We present an application of recurrent neural networks for intrusion detection. Such algorithms have been widely studied for time series prediction. Due to the characteristics of the temporal series that we consider, we have chosen a partially recurrent network for our application. After a description of the reactions of the network on classical problems, we present a prototype that we use to demonstrate the capability of neural nets in the field of intrusion detection.

The application we present here is related to intrusion detection. This topic belongs to the field of computer security. There are three kinds of computer security applications: access control mechanisms, intrusion detection systems, and restoration procedures. The first domain deals with ensuring that the user is the one he claims to be and is a registered person. It mainly deals with cryptography and access control. The third one deals with restoring the system to a working state after damages (physical or logical) have occurred. Both domains have been studied and have machine implementations on almost all operating systems. The second field is fairly new. In fact, research on intrusion detection started about 1985. Today's computers and networks are so complex that it is impossible to rely fully on access control to ensure a system is secure. There are always flaws in the operating system or errors in the human administration. As a result, there are weak points through which a hacker can enter any system and do much damage. Therefore, there is the need for a tool that would detect intruders, explain where they came from and how they did it. Generally, such tools have two components [Denning85]. The first one is an expert system that gathers in its knowledge base the description of the intrusion scenarios that have occurred on the system under surveillance (or on similar systems). The other is a model of behavior that detects changes in the behavior either of the system itself or of its users. The underlying hypothesis is that somebody doing a daily or weekly regular job on a computer has habits. If he tries to hack the computer (insider's attack) or if somebody else logs in under his name (masquerade), the resulting behavior patterns will be much different from the ones previously observed and modelled. In this paper, we will focus on the model of behavior, and we decided to use neural networks for this model. We first present the problem, then justify the choice of a recurrent neural network. We then describe the architecture of the net and its behavior on classical examples, and finally display some results obtained with the application.

The data we get for our model comes from the various auditing mechanisms provided on each operating system, for example the UNIX log files that support our tests. This model concerns not only the mainframe environment itself, and the attitude of the user towards it, but also the surrounding communication network. The data is considered as a continuous sequential ordered stream of events. These events, in our case, are the commands submitted by the user, along with their qualifiers. There are two types of data: numerical bounded values, for example the CPU usage or memory size, and discrete values, for example the name of the command or the names of the files accessed. These values are combined into a vector. We thus obtain a multivariate time series that we want to study. On this time series, we formulate three hypotheses. In order to teach it, we need it to be cyclic or pseudo-periodic, or at least to exhibit empirical regularities. We also state that each of the variables of the vector follows a law, either deterministic, stochastic or a mixture of both. This law cannot generally be expressed in an analytical way or
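The behavior model described in the abstract above (and the statistical component of IDES described in the first entry on this page), as an added worked example that is not code from either paper: it parses a constructed audit trail in an assumed `user time command cpu=<sec> mem=<KB>` format, learns each user's command frequencies and per-field statistics from a training period, and reports records that introduce a command the user has never issued, deviate by more than three standard deviations on a numeric field, or belong to a user with no profile. The record format, field names, sample records and threshold are all assumptions; a statistical profile replaces the neural network the paper uses for the same role.

```python
"""Profile-based anomaly detection over a constructed audit trail (added
illustration of the behavior-model component; not code from IDES or the paper)."""
import math
import statistics
from collections import Counter, defaultdict

# Constructed audit records: "<user> <time> <command> cpu=<sec> mem=<KB>".
# They stand in for the UNIX log data the paper mentions; the format is assumed.
TRAINING_AUDIT = """\
alice 09:00 login cpu=0.1 mem=128
alice 09:01 ls cpu=0.0 mem=64
alice 09:03 edit cpu=0.5 mem=512
alice 09:10 compile cpu=2.1 mem=1024
alice 09:11 ls cpu=0.1 mem=64
alice 09:15 edit cpu=0.6 mem=480
alice 09:20 compile cpu=1.8 mem=1100
alice 09:21 ls cpu=0.0 mem=70
alice 09:25 edit cpu=0.4 mem=500
alice 09:30 compile cpu=2.4 mem=980
alice 09:31 ls cpu=0.1 mem=66
alice 09:40 logout cpu=0.0 mem=32
"""

NUMERIC_FIELDS = ("cpu", "mem")   # the bounded numeric part of the event vector
Z_THRESHOLD = 3.0                 # assumed: deviation that counts as anomalous


def parse_record(line):
    """Turn one audit line into an event vector: discrete fields (user, command)
    plus numeric fields (cpu, mem)."""
    user, time, cmd, *kv = line.split()
    event = {"user": user, "time": time, "cmd": cmd}
    for item in kv:
        key, value = item.split("=", 1)
        event[key] = float(value)
    return event


class UserProfile:
    """Learned habits of one user: command frequencies and per-field statistics.
    Statistics are kept per user here; keying them per (user, command) is the
    obvious refinement for commands with very different resource use."""

    def __init__(self):
        self.commands = Counter()
        self.samples = defaultdict(list)

    def learn(self, event):
        self.commands[event["cmd"]] += 1
        for field in NUMERIC_FIELDS:
            self.samples[field].append(event[field])

    def z_score(self, field, value):
        xs = self.samples[field]
        mean = statistics.mean(xs)
        sd = statistics.pstdev(xs)
        if sd < 1e-9:                       # field was constant in training
            return 0.0 if value == mean else math.inf
        return (value - mean) / sd

    def reasons(self, event):
        """Explain why an event departs from the profile; empty list if it fits."""
        out = []
        if event["cmd"] not in self.commands:
            out.append("unseen command %r" % event["cmd"])
        for field in NUMERIC_FIELDS:
            z = self.z_score(field, event[field])
            if abs(z) > Z_THRESHOLD:
                out.append("%s z=%.1f" % (field, z))
        return out


def build_profiles(audit_text):
    """Learning phase: one profile per user from the training records."""
    profiles = defaultdict(UserProfile)
    for line in audit_text.splitlines():
        if line.strip():
            event = parse_record(line)
            profiles[event["user"]].learn(event)
    return dict(profiles)


def detect(profiles, audit_text):
    """Surveillance phase: (user, command, reasons) for each record that does not
    match its user's learned profile; a user with no profile is always reported."""
    alarms = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        event = parse_record(line)
        profile = profiles.get(event["user"])
        reasons = ["no profile for user"] if profile is None else profile.reasons(event)
        if reasons:
            alarms.append((event["user"], event["cmd"], reasons))
    return alarms


# Constructed surveillance stream: one normal record, a masquerader-style
# unseen command, a compile with implausible CPU time, and an unknown user.
TEST_AUDIT = """\
alice 10:01 ls cpu=0.1 mem=64
alice 10:02 cat cpu=0.1 mem=64
alice 10:03 compile cpu=45.0 mem=990
bob 10:04 ls cpu=0.1 mem=64
"""

if __name__ == "__main__":
    for user, cmd, why in detect(build_profiles(TRAINING_AUDIT), TEST_AUDIT):
        print(user, cmd, "; ".join(why))
```

The two alarm sources mirror the two data types the abstract distinguishes: the discrete command name is checked against the learned vocabulary, and each bounded numeric value is checked against its learned distribution. Twelve training records is far too few for a real profile; with that little data the per-field standard deviation is unstable, which is one reason the papers on this page look to time series and neural models rather than simple per-field statistics.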