
Showing papers on "Intrusion detection system published in 1996"


Patent
08 Nov 1996
TL;DR: In this paper, the authors present a system and method for network surveillance and detection of attempted intrusions, or intrusions into the network and into computers connected to the network, which includes intrusion detection monitoring, real-time alert, logging of potential unauthorized activity, and incident progress analysis and reporting.
Abstract: This is a system and method for network surveillance and detection of attempted intrusions, or intrusions, into the network and into computers connected to the network. The System functions are: (A) intrusion detection monitoring, (B) real-time alert, (C) logging of potential unauthorized activity, and (D) incident progress analysis and reporting. Upon detection of any attempts to intrude, the System will initiate a log of all activity between the computer elements involved and send an alert to a monitoring console. When a log is initiated, the network continues to be monitored by a primary surveillance system. A secondary monitoring process is started which interrogates the activity log in real-time and sends additional alerts reporting the progress of the suspected intruder.

500 citations


Journal ArticleDOI
TL;DR: A computer system should provide confidentiality, integrity and assurance against denial of service, but due to increased connectivity, and the vast spectrum of financial possibilities that are opening up, more and more systems are subject to attack by intruders.
Abstract: A computer system should provide confidentiality, integrity and assurance against denial of service. However, due to increased connectivity (especially on the Internet), and the vast spectrum of financial possibilities that are opening up, more and more systems are subject to attack by intruders. These subversion attempts try to exploit flaws in the operating system as well as in application programs and have resulted in spectacular incidents like the Internet Worm incident of 1988 [12].

417 citations


Journal ArticleDOI
TL;DR: Cooperating security managers (CSM) is designed to perform intrusion detection and reporting functions in a distributed environment without requiring a designated central site or server to perform the analysis of network audit data.
Abstract: The need for increased security measures in computer systems and networks is apparent through the frequent media accounts of computer system and network intrusions. One attempt at increasing security measures is in the area of intrusion detection packages. These packages use a variety of means to detect intrusive activities and have been applied to both individual computer systems and networks. Cooperating security managers (CSM) is one such package. Applied to a network, CSM is designed to perform intrusion detection and reporting functions in a distributed environment without requiring a designated central site or server to perform the analysis of network audit data. In addition, it is designed to handle intrusions as opposed to simply detecting and reporting on them, resulting in a comprehensive approach to individual system and network intrusions. Tests of the initial prototype have shown the cooperative methodology to perform favourably.

250 citations


Journal ArticleDOI
TL;DR: The authors present the details of the methodology, including strategies for test-case selection and specific testing procedures, and an overview of the software platform that has been used to create user-simulation scripts for testing experiments.
Abstract: Intrusion detection systems (IDSs) attempt to identify unauthorized use, misuse, and abuse of computer systems. In response to the growth in the use and development of IDSs, the authors have developed a methodology for testing IDSs. The methodology consists of techniques from the field of software testing which they have adapted for the specific purpose of testing IDSs. They identify a set of general IDS performance objectives which is the basis for the methodology. They present the details of the methodology, including strategies for test-case selection and specific testing procedures. They include quantitative results from testing experiments on the Network Security Monitor (NSM), an IDS developed at UC Davis. They present an overview of the software platform that has been used to create user-simulation scripts for testing experiments. The platform consists of the UNIX tool expect and enhancements that they have developed, including mechanisms for concurrent scripts and a record-and-replay feature. They also provide background information on intrusions and IDSs to motivate their work.

197 citations


Journal ArticleDOI
TL;DR: The audit process gathers data about activity in the system and analyzes it to discover security violations or diagnose their cause and is usually called intrusion detection.
Abstract: —Authentication establishes the identity of one party to another. Most commonly authentication establishes the identity of a user to some part of the system, typically by means of a password. More generally, authentication can be computer-to-computer or process-to-process and mutual in both directions. —Access control determines what one party will allow another to do with respect to resources and objects mediated by the former. Access control usually requires authentication as a prerequisite. —The audit process gathers data about activity in the system and analyzes it to discover security violations or diagnose their cause. Analysis can occur offline after the fact or online in real time. In the latter case, the process is usually called intrusion detection.

162 citations


Proceedings ArticleDOI
16 Sep 1996
TL;DR: The overall performance of the presented motion detection algorithms is shown to depend on the type of the pelwise temporal filter, and on the image features applied to it.
Abstract: Several pelwise motion detectors are reviewed in this paper. They are compared in the context of intrusion detection in indoor scenes. The presented motion detection algorithms are based on a pelwise detection of changes in the observed input frame with respect to a recursively updated background. The same global decision module is applied to the outputs of the respective pelwise change detectors. The overall performance is shown to depend on the type of the pelwise temporal filter, and on the image features applied to it.

55 citations


Proceedings Article
01 Jan 1996
TL;DR: The intrusion detection system AID is presented which provides new features for network and privacy oriented auditing, and a sophisticated real-time analysis using knowledge based techniques.
Abstract: Intrusion detection systems identify unauthorized use, misuse and abuse of computer systems. Some applications have shown that they are capable of detecting a large amount of security violations. The detection of network based attacks, however, has been solved insufficiently. In addition there are inaccessibilities concerning privacy of the monitored users. In this paper we present the intrusion detection system AID which provides new features for network and privacy oriented auditing, and a sophisticated real-time analysis using knowledge based techniques. The paper describes the objectives and the main features of the AID development.

48 citations



Mark Crosbie, Bryn Dole, Todd Ellis, Ivan Krsul, Eugene H. Spafford
01 Jan 1996
TL;DR: This manual gives a detailed technical description of the IDIOT intrusion detection system from the COAST Laboratory at Purdue University and is intended to help anyone who wishes to use, extend or test the IDIOT system.
Abstract: This manual gives a detailed technical description of the IDIOT intrusion detection system from the COAST Laboratory at Purdue University. It is intended to help anyone who wishes to use, extend or test the IDIOT system. Familiarity with security issues, and intrusion detection in particular, is assumed.

37 citations


Proceedings ArticleDOI
09 Dec 1996
TL;DR: This work presents and describes a case based reasoning approach to intrusion detection which alleviates some of the difficulties of current approaches.
Abstract: Recently there has been significant interest in applying artificial intelligence (AI) techniques to the intrusion detection problem. Attempts have been made to develop rule based and model based expert systems for intrusion detection. Although these systems have been useful for detecting intruders, they face difficulties in acquiring and representing the knowledge. We present and describe a case based reasoning approach to intrusion detection which alleviates some of the difficulties of current approaches.

36 citations


Journal ArticleDOI
TL;DR: An approach to intrusion detection which places the intrusion detection responsibility for users on the host which the user first accesses results in a load leveling for messages across the network and avoids the chokepoint which exists with centralized controllers.


Book ChapterDOI
15 Dec 1996
TL;DR: This paper introduces and describes an innovative modelling approach which utilises models that are synthesised through approximate calculations of user actions and extensive representation of knowledge about how to perform these actions.
Abstract: This paper introduces and describes an innovative modelling approach which utilises models that are synthesised through approximate calculations of user actions and extensive representation of knowledge about how to perform these actions. The Intention modelling approach is based on theories of cognitive and task modelling as well as on theories of intention, rational action and plan recognition. Intention Models (IMs) have been used in the detection of malicious attacks which usually do not consist of illegal actions, but of a set of actions individually acceptable to the system which at a higher level may form non acceptable task(s). A first effort at implementing these models for a real application was for the creation of the UII system, a research prototype for the detection of anomalous behaviour of network users obtained by reasoning about the characterisation of their intentions. It was developed as an autonomous module within SECURENET, a European funded programme that aims at defending open computer systems, employing advanced techniques and methodologies.

Proceedings ArticleDOI
02 Oct 1996
TL;DR: In this article, the authors discuss the sensor fusion approach taken to perform intelligent alarm analysis for the Advanced Exterior Sensor (AES), which is an intrusion detection and assessment system designed for wide area coverage, quick deployment, low false/nuisance alarm operation, and immediate visual assessment.
Abstract: The purpose of an intelligent alarm analysis system is to provide complete and manageable information to a central alarm station operator by applying alarm processing and fusion techniques to sensor information. The paper discusses the sensor fusion approach taken to perform intelligent alarm analysis for the Advanced Exterior Sensor (AES). The AES is an intrusion detection and assessment system designed for wide area coverage, quick deployment, low false/nuisance alarm operation, and immediate visual assessment. It combines three sensor technologies (visible, infrared, and millimeter wave radar) collocated on a compact and portable remote sensor module. The remote sensor module rotates at a rate of 1 revolution per second to detect and track motion and provide assessment in a continuous 360° field-of-regard. Sensor fusion techniques are used to correlate and integrate the track data from these three sensors into a single track for operator observation. Additional inputs to the fusion process include environmental data, knowledge of sensor performance under certain weather conditions, sensor priority, and recent operator feedback. A confidence value is assigned to the track as a result of the fusion process. This helps to reduce nuisance alarms and to increase operator confidence in the system while reducing the workload of the operator.

Proceedings ArticleDOI
19 Jun 1996
TL;DR: The authors show how the basic role-based approach can be extended in the absence of information about the multidatabase keys (global IDs), and propose a strategy based on ranked role-sets that makes use of a semantic integration procedure based on neural networks to determine candidate global IDs.
Abstract: The role-set approach is a new conceptual framework for data integration in multidatabase systems that maintains the materialization autonomy of local database systems and provides users with more accurate information. The role-set approach presents the answer to a query as a set of relations where the distinct intersections between the relations correspond to the various roles played by an entity. The authors show how the basic role-based approach can be extended in the absence of information about the multidatabase keys (global IDs). They propose a strategy based on ranked role-sets that makes use of a semantic integration procedure based on neural networks to determine candidate global IDs. The data integration and query processing steps then produce a number of role-sets, ranked by the similarity of the candidate IDs.

Journal ArticleDOI
TL;DR: A data reduction method is presented that makes multivariate data analysis involved in intrusion detection more efficient and extracts, from the original data set, discriminating components that best characterize user behavior.

Book ChapterDOI
01 Jan 1996
TL;DR: A particularly well developed theory, rough set theory, is discussed and some potential applications to security problems are illustrated.
Abstract: Database mining can be defined as the process of mining for implicit, previously unknown, and potentially useful information from very large databases by efficient knowledge discovery techniques. Naturally such a process may open up new inference channels, detect new intrusion patterns, and raise new security problems. New security concerns and research problems are addressed and identified. Finally a particularly well developed theory, rough set theory, is discussed and some potential applications to security problems are illustrated.

Proceedings Article
01 Jan 1996
TL;DR: The experiment shows that untrusted PC clients have ample intrusion possibilities, and that the vulnerabilities cannot be compensated by security features elsewhere in the system; it is evident that several new security mechanisms must be added before a NetWare 3.12 system can be regarded as secure.
Abstract: This paper presents an intrusion experiment in which the target system was a Personal Computer network connected to a Novell NetWare 3.12 server. Undergraduate students with little security expertise and hardly any knowledge of the system served as attackers and were given the task of performing as many intrusions as possible. The objectives of the experiment were twofold: first, to learn more about how to gather and process data from intrusion experiments and to form a methodology applicable to a generic class of computer systems; and, second, to find out whether it is actually possible to create a secure system based on insecure PC workstations. This paper deals mainly with the latter objective, and investigates how and to what extent unevenly distributed security features, such as a “secure” file server with untrusted clients, affect overall system security. Furthermore, in experiments, as opposed to real life situations, it is possible to collect information about how the attacking process is carried out. Before the experiment, we anticipated that the attackers would create Trojan Horses on the clients to spoof other users during the login process, but we did not expect them to find as many serious vulnerabilities in the concept as they did. The experiment shows that untrusted PC clients have ample intrusion possibilities, and that the vulnerabilities cannot be compensated by security features elsewhere in the system. Novell has undoubtedly spent more effort in securing the file server and its assets than in securing the clients in the system. This paper contains a summary of the security problems the attackers found, from which it is evident that several new security mechanisms must be added before a NetWare 3.12 system can be regarded as secure.

Proceedings ArticleDOI
21 Oct 1996
TL;DR: This paper describes the hardware platform necessary to implement a hardware implementation of a decentralized approach to intrusion detection and proposes an intrusion detection protocol which would be used by this hardware to communicate relevant intrusive activity events between heterogeneous systems connected in a network or internetwork.
Abstract: A number of intrusion detection systems have been developed to detect intrusive activity on individual hosts and networks. These systems rely almost exclusively on a software approach to intrusion detection analysis and response. In addition, the network systems developed apply a centralized approach to the detection of intrusive activity. The problems introduced by this approach are twofold. First, the centralization of these functions becomes untenable as the size of the network increases. However, the introduction of intermediate security systems increases the number of potential targets and introduces communication delays which are unacceptable for high bandwidth data transfers. Second, and more importantly, the combination of centralization and software implementation as an approach to network intrusion detection introduces a dangerous vulnerability. As intruders gain access to the system, they target the security software itself and the centralization ensures the compromise of the entire network. The solution to these problems is a hardware implementation of a decentralized approach to intrusion detection. This paper describes the hardware platform necessary to implement such a system. It also proposes an intrusion detection protocol which would be used by this hardware to communicate relevant intrusive activity events between heterogeneous systems connected in a network or internetwork. This work is based on the Cooperating Security Managers, a peer-based approach to intrusion detection developed at Texas A&M University.

Proceedings ArticleDOI
TL;DR: An image based object detection algorithm which is applied to intrusion detection is presented, characterized by very low computational and memory loads, high sensitivity to the presence of physical intruders and high robustness to slow and abrupt lighting changes.
Abstract: Not available on this page (Web of Science record LTS-ARTICLE-1996-004, created 2006-06-14, modified 2016-08-08).

Book ChapterDOI
24 Jun 1996
TL;DR: This paper describes a realistic intrusion experiment to investigate whether such experiments can yield data suitable for use in quantitative modelling of preventive security, which denotes the system's ability to protect itself from external intrusions.
Abstract: This paper describes a realistic intrusion experiment intended to investigate whether such experiments can yield data suitable for use in quantitative modelling of preventive security, which denotes the system's ability to protect itself from external intrusions. The target system was a network of Personal Computer clients connected to a server. A number of undergraduate students served as attackers and continuously reported relevant data with respect to their intrusion activities. This paper briefly describes the experiment and presents a compilation of all the types of data recorded. A first interpretation and classification of the data are made, and its possible use for modelling purposes is discussed. Summaries of breach parameters and a number of informative diagrams and tables reflecting the intrusion process are presented.

Patent
24 Dec 1996
TL;DR: In this article, an optical intrusion detection system (OIDS) is proposed, which includes an electromagnetic radiation detector located within the chassis of a personal computer or the like, which sends a detection signal to a latching mechanism that latches the signal and maintains the signal even after the chassis is closed.
Abstract: An optical intrusion detection system includes an electromagnetic radiation detector located within the chassis of a personal computer or the like. The EM detector, such as a photodiode or phototransistor, detects EM radiation when the chassis is opened (allowing a person to modify or remove the contents thereof). The EM detector sends a detection signal to a latching mechanism that latches the signal and maintains the signal even after the chassis is closed. A detection component is provided which supplies the detection signal as a data signal to a network administrator terminal coupled to the personal computer where the optical intrusion detection system is installed. A feature of the detection system of the present invention is that intrusion into the chassis is detected silently and without alerting the individual opening the chassis.

Proceedings ArticleDOI
17 Sep 1996
TL;DR: The similarities between people’s health and the security of complex computer systems are explored and nature is looked to for help understanding the threats to computer systems and even find strategies for protecting against them.
Abstract: This paper explores the similarities between people’s health and the security of complex computer systems. The endless battle between threats to human health and our defense mechanisms has been going on for hundreds of thousands of years and has resulted in an extremely flexible set of protections. Our intrusion detection and immune systems are so good that most attacks go unnoticed. In other disciplines, looking to nature has proven extremely valuable. For example, in aviation, we have found many of the most efficient wing designs in birds and even whales. Perhaps we can look to nature for help understanding the threats to computer systems and even find strategies for protecting against them.

Patent
01 Aug 1996
TL;DR: In this paper, an apparatus for detecting intrusions into spaces of various kinds such as apartments, offices, lockers and the like by either authorized or unauthorized persons is presented; it monitors a specific portal for intrusion occurrence events using an intrusion sensing unit, which communicates intrusion occurrence information to a remote, and possibly hidden, monitor unit.
Abstract: An apparatus for detecting intrusions into spaces of various kinds such as apartments, offices, lockers, and the like by either authorized or unauthorized persons. The apparatus monitors a specific portal for intrusion occurrence events using an intrusion sensing unit, which communicates intrusion occurrence information to a remote, and possibly hidden, monitor unit. The monitor dynamically counts the number of valid intrusion occurrence signals received from the sensing unit and stores the same in non-volatile memory. The number of intrusions stored in memory can be displayed on a display means at the monitor unit, which, in a simple embodiment, would take the form of a single, seven segment light emitting diode (LED) display. In addition, the number of intrusions stored in the non-volatile memory can only be reset by the input of a unique, coded personal identification number (PIN) signal from an input keypad located on the monitor unit. More sophisticated embodiments incorporate date and time displays to indicate more specifically the events surrounding a particular intrusion occurrence. Even more sophisticated embodiments incorporate a printer for producing a hardcopy of intrusion occurrence information.


Proceedings ArticleDOI
15 Apr 1996
TL;DR: Describes the data communication platform (DC platform) in a distributed operations system based on TMN (telecommunications management network), and proposes that the state of an association be expressed by standard state attributes.
Abstract: Describes the data communication platform (DC platform) in a distributed operations system based on TMN (telecommunications management network). Our operations system has a load-share/function-share structure, and is composed of a large number of application servers and communication servers using commercially available workstations interconnected through a duplicated high-speed LAN for high reliability, availability, serviceability, and expandability. Because of the large scale of the supervised networks, one feature of our operations system (OpS) is the use of a discriminator managed object (MO) for each association implemented in the network element (NE) so as to reduce the number of less important event-reports from one NE. However, the OpS has several manager applications (AP), and if they establish associations to the same NE one by one, it overloads the discriminating process. Thus, we devised a scheme for the sharing of an association by several manager APs. This scheme raises three issues: assigning invoke IDs, delivering notifications, and managing associations. The first issue is the system for composing invoke IDs that makes it possible to assign IDs that are unique system-wide. The second issue is a filtering system that can deliver an event-report from an NE to the correct manager AP. The third issue is the management of associations; we propose that the state of an association be expressed by standard state attributes. Moreover, to unify the interface with the NE, we propose that the association interface be an MO.

Book ChapterDOI
24 Jun 1996
TL;DR: This paper proposes applying evidential reasoning to handle uncertainty in Intrusion Detection Systems, and shows how dealing with uncertainty allows the system to detect abnormal user behavior more efficiently.
Abstract: Intrusion Detection Systems (IDS) have previously been built by hand. These systems have difficulty successfully classifying intruders, and require a significant amount of computational overhead making it difficult to create robust real-time IDS systems. Artificial Intelligence techniques can reduce the human effort required to build these systems and can improve their performance. AI has recently been used in Intrusion Detection (ID) for anomaly detection, data reduction and induction, or discovery, of rules explaining audit data [1]. This paper proposes the application of evidential reasoning for dealing with uncertainty in Intrusion Detection Systems. We show how dealing with uncertainty can allow the system to detect the abnormality in the user behavior more efficiently.

Proceedings ArticleDOI
TL;DR: The Network Intrusion Detector (NID), designed to monitor and analyze activity on an Ethernet broadcast Local Area Network segment and produce transcripts of suspicious user connections, is described.
Abstract: This paper describes our technical approach to developing and delivering Unix host- and network-based security products to meet the increasing challenges in information security. Today's global "Infosphere" presents us with a networked environment that knows no geographical, national, or temporal boundaries, and no ownership, laws, or identity cards. This seamless aggregation of computers, networks, databases, applications, and the like stores, transmits, and processes information. This information is now recognized as an asset to governments, corporations, and individuals alike. This information must be protected from misuse. The Security Profile Inspector (SPI) performs static analyses of Unix-based clients and servers to check on their security configuration. SPI's broad range of security tests and flexible usage options support the needs of novice and expert system administrators alike. SPI's use within the Department of Energy and Department of Defense has resulted in more secure systems, less vulnerable to hostile intentions. Host-based information protection techniques and tools must also be supported by network-based capabilities. Our experience shows that a weak link in a network of clients and servers presents itself sooner or later, and can be more readily identified by dynamic intrusion detection techniques and tools. The Network Intrusion Detector (NID) is one such tool. NID is designed to monitor and analyze activity on an Ethernet broadcast Local Area Network segment and produce transcripts of suspicious user connections. NID's retrospective and real-time modes have proven invaluable to security officers faced with ongoing attacks to their systems and networks.

01 Mar 1996
TL;DR: In this article, the authors describe the theory and development of an ultrawideband (UWB) electronic scanning radar (ESR) using a linear array of 10 microwave sources for intrusion detection applications.
Abstract: This report describes the theory and development of an ultrawideband (UWB) electronic scanning radar (ESR) using a linear array of 10 microwave sources for intrusion detection applications. Each source produces a 1 kW peak S band pulse having a duration of 1 ns. At boresight, the array produces an effective radiated power (erp) of 100 kW because the voltages of the individual sources add coherently in the far field. In addition to the ESR feature, a new algorithm was developed having the constant false alarm rate (CFAR) tunnel diode receiver threshold on noise and ground clutter. To reduce false alarms and improve detection and identification of crawlers, walkers, runners, and animal and vehicle targets, a new signal processing scheme employing a leading edge filter (LEF), in combination with neural network processing concepts, has been successfully developed. And by training neural networks to recognize these signatures, the results show promise for future use in other UWB systems. A primary advantage of the UWB ESR radar is low cost. It is estimated that the cost of this type of system is less than 1/10 of comparable conventional radar ESR systems. Efforts to commercially exploit this technique are in progress.

Proceedings ArticleDOI
01 Sep 1996
TL;DR: Several operational issues that should be addressed in order to use an IDS effectively are discussed, and applying these tips can help keep the IDS operating at peak performance.
Abstract: The installation of a new intrusion detection system (IDS) is, of course, expected to improve site security. However, depending upon the way the system is used, it can, over time, actually degrade security. Proper use, control, and maintenance of the IDS is critical if site security is to be maintained. This paper discusses several operational issues that should be addressed in order to use an IDS effectively. Several anecdotes from the author's experience are given to illustrate proper and improper use of an IDS. Improper operational use of an IDS can render it ineffective. Applying these tips can help keep the IDS operating at peak performance.