
Showing papers on "Intrusion detection system published in 1997"


Journal ArticleDOI
TL;DR: This paper uses a rule-learning program to uncover indicators of fraudulent behavior from a large database of customer transactions, which are used to create a set of monitors, which profile legitimate customer behavior and indicate anomalies.
Abstract: One method for detecting fraud is to check for suspicious changes in user behavior. This paper describes the automatic design of user profiling methods for the purpose of fraud detection, using a series of data mining techniques. Specifically, we use a rule-learning program to uncover indicators of fraudulent behavior from a large database of customer transactions. Then the indicators are used to create a set of monitors, which profile legitimate customer behavior and indicate anomalies. Finally, the outputs of the monitors are used as features in a system that learns to combine evidence to generate high-confidence alarms. The system has been applied to the problem of detecting cellular cloning fraud based on a database of call records. Experiments indicate that this automatic approach performs better than hand-crafted methods for detecting fraud. Furthermore, this approach can adapt to the changing conditions typical of fraud detection environments.

950 citations


Proceedings Article
01 Dec 1997
TL;DR: A backpropagation neural network called NNID (Neural Network Intrusion Detector) was trained in the identification task and tested experimentally on a system of 10 users, suggesting that learning user profiles is an effective way for detecting intrusions.
Abstract: With the rapid expansion of computer networks during the past few years, security has become a crucial issue for modern computer systems. A good way to detect illegitimate use is through monitoring unusual user activity. Methods of intrusion detection based on hand-coded rule sets or predicting commands on-line are laborious to build or not very reliable. This paper proposes a new way of applying neural networks to detect intrusions. We believe that a user leaves a 'print' when using the system; a neural network can be used to learn this print and identify each user much like detectives use thumbprints to place people at crime scenes. If a user's behavior does not match his/her print, the system administrator can be alerted of a possible security breach. A backpropagation neural network called NNID (Neural Network Intrusion Detector) was trained in the identification task and tested experimentally on a system of 10 users. The system was 96% accurate in detecting unusual activity, with 7% false alarm rate. These results suggest that learning user profiles is an effective way for detecting intrusions.

493 citations



Book
01 Oct 1997
TL;DR: An overview of the motivation behind DIDS, the system architecture and capabilities, and a discussion of the early prototype of the DIDS is provided.
Abstract: Intrusion detection is the problem of identifying unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators. The proliferation of heterogeneous computer networks provides additional implications for the intrusion detection problem. Namely, the increased connectivity of computer systems gives greater access to outsiders, and makes it easier for intruders to avoid detection. IDS’s are based on the belief that an intruder’s behavior will be noticeably different from that of a legitimate user. We are designing and implementing a prototype Distributed Intrusion Detection System (DIDS) that combines distributed monitoring and data reduction (through individual host and LAN monitors) with centralized data analysis (through the DIDS director) to monitor a heterogeneous network of computers. This approach is unique among current IDS’s. A main problem considered in this paper is the Network-user Identification problem, which is concerned with tracking a user moving across the network, possibly with a new user-id on each computer. Initial system prototypes have provided quite favorable results on this problem and the detection of attacks on a network. This paper provides an overview of the motivation behind DIDS, the system architecture and capabilities, and a discussion of the early prototype.

469 citations


Proceedings ArticleDOI
04 May 1997
TL;DR: A formal framework for specifying the security-relevant behavior of programs is developed, on which a real-time intrusion detection system for a distributed system is based, and security specifications for 15 Unix setuid root programs are written.
Abstract: We describe a specification-based approach to detect exploitations of vulnerabilities in security-critical programs. The approach utilizes security specifications that describe the intended behavior of programs and scans audit trails for operations that are in violation of the specifications. We developed a formal framework for specifying the security-relevant behavior of programs, on which we based the design and implementation of a real-time intrusion detection system for a distributed system. Also, we wrote security specifications for 15 Unix setuid root programs. Our system detects attacks caused by monitored programs, including security violations caused by improper synchronization in distributed programs. Our approach encompasses attacks that exploit previously unknown vulnerabilities in security-critical programs.

408 citations


DOI
01 Jan 1997
TL;DR: The preliminary experiments to extend the work pioneered by Forrest on learning the (normal abnormal) patterns of Unix processes can be used to identify misuses of and intrusions in Unix systems indicate that machine learning can play an important role by generalizing stored sequence information to perhaps provide broader intrusion detection services.
Abstract: In this paper we describe our preliminary experiments to extend the work pioneered by Forrest (see Forrest et al. 1996) on learning the (normal/abnormal) patterns of Unix processes. These patterns can be used to identify misuses of and intrusions in Unix systems. We formulated machine learning tasks on operating system call sequences of normal and abnormal (intrusion) executions of the Unix sendmail program. We show that our methods can accurately distinguish all abnormal executions of sendmail from the normal ones provided in a set of test traces. These preliminary results indicate that machine learning can play an important role by generalizing stored sequence information to perhaps provide broader intrusion detection services. The experiments also reveal some interesting and challenging problems for future research. [...] much effort has been devoted to the problem of detecting intrusions as quickly as possible. There are two basic approaches to intrusion detection: - Misuse Intrusion Detection: known patterns of (past

333 citations


Patent
Jonathan Trostle
08 Aug 1997
TL;DR: In this paper, a networked workstation performs an intrusion detection hashing function on selected workstation executable program(s) during pre-boot (i.e., the period of time prior to initiating operation of the workstation operating system).
Abstract: During pre-boot (i.e., the period of time prior to initiating operation of the workstation operating system), a networked workstation performs an intrusion detection hashing function on selected workstation executable program(s). A computed hash value calculated by the hashing operation is compared against a trusted hash value that is downloaded from a server in order to detect illicit (i.e., unauthorized) changes to the selected workstation executable programs.

316 citations


Proceedings Article
14 Aug 1997
TL;DR: The overall architecture of the JAM system and the specific implementation currently under development at Columbia University are described; one of JAM's target applications is fraud and intrusion detection in financial information systems.
Abstract: In this paper, we describe the JAM system, a distributed, scalable and portable agent-based data mining system that employs a general approach to scaling data mining applications that we call meta-learning. JAM provides a set of learning programs, implemented either as JAVA applets or applications, that compute models over data stored locally at a site. JAM also provides a set of meta-learning agents for combining multiple models that were learned (perhaps) at different sites. It employs a special distribution mechanism which allows the migration of the derived models or classifier agents to other remote sites. We describe the overall architecture of the JAM system and the specific implementation currently under development at Columbia University. One of JAM's target applications is fraud and intrusion detection in financial information systems. A brief description of this learning task and JAM's applicability are also described. Interested users may download JAM from http://www.cs.columbia.edu/~sal/JAM/PROJECT.

314 citations


Proceedings ArticleDOI
04 May 1997
TL;DR: The classification of intrusion techniques is based on a scheme proposed by Neumann and Parker (1989), refining relevant parts of their scheme; the classification of intrusion results is derived from the traditional three aspects of computer security: confidentiality, availability and integrity.
Abstract: This paper presents a classification of intrusions with respect to the technique as well the result. The taxonomy is intended to be a step on the road to an established taxonomy of intrusions for use in incident reporting, statistics, warning bulletins, intrusion detection systems etc. Unlike previous schemes, it takes the viewpoint of the system owner and should therefore be suitable to a wider community than that of system developers and vendors only. It is based on data from a realistic intrusion experiment, a fact that supports the practical applicability of the scheme. The paper also discusses general aspects of classification, and introduces a concept called dimension. After having made a broad survey of previous work in the field, we decided to base our classification of intrusion techniques on a scheme proposed by Neumann and Parker (1989) and to further refine relevant parts of their scheme. Our classification of intrusion results is derived from the traditional three aspects of computer security: confidentiality, availability and integrity.

282 citations


Journal ArticleDOI
TL;DR: Preliminary work in analyzing system call traces, particularly their structure during normal and anomalous behavior, reveals that normal program behavior can be described compactly using deterministic finite automata.
Abstract: Unusual behavior in computer systems can be detected by monitoring the system calls being executed by programs. Analysis of the temporal ordering of these calls reveals that such anomalies are localized within traces and that normal program behavior can be described compactly using deterministic finite automata. This article presents preliminary work in analyzing system call traces, particularly their structure during normal and anomalous behavior.

241 citations


Patent
29 Jul 1997
TL;DR: The pyroelectric detectors are small in size, highly reliable and consume very low power as discussed by the authors, and can be physically and electrically integrated with other vehicle components, including rear-view mirror assemblies in automobiles, without incurring additional installation costs.
Abstract: Pyroelectric detector systems may be used in vehicles for security applications, such as intrusion detection and anti-theft alarms. The pyroelectric detectors are small in size, highly reliable and consume very low power. They can be physically and electrically integrated with other vehicle components, including rear-view mirror assemblies in automobiles, without incurring additional installation costs. They can also be easily integrated into aircraft cockpits.

Proceedings Article
26 Oct 1997
TL;DR: An architecture and toolkit for building network traffic analysis and statistical event records: The Network Flight Recorder, which is currently being deployed at a number of ISPs and commercial sites, and is available for download in source code form from www.nfr.net.
Abstract: Determining how you were attacked is essential to developing a response or countermeasure. Usually, a system or network manager presented with a successful intrusion has very little information with which to work: a possibly corrupted system log, a firewall log, and perhaps some tcpdump output. When hackers come up with a new technique for cracking a network, it often takes the security community a while to determine the method being used. In aviation, an aircraft's "black box"[1] is used to analyze the details of a crash. We believe a similar capability is needed for networks. Being able to quickly learn how an attack works will shorten the effective useful lifetime of the attack. Additionally, the recovered attack records may be helpful in tracking or prosecuting the attacker. Since we've developed a general purpose statistics-gathering system, we believe it will be useful for more than just security. For example, a network manager may desire an historical record of the usage growth of certain applications, or details about the breakdown of types of traffic at different times of day. Such records will provide useful information for network managers in diagnosing performance problems or planning growth. This paper describes an architecture and toolkit for building network traffic analysis and statistical event records: The Network Flight Recorder. The NFR uses a promiscuous packet interface to pass visible traffic into an internally meta-programmed decision engine which routes information about packets and their contents into statistical or logging backends. In addition to packet analysis and collection, the NFR's internal architecture permits network managers to sample interesting portions of network traffic for logging or statistical analysis. The NFR programming language is simple, but powerful enough that you can perform reasonable analysis on traffic before choosing to record it. For example, you might analyze SMTP transactions but only choose to record those relating to a user who is sending spam or abusive E-mail. The analysis language includes a capability for generating alert messages which the rest of the system queues, multiplexes, and delivers. A simplified hyper-query interface allows extensive browsing of the NFR's stored datasets and statistics from any Java-enabled browser. The NFR is currently being deployed at a number of ISPs and commercial sites, and is available for download in source code form from www.nfr.net.[2]

Background and Motivation

In 1990, one of the authors managed a rather chaotic network, including an embryonic firewall, using NNStat as a security tool. NNStat [1] was designed as a statistical analysis system for the NSFnet backbone, not as a security tool, but possessed several attractive properties:

1. It permits accurate and highly condensed summaries of an event on the network.
2. It permits flexible specification of types of events to record.
3. It permits flexible storage of information about the events that are observed.

While NNStat's authors were concerned about, for example, how much RIP traffic was crossing the network, a security conscious network manager could use NNStat to record all RIP traffic emanating from any systems that were not on an "approved list" of routers. Suddenly, NNStat was useful as a crude tool for mapping who and what, as well as for setting an alert to fire when something happened that the network manager believed should not. NNStat, wrapped with a bunch of quick and dirty shell scripts and cron jobs, served well as a poor man's intrusion detection system.

Other network managers have implemented similar systems using tcpdump, or more sophisticated special-purpose network watchers like ARPwatch [2], TCPwatch [3], Netman [4], clog [5], Netwatch [6], and Argus [7]. Other intrusion detection burglar alarms have focused on features of the host operating system, such as tcp_wrappers [8], klaxon [9], and tocsin [10]. Many of the monitoring systems implemented in the past contain features found in NFR. We believe that the new ground the NFR breaks is by making the filtering and analysis process internally programmed, rather than static-coded into the monitoring application. NFR is intellectually evolved from NNStat, but includes a more generalized and powerful filtering language, as well as the ability to trigger alerts and log complete packet information. A triggering specification lets data be selected from reassembled TCP sessions, providing a powerful capability for usage measurement as well as audit. The authors intend to use NFR as a platform for exploring auditing and logging, while simultaneously providing a freely available, high quality data source for researchers working on intrusion detection.

Overview of the NFR Architecture

The architecture of NFR was designed as a set of components, each tailored to a specific activity. Data is gathered by one or more packet suckers, forwarded to the decision engine for filtering and reassembly, and possibly recorded to a backend for storage or statistical processing. The query interface is kept completely separate from the input data flow to minimize the performance impact of a user's querying the system while it is collecting data.

Footnotes:
[1] They are actually Safety Orange.
[2] Use of the NFR software is free for noncommercial and research purposes. A commercial release of the software is being developed.

Source: 1997 LISA XI, October 26-31, 1997, San Diego, CA. "Implementing a Generalized Tool for Network Monitoring", Ranum et al.

Journal ArticleDOI
TL;DR: The main novelty of the IDAMN architecture is its ability to perform intrusion detection in the visited location and within the duration of a typical call, as opposed to existing designs that require the reporting of all call data to the home location in order to perform the actual detection.
Abstract: We present IDAMN (intrusion detection architecture for mobile networks), a distributed system whose main functionality is to track and detect mobile intruders in real time. IDAMN includes two algorithms which model the behavior of users in terms of both telephony activity and migration pattern. The main novelty of our architecture is its ability to perform intrusion detection in the visited location and within the duration of a typical call, as opposed to existing designs that require the reporting of all call data to the home location in order to perform the actual detection. The algorithms and the components of IDAMN have been designed in order to minimize the overhead incurred in the fixed part of the cellular network.

Journal ArticleDOI
TL;DR: A software platform that both simulates intrusions and supports the authors' systematic methodology for IDS testing is developed.
Abstract: Intrusion detection systems monitor system activities to identify unauthorized use, misuse, or abuse. IDSs offer a defense when your system's vulnerabilities are exploited and do so without requiring you to replace expensive equipment. The steady growth in research on intrusion detection systems has created a demand for tools and methods to test their effectiveness. The authors have developed a software platform that both simulates intrusions and supports their systematic methodology for IDS testing.

Journal ArticleDOI
TL;DR: A model that tracks both data and privilege flows within secure systems to detect context-dependent intrusions caused by operational security problems is presented and it is expected that this model will complement, not replace, statistical models for intrusion detection.
Abstract: Operational security problems, which are often the result of access authorization misuse, can lead to intrusion in secure computer systems. We motivate the need for pattern-oriented intrusion detection, and present a model that tracks both data and privilege flows within secure systems to detect context-dependent intrusions caused by operational security problems. The model allows the uniform representation of various types of intrusion patterns, such as those caused by unintended use of foreign programs and input data, imprudent choice of default privileges, and use of weak protection mechanisms. As with all pattern-oriented models, this model cannot be used to detect new, unanticipated intrusion patterns that could be detected by statistical models. For this reason, we expect that this model will complement, not replace, statistical models for intrusion detection.

Book ChapterDOI
01 Jan 1997
TL;DR: The concept of pseudonymous audit for privacy enhanced intrusion detection and its prototype realisations are presented and whether IT security evaluation criteria cover pseudonymous Audit and the respective changes are suggested.
Abstract: Intrusion detection systems can serve as powerful security audit analysis tools. But by analysing the user activities, they are affecting the privacy of the users at the same time. Pseudonymous audit can be the basis for privacy enhanced intrusion detection. In this paper, the concept of pseudonymous audit for privacy enhanced intrusion detection and its prototype realisations are presented. Furthermore it is discussed whether IT security evaluation criteria cover pseudonymous audit and the respective changes are suggested.

Journal ArticleDOI
TL;DR: Network intrusion detection systems solve the problem of external and internal security breaches by detecting them as they happen and immediately notifying security personnel and network administrators by e-mail or pager.
Abstract: As Internet-based and intranet-based network systems have evolved, they have become invaluable tools that businesses can use to share information and conduct business with online partners. However, hackers have also learned to use these systems to access private networks and their resources. Studies have shown that many organizations have suffered external and internal network intrusions. Internet systems are subject to various types of attacks. Traditional network security products, such as firewalls, can be penetrated from outside and can also leave organizations vulnerable to internal attacks. Generally, victims do not find out that their networks have been attacked until they examine system logs the next day, after the damage has been done. Network intrusion detection systems solve this problem by detecting external and internal security breaches as they happen and immediately notifying security personnel and network administrators by e-mail or pager. Intrusion detection systems use several types of algorithms to detect possible security breaches, including algorithms for statistical anomaly detection, rule-based anomaly detection, and a hybrid of the two.

Journal ArticleDOI
TL;DR: The detection of intrusion using manual and automatic methods is discussed, as are counterattack and damage assessment, and the issues affecting security enforcement are reviewed.
Abstract: As it stands today, the Internet is not secure, so the only option is to understand how attacks occur and how best to protect against them. Ways to detect an intrusion and assess what the intruder did must be well thought out. For the most part, they will rely upon the ability of each system on the Internet to keep a log of events. The logs are invaluable for intrusion detection and analysis; indeed, they are basic to all postattack analysis. Authors of the security policy must determine what to log (keeping in mind how the desired level of logging will affect system performance) and how the logs should be analyzed. The logs should note who has entered the system as well as what they have done. Before a detailed examination is made of security methods, the issues affecting security enforcement are reviewed. The detection of intrusion using manual and automatic methods is discussed, as are counterattack and damage assessment.

Proceedings ArticleDOI
08 Dec 1997
TL;DR: The aim of the project is the development of a network connection signature for common network services, therefore allowing connection type recognition independent of the port information, which can facilitate the detection of anomalous and unauthorised network connections.
Abstract: Computer intruders are employing more sophisticated techniques to compromise computer systems. Once compromised, in most cases, intruders install remote terminal software to ensure continued, undetectable access to the victim site bypassing standard system audit and security features. Detection of this type of intruder activity was a problem for law enforcement during a computer intrusion investigation that went to prosecution in Australia. The increasing availability of remote terminal software to intruders poses a significant problem to both the detection and monitoring of an intruder's activities. This paper discusses an approach to the analysis of network traffic to detect the presence of unauthorised and anomalous network services. The aim of the project is the development of a network connection signature for common network services, therefore allowing connection type recognition independent of the port information. The specific service signatures can then be used to correlate port information with observed connection types facilitating the detection of anomalous and unauthorised network connections. The detection of anomalous connections may indicate the presence of unauthorised modifications to systems on the network being monitored or the installation of illicit remote terminal software on those systems. A modified neural network was used to analyse the network traffic captured for the experiment. Apart from its learning and generalisation properties, the neural network engine lends the application the ability to adapt to the different network environments on which the software may be employed.

Patent
16 Jan 1997
TL;DR: In this article, an intrusion detection system used to surveil a predetermined space includes a monitor disposed within the space and a remote controller, which includes an RF transmitter activated by a button switch the pulsed closure of which either arms or tests or disarms the monitor.
Abstract: An intrusion detection system used to surveil a predetermined space includes a monitor disposed within the space and a remote controller. The monitor comprises an intrusion detector for sensing an intruder in the space and a memory circuit having an armed and a disarmed state recording any sensed intrusion. The remote controller includes an RF transmitter activated by a button switch the pulsed closure of which either arms or tests or disarms the monitor. When arming the monitor, a first audible or visual output is produced by the monitor in response to the RF pulse which switches it from the disarmed to the armed state. In the armed state, the monitor produces a second audible or visual output in response to the RF pulse which is used to test the state of the monitor. The second response is easily distinguished from the first response by a user. If an intrusion occurs, the monitor produces an alarm signal. While the monitor is sounding the alarm signal, a pulsed closure of the button switch disarms the monitor. Should the monitor detect an intrusion and/or be disabled by the intruder, the lack of the monitor output in response to the RF pulse transmitted by the remote controller warns the user, before entering his or her premises, there exists the possibility of confronting an intruder.

Journal ArticleDOI
TL;DR: This paper proposes a fundamental framework for network security that consists of eight perspectives of network security and nine attributes of a secure network that collectively constitute a comprehensive stable structure that supports the total network security.

01 May 1997
TL;DR: The Automated Information Alarm System is an automated system that detects and automatically responds to attacks that use readily available tools and methodologies that are detrimental to information on the network or to continued operation of the network.
Abstract: The Automated Information Alarm System is a joint effort between Los Alamos National Laboratory, Lawrence Livermore National Laboratory, and Sandia National Laboratory to demonstrate and implement, on a small-to-medium sized local area network, an automated system that detects and automatically responds to attacks that use readily available tools and methodologies. The Alarm System will sense or detect, assess, and respond to suspicious activities that may be detrimental to information on the network or to continued operation of the network. The responses will allow stopping, isolating, or ejecting the suspicious activities. The number of sensors, the sensitivity of the sensors, the assessment criteria, and the desired responses may be set by the using organization to meet their local security policies.

Proceedings ArticleDOI
10 Feb 1997
TL;DR: The authors' intrusion detection system ASAX is extended with a deductive subsystem that allows us to assess the security level of a software configuration on a real time basis and achieves a better tuning of the intrusion detection since the system has only to enable intrusion detection rules that are specifically required by the current state of the configuration.
Abstract: Computer security is a topic of growing concern because, on the one hand, the power of computers continues to increase at exponential speed and all computers are virtually connected to each other and because, on the other hand, the lack of reliability of software systems may cause dramatic and unrecoverable damage to computer systems and hence to the newly emerging computerized society. Among the possible approaches to improve the current situation, expert systems have been advocated to be an important one. Typical tasks that such expert systems attempt to achieve include finding system vulnerabilities and detecting malicious behaviour of users. We extend our intrusion detection system ASAX with a deductive subsystem that allows us to assess the security level of a software configuration on a real time basis. By coupling the two subsystems (intrusion detection and configuration analysis) we moreover achieve a better tuning of the intrusion detection since the system has only to enable intrusion detection rules that are specifically required by the current state of the configuration. We also report some preliminary performance measurements, which suggest that our approach can be practical in real life contexts.

Journal ArticleDOI
TL;DR: In this paper, the authors present an overview of some sub-fields and their successes: trusted systems, operating systems, database management systems, distributed systems, cryptography, protocols, system correctness, intrusion detection and mobile code.
Abstract: The paper discusses some promising advances in computer security. Security system designers and implementers must consider several factors: security policy, privileges, authentication, correctness and auditing. The paper presents an overview of some sub-fields and their successes: trusted systems, operating systems, database management systems, distributed systems, cryptography, protocols, system correctness, intrusion detection and mobile code.

Patent
30 Jul 1997
TL;DR: In this paper, an intrusion detection system for monitoring environments having at least one electronic sensor responsive to movements occurring in the environment and adapted to modify one characteristic of its electrical output in response to the presence of a moving body is presented.
Abstract: An electronic intrusion detection system for monitoring environments having at least one electronic sensor responsive to movements occurring in the environment and adapted to modify at least one characteristic of its electrical output in response to the presence of a moving body in the environment. An alarm is signaled when the modification meets a predetermined condition. A transducer is provided for continuously converting the modification of the output from the electric sensor into a signal that can be perceived by a human being. An alarm control unit connected to the alarm and transducer forwards the signals to the surveillance personnel through a telephone line.

Book ChapterDOI
24 Sep 1997
TL;DR: AID as mentioned in this paper is an intrusion detection system for network and privacy oriented auditing, which uses knowledge-based techniques to identify unauthorized use, misuse, and abuse of computer systems.
Abstract: Intrusion detection systems identify unauthorized use, misuse and abuse of computer systems. Some applications have shown that they are capable of detecting a large number of security violations. The detection of network based attacks, however, has been solved insufficiently. In addition, there are inaccessibilities concerning privacy of the monitored users. In this paper we present the intrusion detection system AID which provides new features for network and privacy oriented auditing, and a sophisticated real-time analysis using knowledge-based techniques. The paper describes the objectives and the main features of the AID development.

Journal ArticleDOI
TL;DR: The sensor fusion approach taken to perform intelligent alarm analysis for the Advanced Exterior Sensor is discussed, an intrusion detection and assessment system designed for wide-area coverage, quick deployment, low false/nuisance alarm operation, and immediate visual assessment.
Abstract: The purpose of an intelligent alarm analysis system is to provide complete and manageable information to a central alarm station operator by applying alarm processing and fusion techniques to sensor information. This paper discusses the sensor fusion approach taken to perform intelligent alarm analysis for the Advanced Exterior Sensor (AES). The AES is an intrusion detection and assessment system designed for wide-area coverage, quick deployment, low false/nuisance alarm operation, and immediate visual assessment. It combines three sensor technologies (visible, infrared, and millimeter wave radar) collocated on a compact and portable remote sensor module. The remote sensor module rotates at a rate of 1 revolution per second to detect and track motion and provide assessment in a continuous 360° field-of-regard. Sensor fusion techniques are used to correlate and integrate the track data from these three sensors into a single track for operator observation. Additional inputs to the fusion process include environmental data, knowledge of sensor performance under certain weather conditions, sensor priority, and recent operator feedback. A confidence value is assigned to the track as a result of the fusion process. This helps to reduce nuisance alarms and to increase operator confidence in the system while reducing the workload of the operator.

ReportDOI
01 Aug 1997
TL;DR: A set of practices that can help detect intrusions by looking for the fingerprints of known intrusion methods are described, providing concrete, practical guidance to help organizations improve the security of their networked computer systems.
Abstract: The module provides concrete, practical guidance to help organizations improve the security of their networked computer systems. It describes a set of practices that can help detect intrusions by looking for the fingerprints of known intrusion methods.

01 Sep 1997
TL;DR: The results of the thesis are an open architecture design for a real-time intrusion detection system to handle intrusions in a heterogeneous network and the system requirements, specifications, protocols and software module design to support an implementation of a system using this architecture.
Abstract: While there exist many tools and methods used to recognize intrusions into single system environments, there are few that can recognize and handle attacks in real time. This group is further reduced when adding the complexity of recognizing and handling intrusions occurring in heterogeneous networked environments. The results of the thesis are an open architecture design for a real-time intrusion detection system to handle intrusions in a heterogeneous network and the system requirements, specifications, protocols and software module design to support an implementation of a system using this architecture. The architecture presented herein comprises a distributed system of autonomous agents that reside on the various hosts in a network. These agents communicate with each other in a coordinated effort to identify and respond to intrusions into the network by sending messages to each other detailing the identity and threat level of a potential or imminent attack. To quantify the threat level of an ongoing attack, this thesis also presents an alert level hierarchy based on the danger level and transferability of the threat to the various hosts within the network.