Next-generation Intrusion Detection Expert System (NIDES)
A Summary

Debra Anderson
Thane Frivold
Alfonso Valdes

Computer Science Laboratory
SRI-CSL-95-07, May 1995

This report was prepared for the Department of the Navy, Space and Naval Warfare Systems Command, under Contract N00039-92-C-0015.

Contents

1 Introduction  1
  1.1 Previous Work  2
  1.2 Related Work  3
    1.2.1 Advisor Project  3
    1.2.2 FBI FOIMS-IDES Project  4
    1.2.3 Safeguard Project  4
    1.2.4 NIDES Training Course  4
  1.3 Project Overview  5

2 Software Prototypes  7
  2.1 Alpha Release  7
  2.2 Alpha-patch Release  8
  2.3 Beta Release  10
    2.3.1 Documentation  10
    2.3.2 Features  10
      2.3.2.1 Optimization of Profile Structure  11
      2.3.2.2 Analysis Configuration (Real-time and Batch)  11
      2.3.2.3 Status Reporting  13
      2.3.2.4 Data Management Facility  13
      2.3.2.5 Expanded Rulebase  13
  2.4 Beta-update Release  13
    2.4.1 Bug Fixes  13
    2.4.2 Performance Improvements  15
    2.4.3 New Features  16
      2.4.3.1 Perl Script agen Utility  16
      2.4.3.2 UNIX agen Ethernet Enhancement  17
      2.4.3.3 Updated Rulebase and event Fact Template  17
      2.4.3.4 Expanded Audit Record Codes  18
      2.4.3.5 Updated Installation Procedures and Documentation  18
  2.5 Architecture  20
    2.5.1 Components  20
      2.5.1.1 Persistent Storage  21
      2.5.1.2 Agend  21
      2.5.1.3 Agen  21
      2.5.1.4 Arpool  22
      2.5.1.5 Statistical Analysis Component  22
      2.5.1.6 Rulebased Analysis Component  22
      2.5.1.7 Resolver  23
      2.5.1.8 Archiver  23
      2.5.1.9 Batch Analysis  23
      2.5.1.10 User Interface  23
    2.5.2 Operation  23
      2.5.2.1 Real-time Operation  24
      2.5.2.2 Batch Operation  25

3 Future Directions  27
  3.1 Technology Transfer and Operational Evaluation  27
  3.2 User Support and Training  28
    3.2.1 NIDES Maintenance  28
    3.2.2 Training  28
    3.2.3 Telephone and On-site Support  28
    3.2.4 Configuration Management  29
  3.3 Security Goals  29
  3.4 Network NIDES  31
    3.4.1 Data Collection  31
    3.4.2 Rulebase  31
    3.4.3 Statistical Measures  32
  3.5 Intrusion-Detection Testbed  32
  3.6 Rulebase Expansion  33
  3.7 Profiling Other Entities  33
  3.8 Enhanced Component Independence  34

Bibliography  35

List of Figures

2.1 NIDES Process Graph (Real Time)  24
2.2 NIDES Process Graph (Batch Mode)  26

List of Tables

2.1 NIDES Baseline Profile Structure Size Comparison  11
2.2 NIDES Default Rules  14
2.3 Beta Release Performance  16
2.4 NIDES Audit Record Action Codes Comparison, Beta and Beta-update Releases  19
2.5 NIDES Audit Record Source Codes  20

Chapter 1
Introduction

Existing security
mechanisms protect computers and networks from unauthorized use through access controls, such as passwords. However, if these access controls are compromised or can be bypassed, an abuser may gain unauthorized access and thus can cause great damage and disruption to system operation.

Although a computer system's primary defense is its access controls, it is clear from numerous newspaper accounts of break-ins, viruses, and computerized thefts that we cannot rely on access control mechanisms in every case to safeguard against a penetration or insider attack. Even the most secure systems are vulnerable to abuse by insiders who misuse their privileges, and audit trails may be the only means of detecting authorized but abusive user activity.

Other modes of protection can be devised, however. An intruder is likely to exhibit a behavior pattern that differs markedly from that of a legitimate user. An intruder masquerading as a legitimate user can be detected through observation of this statistically unusual behavior. This idea is the basis for enhancing system security by monitoring system activity and detecting atypical behavior. Such a monitoring system will be capable of detecting intrusions that could not be detected by any other means, for example, intrusions that exploit unknown vulnerabilities. In addition, any computer system or network has known vulnerabilities that an intruder can exploit. However, it is more efficient to detect intrusions that exploit these known vulnerabilities through the use of explicit expert system rules than through statistical anomaly detection.

While many computer systems collect audit data, most do not have any capability for automated analysis of that data. Moreover, those systems that do collect audit data generally collect large volumes of data that are not necessarily security relevant. Thus, for security analysis, a security officer (SO) must wade through stacks of printed output of audit data. Besides the pure tedium of this task, the sheer volume of the data makes it impossible for the security officer to detect suspicious activity that does not conform to a handful of obvious intrusion scenarios. Thus, the capability for automated security analysis of audit trails is needed.

The Next-generation Intrusion-Detection Expert System (NIDES) is the result of research that started in the Computer Science Laboratory at SRI International in the early 1980s and led to a series of increasingly sophisticated prototypes that resulted in the current NIDES Beta release. The current version, described in this final report and in greater detail in [1, 2, 3], is designed to operate in
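The two complementary analyses the introduction argues for, a statistical profile of each user's normal behavior and explicit expert-system rules for known misuse, can be shown side by side on a handful of audit records. This is an added toy example, not SRI's NIDES code; the feature profiled (bytes read), the rule target /etc/shadow, the constructed records and the thresholds are all assumptions chosen for illustration.

```python
"""Toy of the two NIDES analysis modes: a per-user statistical profile
(anomaly detection) beside an explicit rule for known misuse.
Added example on constructed audit records; not SRI's NIDES code."""
import math
from collections import defaultdict

class Profile:
    """Running mean/variance of one feature (Welford's method)."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0
    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)
    def zscore(self, x):
        """Standard deviations between x and the learned baseline."""
        if self.n < 2:
            return 0.0
        std = math.sqrt(self.m2 / (self.n - 1))
        return 0.0 if std == 0 else (x - self.mean) / std

KNOWN_BAD = {"/etc/shadow"}  # assumed rule target, not taken from the report

def rule_check(rec):
    """Rulebased side: fires on a known pattern whatever the user's profile."""
    if rec["action"] == "read" and rec["object"] in KNOWN_BAD and rec["user"] != "root":
        return f"rule: non-root read of {rec['object']}"
    return None

def analyze(records, min_obs=5, threshold=3.0):
    """Run both analyses over audit records; return (user, reason) alerts."""
    profiles, alerts = defaultdict(Profile), []
    for rec in records:
        hit = rule_check(rec)
        if hit:
            alerts.append((rec["user"], hit))
        prof = profiles[rec["user"]]
        z = prof.zscore(rec["bytes"])
        if prof.n >= min_obs and abs(z) > threshold:  # score only with history
            alerts.append((rec["user"], f"anomaly: bytes z-score {z:.1f}"))
        prof.update(rec["bytes"])  # real NIDES ages profiles; this toy does not
    return alerts

# Constructed records: alice's usual small reads, then one huge transfer,
# and bob reading an object the rulebase flags outright.
AUDIT = [{"user": "alice", "action": "read", "object": "/home/alice/notes", "bytes": b}
         for b in (1000, 1100, 1000, 1200, 1100, 1000, 1100, 1200, 50000)]
AUDIT.append({"user": "bob", "action": "read", "object": "/etc/shadow", "bytes": 900})
ALERTS = analyze(AUDIT)
```

The rule fires on bob's first record with no history at all, while alice's 50000-byte read is caught only because eight earlier records gave her profile a baseline to compare against.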