USC CSCI 530 - Anderson95a

Next-generation Intrusion Detection Expert System (NIDES)
A Summary*

Debra Anderson
Thane Frivold
Alfonso Valdes

Computer Science Laboratory
SRI-CSL-95-07, May 1995

* This report was prepared for the Department of the Navy, Space and Naval Warfare Systems Command, under Contract N00039-92-C-0015.

Contents

1 Introduction .................................................. 1
  1.1 Previous Work .............................................. 2
  1.2 Related Work ............................................... 3
    1.2.1 Advisor Project ........................................ 3
    1.2.2 FBI FOIMS-IDES Project ................................. 4
    1.2.3 Safeguard Project ...................................... 4
    1.2.4 NIDES Training Course .................................. 4
  1.3 Project Overview ........................................... 5

2 Software Prototypes ........................................... 7
  2.1 Alpha Release .............................................. 7
  2.2 Alpha-patch Release ........................................ 8
  2.3 Beta Release .............................................. 10
    2.3.1 Documentation ......................................... 10
    2.3.2 Features .............................................. 10
      2.3.2.1 Optimization of Profile Structure ................. 11
      2.3.2.2 Analysis Configuration (Real-time and Batch) ...... 11
      2.3.2.3 Status Reporting .................................. 13
      2.3.2.4 Data Management Facility .......................... 13
      2.3.2.5 Expanded Rulebase ................................. 13
  2.4 Beta-update Release ....................................... 13
    2.4.1 Bug Fixes ............................................. 13
    2.4.2 Performance Improvements .............................. 15
    2.4.3 New Features .......................................... 16
      2.4.3.1 Perl Script agen Utility .......................... 16
      2.4.3.2 UNIX agen Ethernet Enhancement .................... 17
      2.4.3.3 Updated Rulebase and event Fact Template .......... 17
      2.4.3.4 Expanded Audit Record Codes ....................... 18
      2.4.3.5 Updated Installation Procedures and Documentation . 18
  2.5 Architecture .............................................. 20
    2.5.1 Components ............................................ 20
      2.5.1.1 Persistent Storage ................................ 21
      2.5.1.2 Agend ............................................. 21
      2.5.1.3 Agen .............................................. 21
      2.5.1.4 Arpool ............................................ 22
      2.5.1.5 Statistical Analysis Component .................... 22
      2.5.1.6 Rulebased Analysis Component ...................... 22
      2.5.1.7 Resolver .......................................... 23
      2.5.1.8 Archiver .......................................... 23
      2.5.1.9 Batch Analysis .................................... 23
      2.5.1.10 User Interface ................................... 23
    2.5.2 Operation ............................................. 23
      2.5.2.1 Real-time Operation ............................... 24
      2.5.2.2 Batch Operation ................................... 25

3 Future Directions ............................................ 27
  3.1 Technology Transfer and Operational Evaluation ............ 27
  3.2 User Support and Training ................................. 28
    3.2.1 NIDES Maintenance ..................................... 28
    3.2.2 Training .............................................. 28
    3.2.3 Telephone and On-site Support ......................... 28
    3.2.4 Configuration Management .............................. 29
  3.3 Security Goals ............................................ 29
  3.4 Network NIDES ............................................. 31
    3.4.1 Data Collection ....................................... 31
    3.4.2 Rulebase .............................................. 31
    3.4.3 Statistical Measures .................................. 32
  3.5 Intrusion-Detection Testbed ............................... 32
  3.6 Rulebase Expansion ........................................ 33
  3.7 Profiling Other Entities .................................. 33
  3.8 Enhanced Component Independence ........................... 34

Bibliography ................................................... 35

List of Figures

2.1 NIDES Process Graph (Real Time) ............................ 24
2.2 NIDES Process Graph (Batch Mode) ........................... 26

List of Tables

2.1 NIDES Baseline Profile Structure Size Comparison ........... 11
2.2 NIDES Default Rules ........................................ 14
2.3 Beta Release Performance ................................... 16
2.4 NIDES Audit Record Action Codes Comparison, Beta and Beta-update Releases ... 19
2.5 NIDES Audit Record Source Codes ............................ 20

Chapter 1

Introduction

Existing security mechanisms protect computers and networks from unauthorized use through access controls, such as passwords. However, if these access controls are compromised or can be bypassed, an abuser may gain unauthorized access and thus can cause great damage and disruption to system operation.

Although a computer system's primary defense is its access controls, it is clear from numerous newspaper accounts of break-ins, viruses, and computerized thefts that we cannot rely on access control mechanisms in every case to safeguard against a penetration or insider attack. Even the most secure systems are vulnerable to abuse by insiders who misuse their privileges, and audit trails may be the only means of detecting authorized but abusive user activity.

Other modes of protection can be devised, however. An intruder is likely to exhibit a behavior pattern that differs markedly from that of a legitimate user. An intruder masquerading as a legitimate user can be detected through observation of this statistically unusual behavior. This idea is the basis for enhancing system security by monitoring system activity and detecting atypical behavior. Such a monitoring system will be capable of detecting intrusions that could not be detected by any other means, for example, intrusions that exploit unknown vulnerabilities. In addition, any computer system or network has known vulnerabilities that an intruder can exploit. However, it is more efficient to detect intrusions that exploit these known vulnerabilities through the use of explicit expert system rules than through statistical anomaly detection.

While many computer systems collect audit data, most do not have any capability for automated analysis of that data. Moreover, those systems that do collect audit data generally collect large volumes of data that are not necessarily security relevant. Thus, for security analysis, a security officer (SO) must wade through stacks of printed output of audit data. Besides the pure tedium of this task, the sheer volume of the data makes it impossible for the security officer to detect suspicious activity that does not conform to a handful of obvious intrusion scenarios. The capability for automated security analysis of audit trails is therefore needed.

The Next-generation Intrusion-Detection Expert System (NIDES) is the result of research that started in the Computer Science Laboratory at SRI International in the early 1980s and led to a series of increasingly sophisticated prototypes that resulted in the current NIDES Beta release. The current version, described in this final report and in greater detail in [1, 2, 3], is designed to operate in
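The contrast the introduction draws, statistical anomaly detection for behavior that merely looks unusual and explicit expert-system rules for known attack patterns, as an added example that is not code from the report or from NIDES itself: a small Python script builds a per-user baseline from constructed training records, scores a later batch of records against it with a chi-square style statistic over two measures (action mix and time of day), and runs two explicit rules alongside, then merges both detectors' findings per user the way the report's resolver component sits between its statistical and rulebased components. The record format, the two measures, the smoothing and threshold, and the rules R1 and R2 are all assumptions made for this illustration; the actual NIDES measures and default rulebase (Table 2.2) are in the body of the report, which is not in this preview.

```python
# Two audit-trail detectors in the spirit of the NIDES design: a statistical
# anomaly detector over per-user baseline profiles plus an explicit rulebase for
# known misuse, merged into one report. Record format, measures, scoring,
# threshold and rules are assumptions for this example, not NIDES' own.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed records (not real audit data): "<ts> <user> <action> <object> <outcome>"
TRAINING_LOG = """\
1995-05-01T09:00:00 alice login tty1 ok
1995-05-01T09:01:00 alice exec /usr/bin/ls ok
1995-05-01T09:02:00 alice exec /usr/bin/mail ok
1995-05-01T09:05:00 alice read /home/alice/notes ok
1995-05-01T09:10:00 alice read /home/alice/report ok
1995-05-01T09:30:00 alice logout tty1 ok
"""
TEST_LOG = """\
1995-05-02T02:00:00 alice login tty1 fail
1995-05-02T02:00:10 alice login tty1 fail
1995-05-02T02:00:20 alice login tty1 fail
1995-05-02T02:00:30 alice login tty1 ok
1995-05-02T02:01:00 alice read /etc/passwd ok
1995-05-02T02:02:00 alice write /etc/passwd fail
1995-05-02T02:03:00 alice write /etc/shadow fail
1995-05-02T02:05:00 alice write /etc/shadow fail
"""

def parse_records(text):
    """One audit record per line -> dict."""
    out = []
    for line in text.splitlines():
        ts, user, action, obj, outcome = line.split()
        out.append({"ts": datetime.fromisoformat(ts), "user": user,
                    "action": action, "object": obj, "outcome": outcome})
    return out

def build_profile(records):
    """Per-user counts on two measures: action-type mix and 6-hour time-of-day bucket."""
    profiles = defaultdict(lambda: {"action": Counter(), "hour": Counter()})
    for r in records:
        profiles[r["user"]]["action"][r["action"]] += 1
        profiles[r["user"]]["hour"][r["ts"].hour // 6] += 1
    return profiles

def deviation_score(expected, observed, alpha=0.5):
    """Chi-square style distance from the baseline. Additive smoothing (alpha) gives
    never-seen categories a small expected count, so a new action type scores high."""
    cats = set(expected) | set(observed)
    n_exp = sum(expected.values()) + alpha * len(cats)
    n_obs = sum(observed.values())
    def expected_count(c):
        return (expected[c] + alpha) / n_exp * n_obs
    return sum((observed[c] - expected_count(c)) ** 2 / expected_count(c) for c in cats)

def statistical_alerts(profiles, records, threshold=10.0):
    """Flag users whose recent activity departs from baseline on any measure."""
    alerts = []
    for user, obs in build_profile(records).items():
        base = profiles.get(user)
        if base is None:
            alerts.append((user, "no baseline profile"))
            continue
        for measure in ("action", "hour"):
            s = deviation_score(base[measure], obs[measure])
            if s > threshold:  # threshold is an arbitrary choice for the demo
                alerts.append((user, f"{measure} measure deviates (score {s:.1f})"))
    return alerts

# Hypothetical rule parameters, not taken from the NIDES default rulebase.
FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW = 3, timedelta(seconds=60)
PROTECTED_OBJECTS = {"/etc/passwd", "/etc/shadow"}

def rulebase_alerts(records):
    """Explicit rules for known misuse. R1: FAILED_LOGIN_LIMIT failed logins on
    one account inside the window. R2: a non-root write to a protected file."""
    alerts, failures = [], defaultdict(list)  # failures: user -> recent fail times
    for r in records:
        if r["action"] == "login" and r["outcome"] == "fail":
            window = failures[r["user"]]
            window.append(r["ts"])
            window[:] = [t for t in window if r["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(window) >= FAILED_LOGIN_LIMIT:
                alerts.append((r["user"], "R1 failed-login burst", r["ts"]))
                window.clear()  # re-arm the rule after it fires
        if r["action"] == "write" and r["object"] in PROTECTED_OBJECTS and r["user"] != "root":
            alerts.append((r["user"], f"R2 write to protected {r['object']}", r["ts"]))
    return alerts

def analyze(training_text, test_text):
    """Train baselines on one log, run both detectors over another, merge per user."""
    profiles = build_profile(parse_records(training_text))
    test = parse_records(test_text)
    report = defaultdict(list)
    for user, why in statistical_alerts(profiles, test):
        report[user].append("statistical: " + why)
    for user, why, ts in rulebase_alerts(test):
        report[user].append(f"rule: {why} at {ts.isoformat()}")
    return dict(report)

if __name__ == "__main__":
    print(analyze(TRAINING_LOG, TEST_LOG))
```

Run on the constructed logs, the statistical detector flags alice on both measures (activity at 02:00 against a 09:00 baseline, and a mix dominated by logins and writes that the profile never contained) without any rule naming that behavior, which is the "unknown vulnerability" case the introduction makes for anomaly detection. The rulebase fires once for the failed-login burst and three times for the writes to protected files, each with its precise cause, which is the cheaper and more specific route for known patterns. A real deployment would also have to age the baseline so that profiles follow legitimate changes in a user's habits, and would have to guard against an intruder training a profile slowly toward the abusive behavior; neither is handled here.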