EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances

The EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances) environment is a distributed scalable tool suite for tracking malicious activity through and across large networks. EMERALD introduces a highly distributed, building-block approach to network surveillance, attack isolation, and automated response. It combines models from research in distributed high-volume event-correlation methodologies with over a decade of intrusion detection research and engineering experience. The approach is novel in its use of highly distributed, independently tunable surveillance and response monitors that are deployable polymorphically at various abstract layers in a large network. These monitors contribute to a streamlined event-analysis system that combines signature analysis with statistical profiling to provide localized real-time protection of the most widely used network services on the Internet. Equally important, EMERALD introduces a recursive framework for coordinating the dissemination of analyses from the distributed monitors to provide a global detection and response capability that can counter attacks occurring across an entire network enterprise. Further, EMERALD introduces a versatile application programmers' interface that enhances its ability to integrate with heterogeneous target hosts and provides a high degree of interoperability with third-party tool suites.
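As an added illustration of the layered design the abstract describes (example code written for this page, not EMERALD's own implementation): a service-level monitor combines a signature rule with a statistical profile of one audit variable, and an enterprise-level monitor correlates the resulting alerts across hosts. The sample events, the baseline history and the single signature rule are constructed for this example.

```python
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# Constructed sample audit events: (host, service, user, action, bytes_out)
SAMPLE_EVENTS = [
    ("web1", "http", "www", "GET", 1200),
    ("web1", "http", "www", "GET", 52000),       # far outside the profile
    ("web2", "http", "www", "GET", 1100),
    ("web2", "http", "www", "GET", 49000),       # far outside the profile
    ("ftp1", "ftp", "anon", "SITE EXEC", 1000),  # matches a signature rule
    ("ftp1", "ftp", "anon", "GET", 1100),
]
BASELINE = [1000, 1200, 1100, 900, 1300, 1050, 1150, 1000]  # constructed history
Alert = namedtuple("Alert", "host service kind detail")  # kind: signature | profile

class ServiceMonitor:
    """Localized monitor: signature rules plus a per-service statistical profile."""
    SIGNATURES = {"ftp": {"SITE EXEC"}}  # assumed rule set, not EMERALD's own

    def __init__(self, host, service, baseline, threshold=3.0):
        self.host, self.service, self.threshold = host, service, threshold
        self.mu, self.sigma = mean(baseline), pstdev(baseline)  # profile statistics

    def analyze(self, user, action, bytes_out):
        alerts = []
        if action in self.SIGNATURES.get(self.service, ()):
            alerts.append(Alert(self.host, self.service, "signature", f"{user}: {action}"))
        z = (bytes_out - self.mu) / self.sigma if self.sigma else 0.0  # z-score vs. profile
        if abs(z) > self.threshold:
            alerts.append(Alert(self.host, self.service, "profile", f"bytes_out z={z:.1f}"))
        return alerts

class EnterpriseMonitor:
    """Correlates service-monitor alerts; reports alert kinds seen on several hosts."""
    def __init__(self, min_hosts=2):
        self.min_hosts, self.hosts_by_kind = min_hosts, defaultdict(set)

    def receive(self, alerts):
        for a in alerts:
            self.hosts_by_kind[(a.service, a.kind)].add(a.host)

    def correlated(self):
        return {k: sorted(h) for k, h in self.hosts_by_kind.items() if len(h) >= self.min_hosts}

def run(events=SAMPLE_EVENTS):
    """Feed events through per-(host, service) monitors, then up to the enterprise level."""
    monitors, enterprise, local = {}, EnterpriseMonitor(), []
    for host, service, user, action, nbytes in events:
        m = monitors.setdefault((host, service), ServiceMonitor(host, service, BASELINE))
        alerts = m.analyze(user, action, nbytes)
        local.extend(alerts)
        enterprise.receive(alerts)
    return local, enterprise.correlated()
```

With the constructed events, the two web hosts each raise a local profile alert and the enterprise monitor reports the pair as one cross-host finding, while the single ftp signature alert stays local.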
