Integration of Next-Generation Intrusion Detection System/Event Monitoring Enabling Responses to Anomalous Live Disturbances (NIDES/EMERALD) Intrusion Detection Engines with the International Office of Standardization (ISO) Architecture

Abstract: This report describes the expert-system-based intrusion detection technologies developed in the EMERALD program, and the research and experimentation performed with those components. The forward-reasoning expert-system tool P-BEST, which has been used to build signature-analysis engines for IDES, NIDES and now EMERALD, is described in detail. We show how data from network traffic interception, from host operating system audit trails, and from critical applications can be analyzed by P-BEST-based applications for real-time intrusion detection. The host-based and network-based intrusion detection monitors that we built have participated in various evaluations and experiments, confirming their detection capabilities and general applicability. We conclude that EMERALD's expert-system approach to misuse detection is well suited for the complex event analysis needed for wide attack coverage and near-zero false alarm rates.
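As an added illustration (not code from the EMERALD report or from P-BEST), a minimal forward-chaining rule engine over constructed host audit records shows the style of multi-event misuse analysis the abstract describes: each rule asserts derived facts into working memory, and a signature spanning several records (a burst of failed logins, a success from the same source, then a privilege change by that user) is recognised in successive firing cycles. The field names, thresholds and records are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fact:
    kind: str
    attrs: tuple  # sorted (key, value) pairs so facts are hashable and deduplicated

def fact(kind, **kw):
    return Fact(kind, tuple(sorted(kw.items())))

def get(f, key):
    return dict(f.attrs)[key]

# Constructed audit records (not real data): t = seconds, plus user, source, event, outcome
AUDIT = [
    fact("audit", t=100, user="alice", src="10.0.0.5", event="login", outcome="fail"),
    fact("audit", t=110, user="alice", src="10.0.0.5", event="login", outcome="fail"),
    fact("audit", t=125, user="alice", src="10.0.0.5", event="login", outcome="fail"),
    fact("audit", t=140, user="alice", src="10.0.0.5", event="login", outcome="success"),
    fact("audit", t=200, user="alice", src="10.0.0.5", event="su", outcome="success"),
    fact("audit", t=300, user="bob", src="10.0.0.9", event="login", outcome="success"),
]
WINDOW, THRESHOLD = 60, 3  # assumed tuning: 3 failures within 60 s count as a burst

def rule_login_burst(wm):  # audit facts -> burst facts
    fails = sorted((get(f, "t"), get(f, "src"), get(f, "user")) for f in wm
                   if f.kind == "audit" and get(f, "event") == "login" and get(f, "outcome") == "fail")
    out = set()
    for i, (t, src, user) in enumerate(fails):
        window = [x for x in fails[i:] if x[1] == src and x[0] - t <= WINDOW]
        if len(window) >= THRESHOLD:
            out.add(fact("burst", src=src, user=user, end=window[THRESHOLD - 1][0]))
    return out

def rule_success_after_burst(wm):  # burst + later success from same source -> alert
    return {fact("alert", name="guessed_password", src=get(a, "src"), user=get(a, "user"), t=get(a, "t"))
            for b in wm if b.kind == "burst" for a in wm
            if a.kind == "audit" and get(a, "event") == "login" and get(a, "outcome") == "success"
            and get(a, "src") == get(b, "src") and get(b, "end") <= get(a, "t") <= get(b, "end") + WINDOW}

def rule_escalation(wm):  # guessed-password alert + later su by that user -> higher-level alert
    return {fact("alert", name="escalation_after_guess", src=get(al, "src"), user=get(a, "user"), t=get(a, "t"))
            for al in wm if al.kind == "alert" and get(al, "name") == "guessed_password" for a in wm
            if a.kind == "audit" and get(a, "event") == "su" and get(a, "user") == get(al, "user") and get(a, "t") > get(al, "t")}

RULES = [rule_login_burst, rule_success_after_burst, rule_escalation]

def run(records):
    """Forward chaining: fire every rule against working memory until no new fact is asserted."""
    wm = set(records)
    while True:
        new = set().union(*(r(wm) for r in RULES)) - wm
        if not new:
            return wm
        wm |= new

def alerts(records):
    return sorted((get(f, "name"), get(f, "user"), get(f, "t")) for f in run(records) if f.kind == "alert")
```

Running `alerts(AUDIT)` yields the two chained alerts for alice, while the records after the failed logins alone produce none.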