Intrusion Detection in Distributed Systems

ion becomes a dynamic and on-going process. Figure 6.4 shows a hierarchy of system views, signatures, and view definitions. Notice that such a hierarchy may evolve along time. For example, when we initially specify the system view TCPDOSAttacks, we may be only aware of two types of such attacks: Land and Teardrop (see [Kendall, 1999] for details). Thus, we may derive information on TCPDOSAttacks from IPPacket using signatures for Land and Teardrop and the corresponding view definitions, as shown in the dashed box in figure 6.4. Certainly, signatures can be specified on the basis of TCPDOSAttacks once it is defined. However, we may later discover other TCP based DOS attacks, e.g., Ping of Death and SYN flooding attacks [Kendall, 1999]. If this happens, we can use signatures and view definitions (e.g., the signatures and view definitions outside of the dashed box in figure 6.4) to derive more events on TCPDOSAttacks without changing either the specification of TCPDOSAttacks itself or the signatures defined on the basis of it. In other words, we can gradually change the semantics of system views and signatures without changing their specifications. As a result, the signatures specified in our model are generic and can potentially accommodate new attacks.

[1]  Barak A. Pearlmutter,et al.  Detecting intrusions using system calls: alternative data models , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[2]  Stephanie Forrest,et al.  Intrusion Detection Using Sequences of System Calls , 1998, J. Comput. Secur..

[3]  Giovanni Vigna,et al.  STATL: An Attack Language for State-Based Intrusion Detection , 2002, J. Comput. Secur..

[4]  Anup K. Ghosh,et al.  Detecting anomalous and unknown intrusions against programs , 1998, Proceedings 14th Annual Computer Security Applications Conference (Cat. No.98EX217).

[5]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[6]  Eugene H. Spafford,et al.  Intrusion detection using autonomous agents , 2000, Comput. Networks.

[7]  Salvatore J. Stolfo,et al.  A Data Mining and CIDF Based Approach for Detecting Novel and Distributed Intrusions , 2000, Recent Advances in Intrusion Detection.

[8]  Karl N. Levitt,et al.  Execution monitoring of security-critical programs in distributed systems: a specification-based approach , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[9]  D. Curry,et al.  Intrusion Detection Message Exchange Format Data Model and Extensible Markup Language (XML) Document Type Definition , 2004 .

[10]  Salvatore J. Stolfo,et al.  A data mining framework for building intrusion detection models , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[11]  Eugene H. Spafford,et al.  A PATTERN MATCHING MODEL FOR MISUSE INTRUSION DETECTION , 1994 .

[12]  Giovanni Vigna,et al.  NetSTAT: A Network-based Intrusion Detection System , 1999, J. Comput. Secur..

[13]  Dong Xiang,et al.  Information-theoretic measures for anomaly detection , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[14]  Shyhtsun Felix Wu,et al.  JiNao: Design and Implementation of a Scalable Intrusion Detection System for the OSPF Routing Proto , 1999 .

[15]  Sandeep Kumar,et al.  A Software Architecture to Support Misuse Intrusion Detection , 1995 .

[16]  Stuart Staniford-Chen,et al.  Holding intruders accountable on the Internet , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[17]  Udo W. Pooch,et al.  Cooperating security managers: a peer-based intrusion detection system , 1996, IEEE Netw..

[18]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[19]  Sushil Jajodia,et al.  Abstraction-based intrusion detection in distributed environments , 2001, TSEC.

[20]  R. Sekar,et al.  Specification-based anomaly detection: a new approach for detecting network intrusions , 2002, CCS '02.

[21]  Giovanni Vigna,et al.  NetSTAT: a network-based intrusion detection approach , 1998, Proceedings 14th Annual Computer Security Applications Conference (Cat. No.98EX217).

[22]  Salvatore J. Stolfo,et al.  Mining Audit Data to Build Intrusion Detection Models , 1998, KDD.

[23]  Michael Stonebraker,et al.  Implementation techniques for main memory database systems , 1984, SIGMOD '84.

[24]  J. F. McClary,et al.  NADIR: An automated system for detecting network intrusion and misuse , 1993, Comput. Secur..

[25]  Biswanath Mukherjee,et al.  DIDS (distributed intrusion detection system)—motivation, architecture, and an early prototype , 1997 .

[26]  Salvatore J. Stolfo,et al.  A framework for constructing features and models for intrusion detection systems , 2000, TSEC.

[27]  Richard A. Kemmerer,et al.  State Transition Analysis: A Rule-Based Intrusion Detection Approach , 1995, IEEE Trans. Software Eng..

[28]  Frédéric Cuppens,et al.  LAMBDA: A Language to Model a Database for Detection of Attacks , 2000, Recent Advances in Intrusion Detection.

[29]  Dorothy E. Denning,et al.  An Intrusion-Detection Model , 1987, IEEE Transactions on Software Engineering.

[30]  Salvatore J. Stolfo,et al.  Data Mining Approaches for Intrusion Detection , 1998, USENIX Security Symposium.

[31]  Sushil Jajodia,et al.  Abstraction-based misuse detection: high-level specifications and adaptable strategies , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[32]  David A. Wagner,et al.  Intrusion detection via static analysis , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[33]  Karl N. Levitt,et al.  GrIDS A Graph-Based Intrusion Detection System for Large Networks , 1996 .

[34]  Markus G. Kuhn,et al.  Analysis of a denial of service attack on TCP , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[35]  Peter G. Neumann,et al.  EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances , 1997, CCS 2002.

[36]  D. Frincke,et al.  A Framework for Cooperative Intrusion Detection , 1998 .

[37]  Sushil Jajodia,et al.  Design and implementation of a decentralized prototype system for detecting distributed attacks , 2002, Comput. Commun..

[38]  Deborah A. Frincke,et al.  Planning, Petri Nets, and Intrusion Detection , 1998 .

[39]  Naji Habra,et al.  Distributed audit trail analysis , 1995, Proceedings of the Symposium on Network and Distributed System Security.

[40]  Marshall T. Rose,et al.  The Blocks Extensible Exchange Protocol Core , 2001, RFC.

[41]  Jennifer Widom,et al.  A First Course in Database Systems , 1997 .

[42]  Harold S. Javitz,et al.  The NIDES Statistical Component Description and Justification , 1994 .

[43]  Feiyi Wang,et al.  Design and implementation of a scalable intrusion detection system for the protection of network infrastructure , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[44]  Ulf Lindqvist,et al.  Detecting computer and network misuse through the production-based expert system toolset (P-BEST) , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[45]  Marcus J. Ranum,et al.  Implementing a generalized tool for network monitoring , 1997, Inf. Secur. Tech. Rep..

[46]  C. J. Date A Guide to the SQL Standard , 1987 .

[47]  Charles E. Kahn,et al.  A common intrusion detection framework , 2000 .

[48]  Carla E. Brodley,et al.  Temporal sequence learning and data reduction for anomaly detection , 1998, CCS '98.