A System Architecture for Computer Intrusion Detection

An intrusion into an information system is an attempt to compromise the security of that system; Intrusion Detection Systems (IDSs) attempt to detect such intrusions. This paper discusses what an IDS requires from the target information system and how the IDS detects intrusions into it. Specifically, we describe the architecture of a distributed host-based IDS developed at the Information and Systems Assurance Laboratory, Arizona State University. On each host machine in the information system we install an event data collector that collects and filters event data from that host. The Centralized IDS Server receives the processed data and forwards it to the Individual Technique Servers. These Individual Technique Servers run different intrusion detection algorithms, covering both anomaly detection techniques and signature recognition techniques. Each Individual Technique Server determines an intrusion warning (IW) level for each event. The Centralized IDS Server then integrates the IW levels from the Individual Technique Servers into a composite IW level and provides it to the security administrator.
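The pipeline described above, simulated end to end as an added example (not code from the paper or the laboratory): per-host collectors filter constructed audit events, a signature technique server and an anomaly technique server each assign an IW level, and a central server integrates them. The noise filter, the two scoring rules, the user profiles and the weighted-average integration are assumptions made for illustration; the paper does not specify them.

```python
"""Toy simulation of the distributed host-based IDS pipeline from the abstract.
Component names follow the abstract; the filter rule, both detection algorithms,
the user profiles and the weighted integration are assumptions for illustration."""
from collections import Counter

# Constructed audit events: (host, user, command). Not real data.
RAW_EVENTS = [
    ("hostA", "alice", "ls"), ("hostA", "alice", "cat"), ("hostA", "alice", "ls"),
    ("hostB", "bob", "ls"), ("hostB", "bob", "chmod"), ("hostB", "bob", "tftp"),
]
NOISE = {"cat"}        # assumed filter: commands the collector drops as uninteresting
SIGNATURES = {"tftp"}  # assumed signature set used by the signature technique server
# Assumed normal-behaviour profile per user (command counts from a training period).
PROFILE = {"alice": Counter(ls=8, cat=2), "bob": Counter(ls=9, chmod=1)}

def collect(host, events):
    """Event data collector: keep only this host's events and drop noise."""
    return [e for e in events if e[0] == host and e[2] not in NOISE]

def signature_iw(event):
    """Signature recognition technique server: IW 1.0 on a known attack signature."""
    return 1.0 if event[2] in SIGNATURES else 0.0

def anomaly_iw(event):
    """Anomaly detection technique server: the rarer the command for this user, the higher the IW."""
    prof = PROFILE.get(event[1], Counter())
    total = sum(prof.values())
    return 1.0 if total == 0 else 1.0 - prof[event[2]] / total

WEIGHTS = {signature_iw: 0.6, anomaly_iw: 0.4}  # assumed integration weights

def composite_iw(event):
    """Centralized IDS Server: weighted average of the per-technique IW levels."""
    return round(sum(w * f(event) for f, w in WEIGHTS.items()), 3)

def run(hosts=("hostA", "hostB")):
    """Central server gathers filtered events from every collector and scores each one."""
    return [(e, composite_iw(e)) for h in hosts for e in collect(h, RAW_EVENTS)]

if __name__ == "__main__":
    for event, iw in sorted(run(), key=lambda kv: -kv[1]):
        print(f"{event}: composite IW {iw}")
```

The administrator sees one ranked list: the unseen signature-matching command scores 1.0, a rare but unsigned command scores 0.36 from the anomaly server alone, and routine commands stay near zero.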
