Intrusion detection, performance assurance and system maintenance: A new paradigm in computer security

In this paper, new methodologies and practices for monitoring computer networks and distributed systems, based upon known nondestructive testing (NDT) methods, are proposed and developed by the authors. The resultant system, dubbed Detecting Intrusions at Layer One (DILON), utilizes basic signal measurement and processing, combined with ideas taken from the NDT domains, to control hardware access to the network based upon signal statistics. DILON operates by observing an attack-free network and characterizing its normal signal behavior. An unauthorized piece of hardware attempting to access the network will necessarily introduce different signal statistics onto the network, because its signal-level behavior is unique. It will be detected as anomalous because the network has not been calibrated to recognize that device's specific signal statistics. Clearly, one of the challenges for DILON is determining whether variations in signal statistics are due to actual network intrusions or stem from possible device failure. We believe that through the systematic testing of network characterization data, past and present, DILON can serve the dual purpose of detecting intrusions and alerting administrators to the imminent failure of hardware. In addition, a byproduct of this technique is the capability for the operator to predict hardware failure based on the degradation of the signal statistics.
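The calibrate-then-compare idea, and the intrusion-versus-failure question the abstract raises, can be sketched as follows; this is an added example, not code from the paper or from DILON. It assumes the signal statistics are the mean and standard deviation of voltage samples on one port, and that degradation shows up as gradual drift while swapped hardware shows up as an abrupt jump; all function names, thresholds and sample values are hypothetical and constructed for illustration.

```python
import math
import statistics

def calibrate(samples):
    """Baseline (mean, stdev) of signal-level samples from an attack-free period."""
    return statistics.fmean(samples), statistics.stdev(samples)

def assess(baseline, windows, alarm_z=3.0, step_z=1.5):
    """Label each successive measurement window seen on one port."""
    mu, sigma = baseline
    labels, prev = [], mu
    for w in windows:
        m = statistics.fmean(w)
        z = abs(m - mu) / sigma        # distance from calibrated behaviour
        step = abs(m - prev) / sigma   # change since the previous window
        if z <= alarm_z:
            labels.append("normal")
        elif step > step_z or (labels and labels[-1] == "intrusion"):
            # Abrupt jump: assumed to be different hardware. Latched until
            # the port is back in range or recalibrated.
            labels.append("intrusion")
        else:
            # Out of range but reached in small steps: assumed device wear.
            labels.append("degrading")
        prev = m
    return labels

def windows_until_alarm(baseline, windows, alarm_z=3.0):
    """Linear extrapolation of drift: windows left before alarm_z is crossed."""
    mu, sigma = baseline
    z = [abs(statistics.fmean(w) - mu) / sigma for w in windows]
    slope = (z[-1] - z[0]) / (len(z) - 1)
    if slope <= 0:
        return None                    # no outward drift to extrapolate
    return max(0, math.ceil((alarm_z - z[-1]) / slope))

def _win(m):
    """Constructed three-sample window with mean m (volts)."""
    return [m - 0.01, m, m + 0.01]

# Constructed sample data, in volts: calibration run, slow drift, hardware swap.
CALIBRATION = [2.50, 2.52, 2.48, 2.51, 2.49, 2.50, 2.53, 2.47]
DRIFT = [_win(m) for m in (2.51, 2.53, 2.55, 2.57, 2.59)]
SWAP = [_win(m) for m in (2.50, 2.51, 2.62, 2.62)]

if __name__ == "__main__":
    base = calibrate(CALIBRATION)
    print(assess(base, DRIFT), assess(base, SWAP), windows_until_alarm(base, DRIFT[:3]))
```
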