Intrusion Detection: Introduction to Intrusion Detection and Security Information Management

This paper covers intrusion detection and security information management technologies. It opens with a primer on intrusion detection, focusing on data sources and analysis techniques. Data sources are classified according to their capture mechanism, and the accuracy of each class is evaluated. Analysis techniques are classified into misuse detection, which uses an explicit body of knowledge about security attacks to generate alerts, and anomaly detection, which builds a model of the safe or normal operation of the monitored information system and generates alerts for anything that does not fit that model. The paper then describes the security information management and alert correlation technologies in use today, in particular statistical modeling of alert flows and explicit correlation between alert information and vulnerability assessment information.
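The three techniques named in the abstract, shown side by side in an added example that is not code from the paper: misuse detection as signature matching over request URIs, anomaly detection as an EWMA control chart over per-slot event intensity (the EWMA is assumed here as one concrete choice of "statistical modeling of alert flows"), and correlation of alerts with a vulnerability assessment table to rank them. The events, signatures, hosts, counts and the `VULNS` table are all constructed for illustration.

```python
import re
from math import sqrt
from statistics import mean, pstdev

# Constructed sample input (not from the paper): HTTP requests as seen by a
# network sensor. "t" is a coarse time slot used by the alert-flow model.
EVENTS = [
    {"t": 0, "src": "192.0.2.10", "dst": "10.0.0.5", "uri": "/index.html"},
    {"t": 0, "src": "192.0.2.10", "dst": "10.0.0.5", "uri": "/cgi-bin/../../etc/passwd"},
    {"t": 1, "src": "192.0.2.11", "dst": "10.0.0.6", "uri": "/cgi-bin/../../../etc/passwd"},
    {"t": 1, "src": "192.0.2.11", "dst": "10.0.0.6", "uri": "/page.php?file=http://198.51.100.7/x.txt"},
    {"t": 2, "src": "192.0.2.12", "dst": "10.0.0.9", "uri": "/cgi-bin/../secret"},
]

# Misuse detection: explicit knowledge of attacks, encoded as (name, pattern,
# affected component). Patterns are illustrative, not a real signature set.
SIGNATURES = [
    ("cgi-traversal", re.compile(r"/cgi-bin/(?:\.\./)+"), "web-cgi"),
    ("php-remote-include", re.compile(r"[?&][A-Za-z_]+=https?://"), "web-php"),
]

# Hypothetical vulnerability assessment result: host -> components found
# vulnerable. A host absent from the table has simply not been assessed.
VULNS = {"10.0.0.5": {"web-cgi"}, "10.0.0.6": {"web-php"}}


def misuse_detect(events):
    """Return one alert per (event, signature) match."""
    alerts = []
    for ev in events:
        for name, pattern, component in SIGNATURES:
            if pattern.search(ev["uri"]):
                alerts.append({"name": name, "src": ev["src"], "dst": ev["dst"],
                               "t": ev["t"], "affects": component})
    return alerts


def correlate(alerts, vulns):
    """Rank each alert against vulnerability assessment data for its target."""
    for a in alerts:
        if a["dst"] not in vulns:
            a["priority"] = "medium"      # no assessment data: cannot discount
        elif a["affects"] in vulns[a["dst"]]:
            a["priority"] = "high"        # attack matches a confirmed weakness
        else:
            a["priority"] = "low"         # target is not exposed to this attack
    return alerts


def ewma_anomalies(counts, baseline_slots, lam=0.3, L=3.0):
    """Flag slots whose EWMA of event intensity exceeds the upper control limit.

    The first `baseline_slots` values are taken as normal and fix the centre
    line and the limit; the remaining slots are monitored one by one.
    """
    base = counts[:baseline_slots]
    mu, sigma = mean(base), pstdev(base)
    ucl = mu + L * sigma * sqrt(lam / (2 - lam))   # asymptotic EWMA limit
    z, flagged = mu, []
    for i in range(baseline_slots, len(counts)):
        z = lam * counts[i] + (1 - lam) * z
        if z > ucl:
            flagged.append(i)
    return flagged


# Constructed per-slot request counts: 8 quiet baseline slots, a burst, then quiet.
COUNTS = [4, 5, 4, 6, 5, 4, 5, 5, 5, 5, 40, 45, 50, 5, 5]

if __name__ == "__main__":
    for a in correlate(misuse_detect(EVENTS), VULNS):
        print(f"slot {a['t']}: {a['name']} {a['src']} -> {a['dst']} [{a['priority']}]")
    print("out-of-control slots:", ewma_anomalies(COUNTS, baseline_slots=8))
```

Two points worth noticing when running it. The traversal attempt against 10.0.0.6 is ranked low rather than discarded: the assessment says that host has no vulnerable CGI component, but the alert still records hostile activity from that source. And the EWMA chart keeps reporting slots 13 and 14 as out of control after the burst has ended, because the smoothed statistic decays back toward the centre line only gradually; that memory is what makes the chart sensitive to small sustained shifts, and it is also why alerts from such a model must be interpreted as "the intensity is still abnormal", not "an event occurred in this slot".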
