NetSTAT: A Network-based Intrusion Detection System

Network-based attacks are becoming more common and sophisticated. For this reason, intrusion detection systems are now shifting their focus from the hosts and their operating systems to the network itself. Network-based intrusion detection is challenging because network auditing produces large amounts of data, and different events related to a single intrusion may be visible in different places on the network. This paper presents a new approach that applies the State Transition Analysis Technique (STAT) to network intrusion detection. Network-based intrusions are modeled using state transition diagrams in which states and transitions are characterized in a networked environment. The target network environment itself is represented using a model based on hypergraphs. By using a formal model of both the network to be protected and the attacks to be detected the approach is able to determine which network events have to be monitored and where they can be monitored, providing automatic support for configuration and placement of intrusion detection components.

[1]  Stephen Deering,et al.  Internet Protocol Version 6(IPv6) , 1998 .

[2]  Jon Postel,et al.  Internet Protocol , 1981, RFC.

[3]  Steven McCanne,et al.  The BSD Packet Filter: A New Architecture for User-level Packet Capture , 1993, USENIX Winter.

[4]  Robert Morris A Weakness in the 4.2BSD Unix† TCP/IP Software , 1999 .

[5]  S. M. Bellovin,et al.  Security problems in the TCP/IP protocol suite , 1989, CCRV.

[6]  Harold S. Javitz,et al.  The SRI IDES statistical anomaly detector , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[7]  Udo W. Pooch,et al.  A Unix network protocol security study: network information service , 1992, CCRV.

[8]  Todd L. Heberlein,et al.  Network intrusion detection , 1994, IEEE Network.

[9]  Giovanni Vigna,et al.  NetSTAT: a network-based intrusion detection approach , 1998, Proceedings 14th Annual Computer Security Applications Conference (Cat. No.98EX217).

[10]  Koral Ilgun,et al.  USTAT: a real-time intrusion detection system for UNIX , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[11]  Phillip A. Porras,et al.  STAT -- A State Transition Analysis Tool For Intrusion Detection , 1993 .

[12]  Eugene H. Spafford,et al.  An architecture for intrusion detection using autonomous agents , 1998, Proceedings 14th Annual Computer Security Applications Conference (Cat. No.98EX217).

[13]  Randall J. Atkinson,et al.  Security Architecture for the Internet Protocol , 1995, RFC.

[14]  Jon Postel,et al.  User Datagram Protocol , 1980, RFC.

[15]  Dorothy E. Denning,et al.  An Intrusion-Detection Model , 1987, IEEE Transactions on Software Engineering.

[16]  Biswanath Mukherjee,et al.  DIDS (distributed intrusion detection system)—motivation, architecture, and an early prototype , 1997 .

[17]  Biswanath Mukherjee,et al.  A network security monitor , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[18]  Richard A. Kemmerer,et al.  NSTAT: A Model-based Real-time Network Intrusion Detection System , 1998 .