Autonomous Agents for Intrusion Detection

We address the problem of intrusion detection from a different angle -- instead of a monolithic Intrusion Detection System (IDS) design, we propose a distributed architecture. Our design has the advantages of scalability, efficiency, fault-tolerance, and easy configurability.

Audit Trails Format

Our purpose is to analyze audit trails to determine the format that is needed for detecting computer intrusions and misuse. Format refers to the data contained in the audit trails as well as their structure.

Audit Trails Reduction

Our purpose is to develop techniques and, ultimately, tools to efficiently reduce audit data, both in the sense of economizing storage space and in the sense of abstracting higher-level, more useful information for security administrators.

Firewalls Evaluation

Our purpose is to gain direct experience in the installation, evaluation, configuration and usage of different firewall systems; to investigate new technologies for network perimeter defenses, including next-generation networks such as ATM; and to investigate the integration of host- and network-based security mechanisms with network perimeter defenses.

Software Evaluation

Our purpose is to gain direct experience in the installation, evaluation, configuration and usage of different security software packages; to provide a common software evaluation form for evaluating publically available software currently on the COAST archive and in the commercial realm; and to install and configure software to protect and monitor COAST machines.

Vulnerabilities Database

The vulnerability database and vulnerability analysis group at COAST is interested in collecting and analyzing computer vulnerabilities for a variety of purposes, including the application of knowledge discovery and data mining tools to find non-obvious relationships in vulnerability data, the development of vulnerability classifications, and the development of tools that will help generate intrusion detection signatures from vulnerability information.

Vulnerabilities Testing

The purpose of the group is to develop methods of testing software to discover security flaws before the software is deployed.

Security Archive

Our purpose is to maintain the largest publicly available collection of security related material in the Internet.

Methods of Security Fault Classification

Taimur Aslam was examining traditional methods of penetration testing in comparison with methods of software testing. This led to the development of a more formal classification of penetration testing methods and their use, as explained in his Master's thesis.

We are now in the process of expanding Taimur's original database and classification to encompass a wider selection of examples and methods. This extended work is being done by Ivan Krsul as part of his Ph.D. research. COAST sponsored a workshop on this topic in spring of 1996.

Currently, this work has been subsumed by the Vulnerability Database project.

Network Protections

Christoph Schuba completed a Master's thesis on vulnerabilities in the DNS protocol suite. A paper summarizing that work is available.

Microsoft Windows NT 4.0 Penetration Testing with SP3 (link removed)

Intrusion Detection Systems Research Group

Suspended or Completed Projects

Some of these projects are finished, or are in suspension until resources are available to continue with them.

Tripwire®

Primarily a project of Gene Kim and Gene Spafford, Tripwire® is an integrity monitor tool for Unix systems. It uses message digest algorithms to detect tampering with file contents, as might be caused by an intruder or virus.

A simple overview paper was published in InfoSecurity News in July 1993. A more complete description can be found in the design document. This paper is also in the proceedings of the 2nd ACM Conference on Computer and Communications Security. A technical report version of our Usenix/FedUnix SANS III paper, and a technical report version of our Usenix Applications Development Symposium paper describing experiences with Tripwire are also available.

Latest version: In December 1997, Tripwire, Inc. (formerly Visual Computing Corporation(tm)) obtained an exclusive license from Purdue University to develop and market new versions of Tripwire®. Their implementation of next generation Tripwire® products are well underway. Version 1.3 for Linux and Unix will be available for limited non-commercial download after July 20, 1998. Other Commercial versions, including versions for Windows-based systems and a number of Unix platforms, are also available thereafter. To obtain information on the latest Tripwire® product set, join the user's group, or to obtain tech support for any version of Tripwire®, visit Visual Computing's WWW Tripwire's website, www.tripwire.com.

To obtain information on the latest Tripwire® product set, join the users's group, or obtain tech support for any version of Tripwire®, visit Visual Computing's WWW site.

Firewall Policies

Bryn Dole was involved with consideration of problems related to the specification of security policies and their implementation in multi-level firewalls. The work in this project was relayed to the project's sponsor and not published.

OPUS

OPUS is a project devoted to exploring better methods of controlling reusable passwords. It is directed by Gene Spafford, and has involved several students including Steve Weeber, Stefan Dresler, Shital Bhatt, and Jennifer Dick.

Two papers are available that describe OPUS: the first describes the theoretical foundation, and the second describes data collection for testing.

Messiahs

This was not actually a COAST project, but has some close ties. The work involved research into how to widely distribute computation while limiting how much information to advertise about the capabilities and architecture of site computing resources. This work was done by Steve Chapin, now on the faculty at Kent State University. Several papers, Dr. Chapin's dissertation, and a more extensive description of the project are available on the Messiahs homepage.

Portable Virus Scanners

This is a project currently in suspension. It was research towards a reconfigurable, retargetable scanner suitable for multiple architectures. Initial results were promising, but the project was never completed because of a lack of necessary resources. We hope to find appropriate sponsorship to finish the remaining work on this project and release the tool for general use.

Smart Card and Biometrics Projects

Software Forensics

Originally a project by Steve Weeber and Gene Spafford, a portion of it was most recently Ivan Krsul's Master's thesis project. Ivan has refined a set of metrics to be used when matching source code, and he has conducted several experiments with them to determine their validity. Additional areas were defined in the original software forensics paper.

Secure Patch Distribution

The purpose of this group is to develop methods of safely distributing security-relevant patches to critical systems. It is directed to methods of distributing software patches in such a way that they cannot be reverse-engineered and used against other sites.

IDIOT

IDIOT is Intrusion Detection In Our Time, a project to develop a new approach to efficient misuse detection methods. This work was started by Sandeep Kumar, who recently completed his Ph.D. He designed a new method of employing complex pattern matching to intrusion signatures. His design made use of a new classification of intrusion methods based on complexity of matching and temporal characteristics. He also designed a generic matching engine based on colored Petri nets.

Several of the COAST students worked to expand the pattern database for IDIOT, and to enhance its portability. A version is now available for general release under a no-cost license.

An overview tech report describing this work is available. Sandeep's paper at the 1994 National Computer Security Conference was given the Outstanding Student Paper Award. Dr. Kumar's dissertation is available, too. Several other tech reports are also available.

Currently, this work has been subsumed by the Audit Trails Format, Audit Trails Reduction, Autonomous Agents, and Vulnerability Database projects.

SYNKILL

Since September 1996, the SYN flood attack has been encountered on the Internet. The problems with this attack are that it takes advantages of limitations in the TCP protocol itself. In its present form, it is extremely difficult to trace an attack back to its originating machine, and the fact that it involves very little cost to the attacker means that it is a serious threat to targeted Internet Service Providers. The group is working on methods to prevent this attack as well as solutions for the present.

Renaissance Security System

Renaissance is a project to investigate the applicability of object-oriented techniques to the construction of large scale distributed systems. It consists of various sub-projects, among which the Renaissance Security System is an integral part.

The Renaissance Security System is intended to provide the run-time environment for clients and servers to mutually authenticate on the basis of global principal identity. In addition, the Renaissance Security System protect the communications between clients and servers by encrypting data packets using Data Encryption Standard (DES) keys. The Renaissance Security System follows the SPX model of authentication for authentication and DES key exchange.

The Renaissance home-page is available for further details on the Renaissance project. The Renaissance Security System project is currently supervised by Vincent F. Russo.

---

Available Tools

This lists available tools produced by COAST. (Note that some tools and prototypes may only be available to sponsors, and thus may not be listed here.)

Tripwire

ftp://ftp.cerias.purdue.edu/pub/tools/unix/ids/tripwire/

Synkill Shield

This is a tool that monitors for SYN flood attacks and then responds to them. It can protect all the machines on a LAN. The tool is described in a paper in the 1997 IEEE Symposium on Security and Privacy. The tool is only available to COAST sponsors -- contact Gene Spafford for details.

Scan-detector

This is a tool to monitor for port scans of a Unix system. It is available as ftp://ftp.cerias.purdue.edu/pub/tools/unix/logutils/

SATAN Extensions

We have some extensions to the SATAN/SANTA scanning tool.

IDIOT

A demonstration implementation of our IDIOT intrusion detection system is now available under a no-cost, limited-use license. If you would like a copy, contact spaf@cerias.purdue.edu