Intrusion Detection Systems

Original list compiled by Mark Crosbie and Katherine Price, COAST Laboaratory, Purdue University

Additions from a list and bibliography compiled by Michael Sobirey, Brandenburg University of Technology at Cottbus, Germany

Updated by David A. Curry, IBM Emergency Response Service

Characterization of Intrusion Detection Systems Based on Data Source

host based: audit data from a single host is used to detect intrusions.
multihost based: audit data from multiple hosts is used to detect intrusions.
network based: network traffic data, along with audit data from one or more hosts, is used to detect intrusions.

Characterization of Intrusion Detection Systems Based on Model of Intrusions

anomaly detection model: the intrusion detection system detects intrusions by looking for activity that is different from a user's or system's normal behavior.
misuse detection model: the intrusion detection system detects intrusions by looking for activity that corresponds to known intrusion techniques (sigantures) or system vulnerabilities.

The following references provide good overviews or surveys of Intrusion Detection Systems that have been developed:

Biswanath Mukherjee, L. Todd Heberlein, and Karl N. Levitt. Network intrusion detection. IEEE Network, 8(3):26-41, May/June 1994.
Gregory B. White, Eric A. Fisch, and Udo W. Pooch. Computer System and Network Security. CRC Press Inc., 1996.

References containing more detailed information are listed after the system summary for each of the Intrusion Detection Systems described below.

Title:	ADS (Attack Detection System)
Authors:	I. Kantzavelou, A. Patel; University College, Dublin, Ireland
Attributes:
URL:
Availability:

No information yet.

References:

Kantzavelou, I. and Patel, A. An attack detection system for secure computer systems - Design of ADS. In Proceedings of the 12th International Information Security Conference, pages 1-16, May 1996.
Kantzavelou, I. and Katsikas, S. K. An attack detection system for secure computer systems - Outline of the solution. In Proceedings of the 13th International Information Security Conference, pages 123-135, May 1997.

Title:	AID (Adaptive Intrusion Detection system)
Authors:	Michael Sobirey, Birk Richter; Brandenburg University of Technology at Cottbus, Germany
Attributes:	multihost based, misuse detection
URL:	http://www-rnks.informatik.tu-cottbus.de/~sobirey/aid.e.html
Availability:

AID (Adaptive Intrusion Detection system) is designed for network audit based monitoring of local area networks and used for investigating network and privacy oriented auditing. The research project was funded by the Brandenburg Department of Science, Research and Culture from 1994 to Spring 1996.

AID has a client-server architecture consisting of a central monitoring station and several agents (servers) on the monitored hosts. The central station hosts a manager (client) and an expert system. The agents take the audit data that were collected by the local audit functions and convert them into an operating system independent data format. By these means a monitoring of a heterogeneous UNIX environment is supported. Then the audit data are transferred to the central monitoring station, buffered in a cache and analysed by an RTworks based real-time expert system. The manager provides functions for the security administration of the monitored hosts. It controls their audit functions, requests new audit data by controlled polling and returns the decisions of the expert system to the agents. Secure RPC is used for the communication between the manager and the agents. The expert system uses a knowledge base with state oriented attack signatures, which are modelled by deterministic finite state machines and implemented as rule sequences. Relevant monitoring capabilities can be accessed by the security officer via a graphical user interface. In addition, the expert system archives data on finished and cancelled attacks, involved users and creates security reports.

AID has been successfully tested (12/95) in a local area network environment consisting of Sun SPARCstations running with Solaris 2.x and TCP/IP. Meanwhile 100 rules are implemented and the knowledge base is capable to detect 10 attack scenarios. In the described configuration and under the assumption of normal system load on the monitored hosts (maximal two working users, no patching in progress), the expert system analyses more than 2,5 MBytes per minute. The tests have shown that the prototype can monitor up to 8 hosts.

References:

M. Sobirey, B. Richter, and H. Konig. The intrusion detection system AID. Architecture, and experiences in automated audit analysis. In Proceedings of the IFIP TC6/TC11 International Conference on Communications and Multimedia Security, pages 278-290, September 1996.

Title:	AIMS (Automated Intrusion Monitoring System)
Authors:	U.S. Army
Attributes:
URL:
Availability:

The Automated Intrusion Monitoring System (AIMS) has been in development since June 1995 for the US Army and is intended to provide local and "theater-level" monitoring of computer attacks. The system is currently installed at the Army's 5th Signal Command in Worms, Germany and will be used to monitor Army computers scattered throughout Europe.

References:

AIMS was mentioned in GAO Executive Report - B-266140, Information Security - Computer Attacks at Department of Defense Pose Increasing Risks, May 1996.

Title:	ALVA (Audit Log Viewer and Analyzer tool)
Authors:	Abha Moitra; General Electric
Attributes:	host based, limited anomaly detection
URL:
Availability:

ALVA is a real-time tool for detecting potential security violations in UNIX audit logs. The system gains some level of platform independence by analyzing command logs that are precomputed from the system audit logs. A command log is a record of the user initiated commands and is reconstructed from the system call events recorded in the audit log. User's command logs would be similar across UNIX platforms, and so processing of the logs would be platform independent across UNIX workstations. A simple profile based on command, success/failure, frequency of occurence, and the domain of the target files is used to define a baseline of normal behavior for each user. A single penalty value is kept for each user, and when the user crosses a predefined threshold, ALVA reacts by contacting the security administrator and increasing the auditing level for the user. ALVA was developed to run on a C2 security level SUN environment.

References:

Moitra, A. Real-time Audit Log Viewer and Analyzer. In Proceedings of the 4th Workshop on Computer Security Incident Handling (Forum of Incident Response and Security Teams - FIRST), August 1992.

Title:	APA (Automated Penetration Analysis tool)
Authors:	S. Gupta, V. D. Gligor; University of Maryland at College Park
Attributes:
URL:
Availability:

No information yet.

References:

Gupta, S. and Gligor, V. D. Experience with a penetration analysis method and tool. In Proceedings of the 15th National Computer Security Conference, pages 165-183, October 1992.

Title:	ASAX (Advanced Security audit trail Analysis on uniX
Authors:	Baudouin Le Charlier, Abdelaziz Mounji, Naji Habra; University of Namur, Belguim Isabelle Mathieu, Siemens-Nixdorf Software S.A.
Attributes:	multihost based, misuse detection
URL:	http://www.info.fundp.ac.be/~amo/publications.html
Availability:	Version 1.0 (September 1994) freely available; later versions commercially available

ASAX is a distributed audit trail analysis system that also has incorporated configuration analysis. The audit trail analysis system consists of a central master host and one or more monitored machines. The monitored machines analyze their local audit data using a host-based version of intrusion detection system, and relevant events are selected to be sent to the central host. The selected events are converted to a Normalized Security Audit Data Format (NADF) before being transmitted to the central host for global analysis. The conversion allows for global analysis of data from heterogeneous environments. Both the local host-based and global analysis engines are rule-based systems that detect known penetration patterns. This heirarchical model lends itself to detecting components of a pattern at a local level and to deriving the aggregate pattern at the global level. In the latest version of ASAX, configuration analysis has been integrated with the intrusion detection system. By continuously monitoring the current configuration of the system, ASAX has the ability to tune the intrusion detection system to the current system state. The integrated system not only reports newly created security holes in real time, but also triggers appropriate detection rules to watch for exploits of the new holes. ASAX supports audit data from Solaris 2.x.

References:

A. Mounji, B. Le Charlier. Continuous Assessment of a Unix Configuration: Integrating Intrusion Detection and Configuration Analysis. In Proceedings of the ISOC' 97 Symposium on Network and Distributed System Security. February 1997.
A. Mounji, B. Le Charlier. Detecting Breaches in Computer Security: A Pragmatic System with a Logic Programming Flavor. In Proceedings of the Eight Benelux Workshop on Logic Programming. September, 1996.
B. Le Charlier, A. Mounji, M. Swimmer. Dynamic Detection and Classification of Computer Viruses Using General Behaviour Patterns. In Proceedings of Fifth International Virus Bulletin Conference. September 20-22, 1995.
Abdelaziz Mounji, Baudouin Le Charlier, Denis Zampunieris, and Naji Habra. Distributed audit trail analysis. In Proceedinfs of the ISOC '95 Symposium on Network and Distributed System Security, 1995.
A. Mounji, B. Le Charlier, D. Zampuniéris, N. Habra. Distributed Audit Trail Analysis. In Proceedings of the ISOC '95 Symposium on Network and Distributed Systems Security. February 1995.
Naji Habra, Baudouin Le Charlier, Abdelaziz Mounji, and Isabelle Mathieu. ASAX: Software architecture and rule-based language for universal audit trail analysis. In Proceedings of the Second European Symposium on Research in Computer Security, pages 435-450, November 1992.

Title:	ASIM (Automated Security Incident Measurement)
Authors:	U.S. Air Force
Attributes:
URL:
Availability:

Automated Security Incident Measurement (ASIM) is designed to measure the level of unauthorized activity against its systems. Under this project, several automated tools are used to examine network activity and detect and identify unusual network events, for example, Internet addresses not normally expected to access Defense computers. These tools have been installed at only 36 of the 108 Air Force installations around the world. Selection of these installations was based on the sensitivity of the information, known system vulnerabilities, and past hacker activity. Data from the ASIM is analyzed by personnel responsible for securing the installation's network. Data is also centrally analyzed at the AFIWC in San Antonio, Texas.

ASIM has been extremely useful in detecting attacks on Air Force systems. However, as currently configured, ASIM information is only accumulated and automatically analyzed nightly. As a result, a delay occurs between the time an incident occurs and the time when ASIM provides information on the incident. ASIM is currently configured for selected operating systems and, therefore, cannot detect activity on all Air Force computer systems. USAF plans to continue refining the ASIM to broaden its use for other Air Force operating systems and enhance its ability to provide data on unauthorized activity more quickly.

References:

ASIM was mentioned in GAO Executive Report - B-266140, Information Security - Computer Attacks at Department of Defense Pose Increasing Risks, May 1996.

Title:	AudES
Authors:	G. Tsudik and R. Summers
Attributes:
URL:
Availability:

No information yet.

References:

Tsudik, G. and Summers, R. AudES - an expert system for security auditing. In Proceedings of the AAAI Conference on Innovative Applications in AI, May 1990.

Title:	Autonomous Agents for Intrusion Detection
Authors:	Mark Crosbie, Eugene Spafford; COAST Laboratory, Purdue University
Attributes:	multihost based, anomaly detection
URL:	http://www.cs.purdue.edu/coast/projects/autonomous-agents.html
Availability:	Available to COAST sponsors

This project addresses the problem of intrusion detection from a different angle - instead of a monolithic Intrusion Detection System (IDS) design, it proposes a distributed architecture. The design has the advantages of scalability, efficiency, fault-tolerance, and easy configurability.

In the next few months (Feb 97), the group expects to have a fully functional transceiver module, as well as a fully functional monitor with the GUI. Further, they expect to have some simple agents running on different hosts in a network. They expect to make performance measurements and modify the design if required. They expect to start work on integration with the audit subsystem provided by BSM (Solaris 2.x). They also would like to do some research on the metrics to measure as well as their inter-dependencies. Further, longer term, goals include investigation of object migration, an object oriented agent approach, dynamic configurability of agents, and an agent configuration language.

References:

Mark Crosbie and Eugene Spafford. Active Defense of a Computer System using Autonomous Agents. In Proceedings of the 18th National Information Systems Security Conference, pages 549-558, October 1995.
Mark Crosbie and Eugene Spafford. Applying genetic programming to intrusion detection. In Proceedings of the 1995 AAAI Fall Symposium on Genetic Programming, Nov. 1995.

Title:	CMDS (Computer Misuse Detection System)
Authors:	Science Applications International Corporation
Attributes:	multihost based, anomaly and misuse detection
URL:	http://www.saic.com/it/cmds/index.html
Availability:	Commercially available

Computer Misuse Detection System (CMDS) software is a commercial intrusion detection system developed by Science Applications International Corporation (SAIC). CMDS is a real-time audit reduction and analysis system that detects and deters computer misuse. CMDS includes two misuse detection mechanisms: a statistical detection mechanism and a rule-based expert system. The statistical detection system compares current behavior profiles to historic (expected) behavior profiles and generates real-time warnings when the current behavior deviates beyond set thresholds. The rule-based expert system looks for activity that mirrors modeled misuse scenarios and generates real-time warnings alerting the security administrator when suspicious activity is found. CMDS is designed to detect intrusions in heterogeneous networks, and the software supports audit data from the SunOS, Solaris, and HP/UX operating systems.

References:

Paul Proctor. Audit reduction and misuse detection in heterogeneous environments: Framework and applications. In Proceedings of the 10th Annual Computer Security Applications Conference, pages 117-125, December 1994.

Title:	ComputerWatch
Authors:	AT&T Bell Laboratories
Attributes:	host based, limited misuse detection
URL:	http://www.att.com/press/0293/930202.fsa.html
Availability:	Commercially available as a companion product to AT&T System V/MLS for NCR Series 3000 computers

The ComputerWatch Audit Trail Analysis Tool was developed by the Secure Systems Department at AT&T Bell Laboratories. The tool provides audit trail data reduction and limited intrusion-detection capability. It is designed to assist the system security officer by reducing the amount of data that he/she views without the loss of any informational content. ComputerWatch uses an expert system approach to summarize security sensitive events and applies simple detection rules to highlight anomalous behavior that may indicate system security breaches. The tool is designed for audit trails from the System V/MLS operating system but it could be extended to operate on audit trails from other systems.

References:

Cheri Dowell and Paul Ramstedt. The ComputerWatch data reduction tool. In Proceedings of the 13th National Computer Security Conference, pages 99-108, October 1990.

Title:	CSM (Cooperating Security Manager)
Authors:	Gregory B. White, U.S. Air Force Academy Eric A. Fisch and Udo W. Pooch, Texas A&M University
Attributes:	multihost based, misuse detection
URL:	http://www.cs.tamu.edu/people/efisch/csmieee.ps
Availability:

The Cooperating Security Manager (CSM) is an intrusion detection system designed to be used in a distributed network environment. Developed at Texas A&M University, this sytem runs on UNIX-based systems connected over any size network. The goal of the CSMs is to provide a system that can detect intrusive activity in a distributed environment without the use of a centralized director. A system with a central director coordinating all activity severely limits the size of the network. Instead of reporting significant network activity to a central director, the CSMs communicate among themselves to cooperatively detect anomoulous activity. The way this works is by having the CSMs take a proactive, instead of reactive, approach to intrusion detection.

In a reactive approach with a centralized director, the individual hosts would report occurrences of failed login attempts, for example, to the central director. In a practive approach, the host from which the intruder was attempting to make the connections would contact the systems being attacked. The key to having a practive approach work is to have all hosts (or at least the vast majority of hosts) on a network run a CSM. While this may at first appear to be somewhat idealistic, with the current interst among vendors to develop "Security on a chip", the concept of an intrusion detection system provided in hardware may not be that far off.

References:

G. B. White, U. W. Pooch. Cooperating Security Managers: distributed intrusion detection systems. Computers & Security 15(1996)5, pages 441-450.
Gregory B. White, Eric A. Fisch, and Udo W. Pooch. Cooperating security managers: A peer-based intrusion detection system. IEEE Network, 10(1):20-23, January/February 1996.

Title:	CyberCop
Authors:	Network General Corporation
Attributes:	network based, misuse detection
URL:	http://www.ngc.com/product_info/cybercop/ccdata/ccdata1.html
Availability:	Commercially available

Network General has licensed WheelGroup's NetRanger intrusion detection technology. They have ported the NSX ("sensor") portion of NetRanger to their Sniffer family of protocol analyzers, and modified it to report its alarms up through the Sniffer information distribution hierarchy rather than the NetRanger Director.

References:

Title:	DECinspect
Authors:	Digital Equipment Corporation
Attributes:	host based, misuse detection
URL:
Availability:	no longer available

Superceded by POLYCENTER Security Intrusion Detector.

References:

Holdon, D. A rule-based intrusion detection system. In Proceedings of the IFIP TC11 8th International Conference, pages 433-440, 1992.

Title:	DIDS (Distributed Intrustion Detection System)
Authors:	University of California, Davis
Attributes:	multihost based, anomaly and misuse detection
URL:	http://olympus.cs.ucdavis.edu/papers/sbd91.abs
Availability:	Restricted to U.S. Air Force?

The first intrusion detection system that aggregates audit reports from a collection of hosts on a single network. Unique to DIDS is its ability to track a user as he establishes connections accros the network, some perhaps under different account names.

DIDS extends the network intrusion-detection concept from the local area network environment to arbitrarily wider areas, with the network topology being arbitrary as well. The generalized distributed environment is heterogeneous, i.e. the network nodes can be hosts or servers from different vendors, or some of them could be LAN managers. The architecture for DIDS consists of the following components: a host manager (a monitoring process or collection of processes running in background) in each host; a LAN manager for monitoring each LAN in the system; and a central manager, placed at a single secure location, that receives reports from various host and LAN managers and processes these reports, correlates them, and detects intrusions.

References:

Snapp, S. R., Smaha, S. E., Grance, T., Teal, D. M. The DIDS (Distributed Intrusion Detection System) Prototype. In Proceedings of the USENIX Summer 1992 Technical Conference, pages 227-233, June 1992.
Snapp, S. R., Brentano, J., Dias, G. V., Goan, T. L., Heberlein, L. T., Ho, C., Levitt, K. N., Mukherjee, B., Smaha, S. E., Grance, T., Teal, D. M., Mansur, D. DIDS (Distributed Intrusion Detection System) - Motivation, architecture and an early prototype. In Proceedings of the 14th National Computer Security Conference, pages 167-176, October 1991.
Brentano, J., Snapp, S. R., Dias, G. V., Goan, T. L., Heberlein, L. T., Ho, C. L., Levitt, K. N., Mukherjee, B., Smaha, S. E.. An Architecture for a Distributed Intrusion Detection System. In Proceedings of the 14th DoE Computer Security Group Conference, pages 25-45, May 1991.
Snapp, S. R., Brentano, J., Dias, G. V., Goan, T. L., Grance, T., Heberlein, L. T., Ho, C.-L., Levit, K. N., Mukherjee, B., Mansur, D. L., Pon, K. L., Smaha, S. E. A System for Distributed Intrusion Detection. In Proceedings of the COMPCON, pages 170-176, Feb./March 1991.

Title:	Discovery
Authors:	TRW Information Services
Attributes:	host based, anomaly detection
URL:
Availability:

Discovery searches for frequently occurring customer service access patterns to develop a "user profile" of customer inquiries. Daily customer inquiries are analyzed for error-free inquiries, which are compared with the established customer profiles. Records which fall within acceptable bounds (using a weighted algorithm) a dropped from further processing, all records outside these bounds are recorded for further processing, and a error rejection message is displayed. Utilizes a self-learning, data driven expert system for pattern recognition. Capable of reviewing 400,000 inquires per day, from a potential base of 120,000 customer access codes. The system is dynamic in its ability to detect and absorb subtle changes in user inquiry formats over time.

References:

Tener W. T. Discovery: An expert system in the commercial data security environment. In Proceedings of the 4th IFIP TC11 International Conference on Security, pages 261-268, 1989.

Title:	DRISC (Detect and Recover Intrusion using System Critically)
Authors:	Information Intelligence Science, Inc., Aurora, CO
Attributes:
URL:
Availability:

No information yet.

References:

Neumann, P. G. A Comparative Anatomy of Computer System/Network Anomaly Detection Systems, SRI-CSL Technical Report, 1990.

Title:	EMERALD (Event Monitoring Enabling Response to Anomalous Live Disturbances)
Authors:	SRI International
Attributes:	network based, anomaly and misuse detections
URL:	http://www.csl.sri.com/emerald/index.html
Availability:	Early research stages

This new DARPA project represents the next generation in the series of IDES/NIDES projects, specifically addressing network misuse. SRI is developing an analysis and response system that will be able to address unanticipated misuse in large network-based enterprises, within an interoperable and scalable modular system framework. This differs from much current and previous work devoted primarily to recognizing anticipated types of intrusions in local environments.

Profile-Based Algorithms. NIDES contains a statistical analysis component (NIDES-Stat) that is capable of detecting unanticipated anomaly modes (for example, in use of UNIX-based workstations), whereas rule-based systems detect only specifically identified anticipated threats. In EMERALD, SRI plans to extend NIDES-Stat to support some dynamic measure creation, correlation of profiles across heterogeneous data sources, and analysis of data from multiple layers in the network hierarchy.

Signature-Based Algorithms. NIDES contains a rule-based expert system. Other signature-based approaches are also being considered for EMERALD.

Hierarchical Analysis. In EMERALD, scalability to large networking applications will be aided by hierarchical processing of data on a distributed network. Raw data may be obtained at various points in the network (e.g., system audit data, LAN, firewall, network management data). The signature- and profile-based components will analyze data at various logical layers of abstraction, on appropriate platforms to minimize the amount of data that must be analyzed at each logical layer. Only the local analysis components will process raw data, whereas higher-layer components will examine aggregated data and analysis results fed upward from lower layers. Because of the data reduction provided by hierarchical analysis, it will be possible to model and analyze behavior over larger scopes without suffering the performance problems common to more centralized intrusion detection.

Responses to Intrusions. The EMERALD Resolver will extend the NIDES resolver to provide further analysis of anomalies and recommendations for responding to detected intrusions. Responses may involve reconfiguration of the intrusion detection system itself to collect more detailed data about the affected hosts and networks, or may encourage administrative action to shut down certain services, isolate affected assets, or activate redundant or finer-grain resources.

References:

Porras, A. and Neumann, P. G. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In Proceedings of the National Information Systems Security Conference, October 1997.

Title:	ESSENSE
Authors:	Digital Equipment Corporation
Attributes:
URL:
Availability:

No information yet.

References:

Valcarce, E. M., Hoglund, G. W., Jansen, L., Baillie, L. ESSENSE: An experiment in knowledge-based security monitoring and control. In Proceedings of the 3rd USENIX Unix Security Symposium, pages 155-170, Sept. 1992.

Title:	GASSATA (Genetic Algorithm for Simplified Security Audit Trail Analysis)
Authors:	M. Le; SUPELEC, Cesson Sevigne, France
Attributes:
URL:	http://www.supelec-rennes.fr/rennes/si/equipe/lme/these/these-lm.html
Availability:

No information yet.

References:

Me, L. Genetic Algorithms, a Biologically Inspired Approach for Security Audit Trails Analysis, short paper presented at the 1996 IEEE Symposium on Security and Privacy, May 1996.
Me, L. Security audit trail analysis using genetic algorithms. In Proceedings of the 12th International Conference on Computer Safety, Reliability and Security, pages 329-340, Oct. 1993.

Title:	GrIDS (Graph-based Intrusion Detection System)
Authors:	Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., Zerkle, D.; University of California at Davis
Attributes:	network based, misuse detection
URL:	http://olympus.cs.ucdavis.edu/arpa/grids/welcome.html
Availability:	Early research stages

GrIDS is designed to detect large-scale automated attacks on networked systems. The mechanism proposed is to build activity graphs which approximately represent the causal structure of large scale distributed activities.

The nodes of an activity graph correspond to hosts in a system, while edges in the graph correspond to network activity between those hosts. Activity in a monitored network causes graphs representing that activity to be built. These graphs are then compared against known patterns of intrusive or hostile activities, and if they look similar a warning (or perhaps a reaction) is generated.

The GrIDS project is part of UC Davis's Intrusion Detection for Large Networks project, which is funded by ARPA.

References:

Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., Zerkle, D. GrIDS - A Graph Based Intrusion Detection System for Large Networks. In Proceedings of the 19th National Information Systems Security Conference, pages 361-370, Oct. 1996.

Title:	Haystack
Authors:	S. Smaha; Tracor Applied Science, Inc.
Attributes:	host based, anomaly and misuse detections
URL:
Availability:	no longer available

Superceded by Stalker.

References:

Smaha, S. E. Haystack: An intrusion detection system. In Proceedings of the IEEE 4th Aerospace Computer Security Applications Conference, pages 37-44, Dec. 1988.

Title:	Hyperview
Authors:	CS Telecom, Groupe CSEE, Paris, France
Attributes:
URL:
Availability:

No information yet.

References:

Debar, H., Dorizzi, B. An application of a recurrent network to an intrusion detection system. In Proceedings of the International Joint Conference on Neural Networks, pages 478-483, June 1992.
Debar, H., Becker, M., Siboni D. A neural network component for an intrusion detection system. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 1-11, May 1992.

Title:	IDA (Intrusion Detection Alert)
Authors:	Motorola, Rolling Meadows, IL
Attributes:
URL:
Availability:

No information yet.

References:

Petersen, K. L. IDA - Intrusion Detection Alert. In Proceedings of the IEEE Annual International Computer Software and Applications Conference, pages 306-311, Sept. 1992.

Title:	IDA (Intrusion Detection and Avoidance system)
Authors:	S. Fischer-Hübner, M. Sobirey, K. Brunnstein, K. Rannenberg; University of Hamburg, Germany
Attributes:
URL:
Availability:

No information yet.

References:

Sobirey, M., Fischer-Hübner, S., Rannenberg, K. Pseudonymous Audit for Privacy Enhanced Intrusion Detection. In Proceedings of the 13th International Information Security Conference, May 1997.
Fischer-Hübner, S., Brunnstein, K. Combining verified and adaptive system components towards more secure computer architectures. In Proceedings of the International Workshop on Computer Architectures to Support Security and Persistence of Information, section 14, pages 1-7, May 1990.

Title:	IDERS
Authors:	INTRINsec, France
Attributes:
URL:
Availability:

No information yet.

Title:	IDES (Intrusion Detection Expert System)
Authors:	SRI International
Attributes:	host based, anomaly and misuse detection
URL:	http://www.csl.sri.com/intrusion.html
Availability:	no longer available

IDES is a real-time intrusion-detection expert system that observes user behavior on a monitored computer system and adaptively learns what is normal for individual users, groups, remote hosts, and the overall system behavior. Observed behavior is flagged as a potential intrusion if it deviates significantly from the expected behavior or if it triggers a rule in the expert-system rule base.

Superceded by NIDES.

References:

Lunt, T., Tamaru, A., Gilham, F., Jagannathan, R., Jalali, C., Neumann, P. G., Javitz, H. S., Valdes, A., Garvey, T. D. A real time Intrusion Detection Expert System (IDES) - Final Report, SRI International, Menlo Park, CA, Feb. 1992.
Javitz, H. S., Valdes, A. The SRI IDES statistical anomaly detector. In Proceedings of the Symposium on Research in Security and Privacy, pages 316-326, May 1991.
Lunt, T. F., Tamaru, A., Gilham, F., Jagannathan, R., Neumann, P. G., Jalali, C. IDES: A Progress Report. In Proceedings of the 6th Annual Computer Security Applications Conference, pages 273-285, Dec. 1990.
Lunt, T. F. IDES: An Intelligent System for Detecting Intruders. In Proceedings of the Symposium: Computer Security, Threat and Countermeasures, Nov. 1990.
Lunt, T. F., Jagannathan, R. A Prototype Real-Time Intrusion Detection Expert System. In Proceedings of the Symposium on Security and Privacy, pages 59-66, Apr. 1988.
Lunt, T. F. Knowledge based Intrusion Detection. In Proceedings of the Annual AI Systems in Government Conference, pages 102-107, March 1989.
Denning, D. E., Neumann, P. G. Requirements and Model for IDES - A Real-Time Intrusion Detection Expert System. Technical Report, Computer Science Laboratory, SRI International, Menlo Park, CA, 1985.

Title:	IDIOT (Intrusion Detection In Our Time)
Authors:	Sandeep Kumar and Eugene H. Spafford, Purdue University
Attributes:	generic (?), misuse detection
URL:	http://www.cs.purdue.edu/coast/coast-tools.html
Availability:	Available to COAST sponsors

IDIOT is Intrusion Detection In Our Time, a project to develop a new approach to efficient misuse detection methods. This work was started by Sandeep Kumar, who recently completed his Ph.D. He designed a new method of employing complex pattern matching to intrusion signatures. His design made use of a new classificatio of intrusion methods based on complexity of matching and temporal characteristics. He also designed a generic matching engine based on colored Petri nets.

References:

Sandeep Kumar and Eugene H. Spafford. A pattern matching model for misuse intrusion detection. In Proceedings of the 17th National Computer Security Conference, pages 11-21, October 1994.

Title:	Inspect
Authors:	CEFRIEL, Milano, Italy
Attributes:
URL:
Availability:

No information yet.

References:

Vigna, G. Inspect: a Lightweight Distributed Approach to Automated Audit Trail Analysis, CEFRIEL, Milano, Italy, unpublished.

Title:	INTOUCH INSA - Network Security Agent
Authors:	Touch Technologies, Inc.
Attributes:	network based, anomaly and misuse detection
URL:	http://www.ttisms.com/tti/nsa_www.html
Availability:	Commercially available

Running on a devoted, high-speed, 64-bit RISC system, INTOUCH INSA reads all network packets, reconstructs all user activity, and scans the activity for possible computer-use policy violations. The scanning is done automatically, in the background, and without any impact on the network. The patterns to be scanned for can be customized by the Network Security Manager.

When a possible policy violation is detected by INTOUCH INSA, the Network Security Manager is alerted. Once alerted, the Network Security Manager can review the incident, and even start a real-time display of the possible violator's session.

INTOUCH INSA's inexpensive and highly effective network intrusion detection capabilities:

are hosted on a single Digital AlphaStation for high-speed, real-time network traffic analysis and session reconstruction
use various detection techniques, including:
- Attack signature recognition
- Anomaly detection
- Source/destination analysis
provide both real-time and retrospective analysis.
allow intrusion alerts to trigger events and take actions.
track and analyze historical incident details.

Title:	ISM
Authors:	University of California at Davis
Attributes:
URL:
Availability:

No information yet.

References:

Heberlein, L. T., Mukherjee, B., and Levitt, K. N. Internet Security Monitor: An Intrusion Detection System for Large-Scale Networks. In Proceedings of the 15th National Computer Security Conference, pages 262-271, October 1992.

Title:	ISOA (Information Security Officer's Assistant)
Authors:	Planning Research Corporation, McLean, VA
Attributes:	multihost based, anomaly and misuse detections
URL:
Availability:

PRC's Information Security Officer's Assistant (ISOA) is a state-of-the-art system for monitoring security relevant behavior in computer networks. The ISOA serves as the central point for real-time collection and analysis of audit information. When an anomalous situation is identified, associated indicators are triggered. The ISOA automates analysis of audit trails, allowing indications and warnings of security threats to be generated in a timely manner such that threats can be countered. The ISOA reduces massive amounts of audit records into a form which is meaningful and readily comprehended. After receipt and normalization of audit records, the ISOA performs analysis in a number of dimensions, including: detection of specified events and/or situations, threshold exceptions, statistical checks, and expert system threat evaluation.

ISOA allows a single designated workstation to perform automated security monitoring, analysis, and warning. Without requiring constant interaction, the ISOA user interface alerts the security officer to a variety of security situations. The security status of the monitored network is represented in graphical and textual form. When unusual or anomalous situations are detected, they are brought to the attention of the security officer who can obtain further information, initiate more involved analysis, and optionally intervene or terminate the situation. Automated responses may be defined, including terminating user sessions, locking user accounts, forcing biometric identification, and shutting down hosts.

References:

Winkler, J. R., Landry, L. C. Intrusion and anomaly detection, ISOA update. In Proceedings of the 15th National Computer Security Conference, pages 272-281, Oct. 1992.
Winkler, J. R. A UNIX Prototype for Intrusion and Anomaly Detection in Secure Networks. In Proceedings of the 13th National Computer Security Conference, pages 115-124, Oct. 1990.
Winkler, J. R., Page, W. J. Intrusion and Anomyly Detection in Trusted Systems. In Proceedings of the 5th Anual Computer Security Applications Conference, pages 39-45.

Title:	ITA (Intruder Alert)
Authors:	AXENT Technologies, Inc.
Attributes:	multihost based, misuse detection
URL:	http://www.axent.com/product/ita/ita.htm
Availability:	Commercially available

See OmniGuard/ITA.

Title:	Kane Security Monitor (KSM)
Authors:	Intrusion Detection, Inc.
Attributes:
URL:	http://www.intrusion.com/products/ksm.htm
Availability:	Commercially available

The Kane Security Monitor (KSM) is an intrusion detection system that provides sophisticated network security monitoring for Windows NT networks. Using artificial intelligence, the KSM identifies both subtle and obvious security violations caused by outside hackers or even inside authorized users. Once a violation has been identified, the System Administrator or Security Officer is alerted with the details.

Features:

Automatically identifies security violations.
Uncovers security break-ins before they occur.
Identifies password guessers, curious users, file browsers, compromised user IDs, password cracking attempts, network doorknob attacks, privileged ID abuse, data flooding, packet browsing and more.
Focuses on sensitive Users, Workstations and Files.
Minimal setup time by using our built-in time saving self-populating database of expert security information.
Security officers, auditors or LAN administrators can be automatically alerted about unauthorized access.
Seamless integration with the Kane Security Analyst, Intrusion Detection's network security assessment product.

The KSM provides an Enterprise-wide centralized collection facility for event logs otherwise stored separately on each machine, and the Automated review of event logs for abuse patterns such as unauthorized activities and suspicious behavior by both outside hackers and inside authorized users. The KSM analyzes NT Security event logs on an enterprise-wide basis. The KSM's agent technology vigilantly monitors NT security event logs on thousands of NT servers and workstations. By using artificial intelligence from Intrusion Detection's proprietary SHADOWARE technology, security event logs are scrutinized for abuse patterns including unauthorized activities and suspicious behavior from outside hackers and inside authorized users. This process automatically turns massive amounts of NT security event log data into concise security information.

References:

Title:	MIDAS (Multics Intrusion Detection and Alerting System)
Authors:	National Computer Security Center, Ft. Meade, MD
Attributes:	host based, anomaly and misuse detection
URL:
Availability:

The Multics Intrusion Detection and Alerting System (MIDAS) is an expert system which provided real-time intrusion and misuse detection for the National Computer Security Center's networked mainframe, Dockmaster, a Honeywell DPS-8/70 Multics. The basic design of MIDAS was heavily influenced by the intrusion detection research of Dorothy Denning and Peter Neumann of SRI International. They proposed that statistical analysis of computer system activities could be used to characterize normal system and user behavior. Given such statistical profiles, user or system activity that deviates beyond certain bounds should be detectable. MIDAS has been developed to employ this basic concept in its evaluation of the audited activities of more than 1200 Dockmaster users.

References:

Sebring, M. M., Sellhouse, E., Hanna, M. E., Whitehurst, R. A. Expert system in intrusion detection: A case study. In Proceedings of the 11th National Computer Security Conference, pages 74-81, Oct. 1988.

Title:	NADIR (Network Anomaly Detection and Intrusion Reporter)
Authors:	Los Alamos National Laboratory
Attributes:	network based
URL:	http://www.c3.lanl.gov/~gslentz/nadirTemplate.shtml
Availability:

NADIR is a rules-based expert system developed at Los Alamos to automatically detect intrusion attempts and other security anomalies on its large supercomputer network. In addition to monitoring the Cray supercomputer systems, NADIR also monitors network authentication (Kerberos) and mass file storage activity (Common File System). A client-server model is used, with Unix-based workstations running Sybase providing the server application platform. Profiles and event history are maintained for each monitored system and for individual users, and rules are applied to these profiles to detect anomalous activities.

This technology is currently being applied for fraud detection in electronic tax return filing for the IRS. It is also successfully being applied in the commercial sector to aid in credit card fraud detection.

References:

Hochberg, J., Jackson, K., Stallings, C., McClary, J., DuBois, D., Ford, J. NADIR: An automated system for detecting network intrusions and misuse. Computers and Security 12(1993)3, May, pages 253-248.
Jackson, K. A. NADIR: A Prototype System for Detecting Network and File System Abuse. In Proceedings of the 7th European Conference on Information Systems, Nov. 1992.
Jackson, K., DuBois, D. H., Stallings, C. A. An expert system application for network intrusion detection. In Proceedings of the 14th National Computer Security Conference, pages 215-225, Oct. 1991.

Title:	NAURS (Network Auditing Usage Reporting System)
Authors:	SRI International
Attributes:
URL:
Availability:

No information yet.

References:

Neumann, P. G., Ostapik, F. Audit Trail Analysis and Usage Data Collection and Processing, Part 2, Computer Science Laboratory, SRI International, May 1987.
Neumann, P. G. Audit trail analysis and usage data collection and processing, Part 1. Computer Science Laboratory, SRI International, Jan. 1985.

Title:	NetRanger
Authors:	WheelGroup, Inc., San Antonio, TX
Attributes:	network based, misuse detection
URL:	http://www.wheelgroup.com/netrangr/1netrang.html
Availability:	Commercially available

NetRanger allows data to flow freely while analyzing it bi-directionally for misuse. When the content or context of network traffic indicates suspicious activity from either a trusted or unauthorized user, NetRanger automatically denies access to the intruder and reports details of the intrusion to a centralized management system. Simultaneously, the NetRanger field unit sends a real-time attack notification to network operations personnel over a secure virtual private network. Details regarding the attack, including type and the last link of its electronic point of origin, are immediately made available to monitoring personnel and logged into a centralized database. NetRanger also provides traffic control features and valuable network usage analysis showing how a network is being used and revealing potential network configuration errors. Real-time monitoring of the system can be either outsourced to a third party or conducted in-house using HP OpenView. Once a NetRanger is installed, users may adopt a truly "hands off" approach since configuration changes and software updates are performed remotely. Highly configurable, the NetRanger can be modified to fit a client's security policy and provide unmatched, large-scale control of a client's electronic perimeter.

The NetRanger intrusion detection engine uses signature recognition, which can be either context- or content-oriented. Context-oriented attack signatures consist of known network service vulnerabilities that can be detected by inspecting packet headers. These include SATAN, source routing, and IP spoofing attack profiles. Content-oriented signatures require the inspection of data fields within a packet to determine if an attack or policy violation has occurred at the application level. These include sendmail and Web attack profiles. Content monitoring also allows NetRanger to be customized to specific operational or business requirements by creating unique character string profiles.

NetRanger consists of one or more sensors, a secure communications channel, and a management system. The sensor is called the NSX. It is a plug-and-play device installed between a trusted and an untrusted network, and provides the automated intrusion detection and response functionality, concentrating this powerful feature at the point(s) of attack. The communications channel is based on a proprietary, fault tolerant, point-to-point protocol that connects one or more NSX sensors to the management system. Information is transmitted via an encrypted sleeve with a user-configurable set of encryption algorithm options. It also transports secure configuration and diagnostic information to a remote NSX and provides real-time alarms and incident data back to the management system. The management system is called the Director. It has a graphical user interface (GUI) for reporting NSX alarms and managing configurations. It logs all incidents, provides DBMS staging, and lets customers create historical and trend reports. Each Director can monitor and control more than 100 remote NSX sensors.

Title:	NetStalker
Authors:	Haystack Laboratories, Inc., Austin, TX
Attributes:	host and network based, misuse detection
URL:	http://www.haystack.com/netstalk.htm
Availability:	Commercially available

NetStalker is a real-time analysis program that identifies network attacks and attempts to exploit protocol vulnerabilities. NetStalker does this by comparing information gathered from router event reports against Haystack Labs' extensive misuse signature database.

NetStalker runs continuous checks on your network. When it detects a security breach, it immediately closes the connection from the offending host and alerts the system administrator via pager, SNMP, or email. A hard copy report is created for archiving and review.

NetStalker allows you to:

Block Internet connections by IP address, protocol, port or more detailed criteria.
Watch failed and active connections in real-time.
Report to the console, send email, or trigger a network management alarm based on user-defined security criteria.
Shut down connections from sites that are attacking you.

Title:	NetSTAT (Network-based State Transition Analysis Tool)
Authors:	University of California at Santa Barbara
Attributes:	multihost based, misuse detection
URL:	http://www.cs.ucsb.edu/~kemm/netstat.html
Availability:

Further development of USTAT.

References:

Title:	NICE
Authors:	University of New Mexico
Attributes:
URL:
Availability:

No information yet.

References:

Heady, R., Luger, G., Macabe, A., Servilla, M., and Sturtevant, J. A prototype implementation of a network-level intrusion detection system. Technical Report CS91-11, Department of Computer Science, University of New Mexico, May 1991.
Heady, R., Luger, G., Macabe, A., and Servilla, M. The architecture of a network level intrusion detection system, Technical Report CS90-20, Department of Computer Science, University of New Mexico, Aug. 1990.

Title:	NID (Network Intrusion Detector)
Authors:	Computer Security Technology Center, Lawrence Livermore National Laboratory
Attributes:	network based, anomaly and misuse detection
URL:	http://ciac.llnl.gov/cstc/nid/niddes.html
Availability:	Available free of charge to DOE and DoD organizations and contractors only.

Provides a suite of security tools that detects and analyzes network intrusion. NID provides detection and analysis of intrusion from individuals not authorized to use a particular computer and from individuals allowed to use a particular computer, but who perform either unauthorized activities or activities of suspicious nature on it.

Note that NID was formerly known as the Network Security Monitor (NSM) and was originally developed at the University of California at Davis.

References:

L. Todd Heberlein, Gihan V. Dias, Karl N. Levitt, Biswanath Mukherjee, Jeff Wood, and David Wolber. A network security monitor. In Proceedings of the 1990 IEEE Symposium on Research in Security and Privacy, pages 296-304, May 1990.

Title:	NIDES (Next-Generation Intrusion-Detection Expert System)
Authors:	SRI International
Attributes:	multihost based, anomaly and misuse detection
URL:	http://www.csl.sri.com/nides/index.html
Availability:	Commercially available?

NIDES operates in real time to detect intrusions as they occur. It is a comprehensive system comprised of innovative statistical algorithms applied to system-level audit trails for the purpose anomaly detection, as well as an expert system that encodes known intrusion scenarios.

To date, NIDES has been used to monitor computer users by examining audit trail information using a custom nonparametric statistical component as well as a rule-based component. In the paradigm explored the subject considered up to now have been computer users. For the present study, the methodology is adapted to consider applications as subjects. This directly addresses the stated goal of monitoring usage to detect unauthorized use of applications or application classes on restricted systems. With recent changes in export restrictions, this goal is perhaps less urgent now than when the study was undertaken. Nonetheless, the methodology as adapted here is useful in the detection of Trojan horses and other masquerading applications.

NIDES is a continuation of the IDES project.

References:

Anderson, D., Lunt, T. F., Javitz, H., Tamaru, A., Valdes, A. Detecting Unusual Program Behavior Using the Stastistical Component of the Next-generation Intrusion Detection Expert System (NIDES), SRI-CSL-95-06, SRI International, Menlo Park, CA, May 1995.
Anderson, D., Frivold, Th., Valdes, A. Next-generation Intrusion Detection Expert System (NIDES): A Summary, SRI-CSL-95-07, SRI International, Menlo Park, CA, May 1995.
Teresa F. Lunt and R. Jagannathan. A prototype real-time intrusion-detection expert system. In Proceedings of the IEEE Symposium on Security and Privacy, pages 59-66, April 1988.
Teresa F. Lunt. IDES: An intelligent system for detecting intruders. In Proceedings of the Symposium: Computer Security, Treat and Countermeasures, November 1990.

Title:	NIDX (Network Intrusion Detection eXpert system)
Authors:	Bell Communications Research, Inc., Piscataway, NJ
Attributes:
URL:
Availability:

No information yet.

References:

Bauer, D. S., Koblentz, M. E. NIDX - An expert system for real-time network intrusion detection. In Proceedings of the IEEE Computer Networking Symposium, pages 98-106, April 1988.

Title:	NSM (Network Security Monitor)
Authors:	University of California at Davis
Attributes:	network based, anomaly and misuse detection
URL:
Availability:

Superceded by NID.

References:

Heberlein, L. T., Levitt, K. N., Mukherjee, B. A method to detect intrusive activity in a networked environment. In Proceedings of the 14th National Computer Security Conference, pages 362-371, Oct. 1991.
Heberlein, L. T., Dias, G. V., Levitt, K. N., Mukherjee, B., Wood, J. Networks Attacks and an Ethernet-based Network Security Monitor. In Proceedings of the 13th DOE Security Group Conference, May 1990.
Heberlein, L. T., Dias, G. V., Levitt, K. N., Mukherjee, B., Wood, J., Wolber, D. A Network Security Monitor. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 296-304, May 1990.

Title:	OmniGuard/ITA (OmniGuard/Intruder Alert)
Authors:	AXENT Technologies, Inc.
Attributes:	multihost based, misuse and anomaly detection
URL:	http://www.axent.com/product/ita/ita.htm
Availability:	Commercially available.

ITA detects intruders by rule or by exception. ITA is a rules engine, it processes the inputs it receives based on rules applied to the systems it is monitoring. Some rules may be designed to look at a specific sequence of events, called "footprints." If a particular footprint is detected, ITA can be programmed to take action to prevent any damage from occurring. Other rules detect behavioral anomalies within the system. These rules filter out normal activities, leaving the exceptions to be acted upon or investigated as needed. This anomaly type detection is often referred to as norm-based detection, or "baselining."

ITA is deployed in three pieces, an interface console, a manager and an agent. The interface and manager act as a configuration engine, allowing the user to easily configure the rules. Agents are intelligent processes or daemons that run on the local systems, executing the rules as configured by the user. Agents are registered to managers to provide a secure communications path. If a number of agents are registered to a manager, these agents can be organized into multiple domains. ITA can also monitor SNMP traps from other applications, such as management frameworks, firewalls and router systems. As well, ITA for NetWare receives event information directly from the operating system for performance reasons.

ITA can either generate internal reports from the ITAView Monitoring Console or it can output to a database. Included with ITA is a relational database called ITAGraph that runs on Windows based systems. This database has utilities for importing ITA output plus several pre-built reports, charts and graphs. ITA can filter logs at the agent level, consolidate them to a central location and purge or archive them based on a pre-set schedule. Additionally, log entries are formatted in a human readable format. They can be sent to a monitoring console where they are prioritized and displayed based on their importance.

Platforms supported: Solaris 2.4, 2.5 on SPARC; AIX 3.2.5, 4.1 on RS/6000 and PowerPC; HP/UX 9.05, 10.01 on PA/RISC; SunOS 4.1.3, 4.1.4 on SPARC; OSF/1 3.0 on Alpha; Digital Unix 3.2 on Alpha; IRIX 5.3, 6.2 on MIPS; NCR 2.3, 3.0 on Intel; Motorola SVR3.2, SVR4.2 (agent only) ; Sequent DYNIX/ptx versions 4.13, 4.14 and 4.2 (agent only); Windows 3.1 (GUI only); Windows 95 (GUI only); Windows NT 3.51 and 4.0 on Intel; NetWare 4.1 (manager and agent only); NetWare 3.12 (manager and agent only).

Title:	PDAT (Protocol Data Analysis Tool)
Authors:	Siemens AG, Munich, Germany
Attributes:
URL:
Availability:

No information yet.

References:

Weiss, W. R. E. and Baur, A. Analysis of audit and protocol data using methods from artificial intelligence. In Proceedings of the 13th National Computer Security Conference, pages 109-114, October 1990.

Title:	POLYCENTER Security ID (POLYCENTER Security Intrusion Detector)
Authors:	Digital Equipment Corporation
Attributes:	host based, misuse detection
URL:	http://www.digital.com/info/security/id.htm
Availability:	No longer available

POLYCENTER Security Intrusion Detector (POLYCENTER Security ID) is a real-time security monitoring application developed by Digital Equipment Corporation. It performs knowledge-based analysis of audit data to recognize and respond to simple security-relevant events. Violations such as attempted logins, unauthorized access to files, illegal setuid programs, and unauthorized audit modifications are automatically detected and acted upon.

Most security breaches involve a series of actions. Instead of looking at each action individually, POLYCENTER Security ID looks at the whole picture. Using a case method modeled after criminal investigations, POLYCENTER Security ID assigns an agent to monitor the suspect and file evidence to the case. By analyzing each security event within the context of a case, POLYCENTER Security ID can distinguish between real threats and innocent behavior and, therefore, POLYCENTER Security ID will not kick legitimate users off the system or trigger false alarms.

POLYCENTER Security ID can be configured to take countermeasures against intruders without human intervention. Security managers can work from the Manager's Graphical User Interface or from the command line.

POLYCENTER Security ID supports monitoring a single host running OpenVMS, Digital UNIX (OSF/1), Ultrix, or SunOS. It is a component of a larger set of security management applications in the POLYCENTER family, including POLYCENTER Security Compliance Manager, POLYCENTER Security Console, and POLYCENTER Security Reporting Facility.

POLYCENTER Security Intrusion Detector was formerly known as DECinspect.

Title:	RealSecure
Authors:	Internet Security Systems, Inc., Atlanta, GA
Attributes:	network based, misuse detection
URL:	http://www.iss.net/prod/rs.html
Availability:	Commercially available

RealSecure is a real-time attack recognition and response system for networks. RealSecure analyzes packets of information as they travel across the network without any loss of network performance. RealSecure knows how to interpret hostile attacks on the network by understanding the vulnerabilities they target. Once a vulnerability is exploited or intrusion is recognized, the administrator is alerted via email or paging. The series of events can be recorded, saved to a file, the connection can be terminated or RealSecure can trigger any other user defined response.

Current Features:

TCP/UDP Connection Triggering
- By IP source/destination address and mask
- By protocol
- By source/destination port
Attack Signature Triggering
- Host not responding to connection attempts
- Duplicate IPs
- Ping flooding
- TCP Half-Open scan
- Unknown IP protocol
- Source routed connections
- Identd returning bad replies (newlines, overflows)
- Rlogin and Rsh user/password/command, -froot check
- Rexec: user, passwd
- Sendmail: to user, from user, subject, vrfy, expn
  - pipe bug attempts
  - decode attempts
  - WIZ attempts
  - DEBUG attempts
- RIP: route changes
- FTP: user/passwd, filename for get or put
  - site exec attempts
  - cwd ~root attempts
- POPmail: user/passwd
- HTTP: web traffic logging
  - PHF attempts
- RPC logging
  - rexd
  - rwalld
  - admind
  - bootparam
  - statd
  - pcnfsd
  - ypupdated
Responses (activated by a TCP/UDP Connection or Attack Signature)
- Ignore this event
- Display this connection's data in a terminal window
- Kill this connection (TCP only)
- Log the connection's raw data to a file (TCP/UDP/ICMP)
- Log the connection's textual data to a file (TCP/UDP/ICMP)
- Decode the event and pass the data to:
  - a file
  - an administrator via email
  - standard input of a custom user program
Reporting
- Play back logged data in a terminal window (Raw Logs only)
Availability:
- SunOS 4.1.X
- Solaris 2.3 and higher
- Linux (kernel versions 1.3 and higher)

Title:	RETISS (REal-TIme expert Security System)
Authors:	University of Milano, Italy
Attributes:
URL:
Availability:

No information yet.

References:

Carettoni, F., Castano, S., Martella, G., Samaratti, P. RETISS: A Real Time Security System for Threat Detection using Fuzzy Logic. In Proceedings of the 25th Annual IEEE International Carnahan Conference on Security Technology, pages 161-167, Oct. 1991.

Title:	SAINT (Security Analysis INtegration Tool)
Authors:	National Autonomous University of Mexico
Attributes:	multihost based, misuse detection
URL:
Availability:

SAINT is a data analysis tool that can be used as a simple intrusion detection system to increase security on a UNIX system. By collecting data from many different sources into a single place, the tool allows for integrated analysis of the data for detection of problems that may otherwise go undiscovered. After SAINT homogenizes the data into a common data format, the events are analyzed to detect relationships that may indicate possible problems. The current version of SAINT produces all reports in Spanish.

References:

Diego M. Zamboni. SAINT: A security analysis integration tool. In Proceedings of the Systems Administration, Networking and Security Conference, May 1996.

Title:	SecureNet PRO
Authors:	MimeStar, Inc.
Attributes:
URL:	http://www.mimestar.com/
Availability:	Commercially available

SecureNet PRO combines several key technologies, including session monitoring, firewalling, hijacking, and keyword-based intrusion detection. Once set up, SecureNet PRO automatically watches everything that goes on in a network. Hacking attempts are detected and responded to in real-time, using SecureNet's advanced integrated intrusion detection system. Suspicious connections can be automatically killed or logged for later playback. Also, network administrators can be notified of all suspicious events via e-mail.

SecureNet PRO also offers advanced intrusion response, using a technique known as TCP hijacking. Hijacking allows the administrator to instantly seize the connection of any user on his local area network. The user remains completely locked out while the administrator performs actions such as damage control or evidence collection.

References:

Title:	SIDS (Statistical Intrusion Detection System)
Authors:	SRI International
Attributes:	host based, anomaly detection
URL:
Availability:

No information yet.

References:

Javitz, H. S., Denning, D. E., Neumann, P. G. Analytical techniques development for a Statistical Intrusion Detection System (SIDS) based on accounting records. SRI International, Menlo Park, CA, July 1986, not available for distribution.

Title:	Stake Out
Authors:	Harris Computer Corporation
Attributes:
URL:	http://www.stakeout.harris.com/
Availability:	Commercially available

Stake Out is an intelligent agent designed to monitor TCP/IP based network for suspicious behavior. It provides the ability to monitor a network segment from a single location providing alert and logging capabilities for all systems attached.

References:

Stake Out Network Surveillance White Paper, Harris Computer Corp.

Title:	Stalker
Authors:	Haystack Laboratories, Inc., Austin, TX
Attributes:	multihost based, misuse detection
URL:	http://www.haystack.com/stalk.htm
Availability:	Commercially available

Stalker is a commercial UNIX system security monitoring tool developed by Haystack Laboratories. Stalker identifies intruders and internal misuse by analyzing audit trail data and reporting on suspicious user and system activities. A misuse detector analyzes the audit trail data looking for events that correspond to known attack techniques or known system vulnerabilities. A querying and reporting facility reduces the volume of audit trail data to find only the audit records of interests. The collection and storage of audit trails from multiple UNIX systems is managed on a single server by an audit control and storage manager. Stalker is available for Sun, IBM, and HP UNIX systems.

Stalker was originally known as Haystack.

References:

Smaha, S. E., Winslow, J. Misuse detection tools. Computer Security Journal 10(1994)1, Spring, pages 39-49.

Title:	STAT (State Transition Analysis Tool)
Authors:	Phil Porras, University of California at Santa Barbara
Attributes:	host based, misuse detection
URL:
Availability:

The State Transition Analysis Tool (STAT) is an advanced rule-based expert system that analyzes the audit trails of multi-user computer systems in search of impending security violations. STAT represents state transition diagrams within its rule-base and uses them to seek out those state transitions within the target system that correspond to known penetration scenarios. Unlike comparable analysis tools that pattern match sequences of audit records to the expected audit trails of known penetrations, STAT rules focus on the effects that the individual steps of a penetration have on the state of the computer system. The resulting rule-base is not only more intuitive to read and update than current penetration rule-bases, but also provides greater functionality to detect impending compromises.

Superceded by USTAT.

References:

Porras, P. STAT - A State Transition Analysis Tool for Intrusion Detection. Technical Report TRCS93-25, Computer Science Department, University of California at Santa Barbara, November 1993.

Title:	Swatch
Authors:	Stephen Hansen and Todd Atkins, Stanford University
Attributes:	multihost based, limited misuse detection
URL:
Availability:	Public domain

Swatch (Simple WATCHer) is a program for UNIX system logging and management developed at the Electrical Engineering Computer Facility at Stanford University. Swatch was designed to keep system administrators from being overwhelmed by large quantities of log data. It monitors log files and acts to filter out unwanted data and take one or more simple user specified actions based upon patterns in the log. Swatch can monitor information as it is being appended to a log file and alert system administrators immediately to serious system problems as they occur.

References:

Stephen E. Hansen and Todd Atkins. Automated system monitoring and notification with Swatch. In Proceedings of the USENIX Systems Administration (LISA VII) Conference, pages 145-155, November 1993.

Title:	TIM (Time-based Inductive Machine)
Authors:	University of Illinois at Urbana-Champaign
Attributes:
URL:
Availability:

No information yet.

References:

Teng, H. S., Chen, K., Lu, S. C. Security audit trail analysis using inductively generated predictive rules. In Proceedings of the 6th Conference on Artificial Intelligence Applications, pages 24-29, May 1990.
Teng, H. S., Chen, K., Lu, S. C. Adaptive real-time anomaly detection using inductively generated sequential patterns. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 278-284, May 1990.

Title:	UNICORN (Unicos Realtime NADIR)
Authors:	Los Alamos National Laboratory
Attributes:
URL:	http://www.EnGarde.com/~mcn/unicorn.html
Availability:

UNICORN (Unicos Realtime NADIR) is an expansion on the NADIR project. Unicorn will accept audit logs from Unicos (Cray Unix), Kerberos, and our common file system, then analyze them and attempt to detect intruders in realtime. Because Unicorn was designed for Kerberos and Unix, the design can be applied to many other network configurations.

References:

Christoph, G. G., Jackson, K. A., Neumann, M. C., Siciliano, Ch. L. B., Simmonds, D. D., Stallings, C. A., Thompson, J. L. UNICORN: Misuse Detection for UNICOS. Proceedings of Supercomputing '95.
Jackson, K., Neumann, M., Simmonds, D., Stallings, C., Thompson, J., Christoph, G. An Automated Computer Misuse Detection System for UNICOS. Proceedings of the Cray Users Group Conference, Oct. 1994.

Title:	USTAT (State Transition Analysis Tool for UNIX)
Authors:	Koral Ilgun, University of California, Santa Barbara
Attributes:	host based, misuse detection
URL:	http://www.cs.ucsb.edu/TRs/TRCS93-26.html
Availability:

USTAT is the first prototype of the STAT model, in particular for SunOS 4.1.1. USTAT makes use of the audit trails that are collected by the C2 Basic Security Module of SunOS and it keeps track of only those critical actions that must occur for the successful completion of the penetration. This approach differs from other rule-based penetration identification tools that pattern match sequences of audit records.

Jonathan Wood has ported USTAT to Solaris 2.x, and is currently investigating approaches to a distributed intrusion detection system using USTAT. This system will collect data from multiple hosts on a network and process the data as a unified audit trail. Other research directions include incorporating USTAT with other IDS which complement its capabilities (i.e. anomaly detection systems), and expanding its auditing capabilities to take advantage of the extra information gleaned from gathering audit data from networked machines.

References:

Ilgun, K. USTAT - A Real-time Intrusion Detection System for UNIX. Technical Report TRCS93-26, Computer Science Department, University of California at Santa Barbara, December 1993.

Title:	Watcher
Authors:	Kenneth Ingham, University of New Mexico
Attributes:
URL:
Availability:

A configurable and extensible system monitoring tool that issues a number of user-specified commands, parses the output, checks for items of significance, and reports them to the system administrator.

Title:	WebStalker Pro
Authors:	Haystack Laboratories, Inc., Austin, TX
Attributes:	host based, misuse detection
URL:	http://www.haystack.com/webstalk.htm
Availability:	Commercially available

WebStalker Pro is a version of Stalker that has been customized for use on World Wide Web servers. In addition to Stalker's features, WebStalker Pro checks for illegal termination of the web server, or an attempt to modify its content. In reaction, WebStalker Pro can do everything that Stalker can, and also restart the web server software.

References:

Title:	Wisdom and Sense
Authors:	Los Alamos National Laboratory, Oak Ridge National Laboratory
Attributes:	host based, anomaly detection
URL:
Availability:

No information yet.

References:

Liepins, G. E., Vaccaro, H. S. Intrusion Detection: Its role and validation. Computers & Security 11/1992, pages 347-355.
Liepins, G. E., Vaccaro, H. S. Anomaly detection purpose and framework. In Proceedings of the 12th National Computer Security Conference, pages 495-504, Oct. 1989.
Vaccaro, H. S., Liepins, G. E. Detection of anomalous computer session activity. In Proceedings of the Symposium on Research in Security and Privacy, pages 280-289, May 1989.