Intrusion detection has traditionally been performed at the operating system (OS) level by comparing expected and observed system resource usage. OS intrusion detection systems (OSIDS) can only detect intruders, internal or external, who perform specific system actions in a specific sequence or those intruders whose behavior pattern statistically varies from a norm. Internal intruders are said to comprise at least fifty percent of intruders {ODS99}, but OS intrusion detection systems are frequently not sufficient to catch such intruders since they neither significantly deviate from expected behavior nor perform the specific intrusive actions, because they are already legitimate users of the system. We hypothesize that application-specific intrusion detection systems can use the semantics of the application to detect more subtle, stealth-like attacks such as those carried out by internal intruders who possess legitimate access to the system and its data and act within their bounds of normal behavior, but who are actually abusing the system. To test this hypothesis, we developed two extensive case studies to explore what opportunities exist for detecting intrusions at the application level, how effectively an application intrusion detection system (AppIDS) can detect the intrusion, and the possibility of cooperation between an AppIDS and an OS IDS. In particular, an AppIDS can observe the monitored system with a higher resolution of observable entities than an OS IDS, allowing tighter thresholds to be set for the AppIDS' relations that differentiate normal and anomalous behavior, thereby improving the overall effectiveness of the IDS. We also investigated the possibility of cooperation between an OS IDS and an AppIDS. From this exploration, we developed a high-level bi-directional communication interface in which one IDS could request information from the other IDS, which could respond accordingly.
Finally, we explored a possible structure of an AppIDS to determine which components were generic enough to use for multiple AppIDS. Along with these generic components, we also explored possible tools to assist in the creation of an AppIDS.
The design of authentication protocols has proven to be surprisingly error prone. We suggest that this is partly due to a language problem. The objectives of entity authentication are usually given in terms of human encounters while we actually implement message passing protocols. We propose various translations of the high level objectives into a language appropriate for communication protocols. In addition, protocols are often specified at too low a level of abstraction. We will argue that encryption should not be used as a general primitive as it does not capture the specific purpose for using a cryptographic function in a particular protocol.
Suppose that Bob has a database D and that Alice wants to perform a search query q on D (e.g.,
We present a formal model of security monitoring that distinguishes two different methods of recording information (logging) and two different methods of analyzing information (auditing). From this model we draw implications for the design and use of security monitoring mechanisms. We then apply the model to security mechanisms for statistical databases, monitoring mechanisms for computer systems, and backups, to demonstrate the model's usefulness.
Intrusion detection systems have usually been developed using large host-based components. These components impose an extra load on the system where they run (sometimes even requiring a dedicated system) and are subject to tampering or disabling by an intruder. Additionally, intrusion detection systems have usually obtained information about host behavior through indirect means, such as audit trails or network packet traces. This potentially allows intruders to modify the information before the intrusion detection system obtains it, making it possible for an intruder to hide his activities. In this document I propose work that will attempt to show that it is possible to perform intrusion detection using small sensors embedded in a computer system. These sensors will look for signs of specific intrusions. They will perform target monitoring by observing the behavior of the system directly, instead of through an audit trail or other indirect means. Furthermore, by being built into the code of the operating system and its programs, they may not impose a considerable extra load on the host they monitor. I will also explore the possibility of applying a group of sensors built to detect known intrusions, to detecting new intrusions. If this is shown to be possible, it would be a step towards determining the types of data that need to be collected to successfully detect new intrusions. The work I propose is divided into four stages: a) building the necessary infrastructure for the implementation of the sensors, b) implementing sensors for detecting known intrusions, c) testing new attacks against the group of implemented sensors, and d) performing analysis on the data obtained in step (c) to determine if the existing sensors can be used to detect new attacks.
This poster presents a new approach and a tool to protect freely distributed software applications against unauthorized usage. The approach aims to provide an optimal degree of security while simultaneously maintaining an acceptable performance level. The tool demonstrates that the new approach, combined with powerful smartcards with high processing and storage capacity, permits the implementation of a practical software protection system where decryption and execution of software fragments are handled by the smartcard, and no longer by the host.
We describe Bro, a stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder's traffic transits. We give an overview of the system's design, which emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility. To achieve these ends, Bro is divided into an "event engine" that reduces a kernel-filtered network traffic stream into a series of higher-level events, and a "policy script interpreter" that interprets event handlers written in a specialized language used to express a site's security policy. Event handlers can update state information, synthesize new events, record information to disk, and generate real-time notifications via syslog. We also discuss a number of attacks that attempt to subvert passive monitoring systems and defenses against these, and give particulars of how Bro analyzes the four applications integrated into it so far: Finger, FTP, Portmapper and Telnet. The system is publicly available in source code form.
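The mechanism/policy split the Bro abstract describes can be illustrated with a small event-driven pipeline. The following is an added example written for this page, not Bro's code and not its policy language: an engine reduces constructed packet summaries into protocol-level events, and policy handlers registered on those events keep state, synthesize a new event, and raise notifications. The event names, the record format, the sample traffic and the `run_policy` helper are all assumptions made here.

```python
"""Toy event engine with policy handlers, in the spirit of the Bro design.
Added illustration; every event name, record and address is constructed."""
from collections import defaultdict

# Constructed "kernel-filtered" packet summaries: (src, dst, dport, payload).
PACKETS = [
    ("10.0.0.5", "10.0.0.1", 79, "root\r\n"),        # finger query for root
    ("10.0.0.5", "10.0.0.1", 23, "login: guest"),     # telnet login
    ("10.0.0.5", "10.0.0.1", 23, "login: root"),
    ("10.0.0.7", "10.0.0.1", 21, "USER anonymous"),   # ftp
    ("10.0.0.5", "10.0.0.1", 21, "USER root"),
]


class EventEngine:
    """Mechanism: turns low-level packets into higher-level, protocol-aware
    events and dispatches them to whatever handlers policy has registered."""

    def __init__(self):
        self.handlers = defaultdict(list)
        self.notifications = []

    def on(self, event):
        """Decorator that registers a policy handler for an event name."""
        def register(fn):
            self.handlers[event].append(fn)
            return fn
        return register

    def emit(self, event, **fields):
        for fn in self.handlers[event]:
            fn(self, **fields)

    def notify(self, msg):
        self.notifications.append(msg)      # stand-in for a syslog message

    def feed(self, packets):
        """Protocol decoding lives here, not in policy."""
        for src, dst, dport, payload in packets:
            if dport == 79:
                self.emit("finger_request", src=src, user=payload.strip())
            elif dport == 23 and payload.startswith("login: "):
                self.emit("telnet_login", src=src, user=payload[7:])
            elif dport == 21 and payload.startswith("USER "):
                self.emit("ftp_user", src=src, user=payload[5:])


def run_policy(packets):
    """Policy: site rules expressed as handlers. Returns per-source counts of
    probes against the root account and the notifications raised."""
    engine = EventEngine()
    root_probes = defaultdict(int)         # state kept across events

    @engine.on("finger_request")
    def finger(eng, src, user):
        if user == "root":
            eng.emit("sensitive_account_probe", src=src, via="finger")

    @engine.on("telnet_login")
    def telnet(eng, src, user):
        if user == "root":
            eng.emit("sensitive_account_probe", src=src, via="telnet")

    @engine.on("ftp_user")
    def ftp(eng, src, user):
        if user == "root":
            eng.emit("sensitive_account_probe", src=src, via="ftp")

    # Synthesized event: the three protocol handlers funnel into one rule.
    @engine.on("sensitive_account_probe")
    def probe(eng, src, via):
        root_probes[src] += 1
        if root_probes[src] >= 2:
            eng.notify(f"{src}: repeated root probes (latest via {via})")

    engine.feed(packets)
    return dict(root_probes), engine.notifications


if __name__ == "__main__":
    counts, notes = run_policy(PACKETS)
    print(counts)
    for n in notes:
        print("NOTICE", n)
```

Changing what counts as suspicious (the `probe` handler, or the threshold of 2) touches only policy; changing how telnet or FTP are decoded touches only `feed`. That separation is the property the abstract highlights, and it is also what lets a site tune its rules without re-validating the decoding code.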
Traditional computer security has often emphasized prevention, and to a lesser degree, the detection of system security violations. However, it is recognized that the forensic aspect to the overall model of computer security is equally as important. The area of computer forensics lends itself heavily to the response to a criminal violation that has already occurred on a system. This paper views a forensic application within the framework of Intrusion Detection and details work accomplished on a prototype anomaly Intrusion Detection system.
We discuss the KDD process in "data-flow" environments, where unstructured and time dependent data can be processed into various levels of structured and semantically-rich forms for analysis tasks. Using network intrusion detection as a concrete application example, we describe how to construct models that are both accurate in describing the underlying concepts, and efficient when used to analyze data in real-time. We present procedures for analyzing frequent patterns from lower level data and constructing appropriate features to formulate higher level data. The features generated from various levels of data have different computational costs (in time and space). We show that in order to minimize the time required in using the classification models in a real-time environment, we can exploit the "necessary conditions" associated with the low-cost features to determine whether some high-cost features need to be computed and the corresponding classification rules need to be checked. We have applied our tools to the problem of building network intrusion detection models. We report our experiments using the network data provided as part of the 1998 DARPA Intrusion Detection Evaluation program. We also discuss our experience in using the mined models in NFR, a real-time network intrusion detection system.
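The "necessary conditions" idea in the abstract is easiest to see in code. The following is an added example written for this page, not the paper's tools or its mined rules: each rule pairs a low-cost test on fields available per connection with a high-cost test on features that require scanning a window of recent connections, and the window scan is performed only when at least one rule's cheap necessary condition holds. The rules, thresholds, feature names and the connection records are constructed for the example (the `ecr_i` service and `S0` flag names follow the 1998 DARPA/KDD feature naming, but no record below is real data).

```python
"""Two-tier rule evaluation: cheap necessary conditions gate costly features.
Added illustration; rules, thresholds and records are all constructed."""
from collections import deque

# Constructed connection summaries carrying only the cheap, per-connection
# fields.  Three web connections, a burst of ICMP echo requests to one host,
# a burst of half-open connections to another, then two more web connections.
RECORDS = (
    [{"dst": "10.0.0.1", "service": "http",    "flag": "SF"}] * 3
    + [{"dst": "10.0.0.1", "service": "ecr_i",   "flag": "SF"}] * 6
    + [{"dst": "10.0.0.2", "service": "private", "flag": "S0"}] * 6
    + [{"dst": "10.0.0.3", "service": "http",    "flag": "SF"}] * 2
)


class TwoTierClassifier:
    """Each rule = (label, necessary condition on cheap fields,
    test on costly window features).  The window features are built at most
    once per record, and only if some rule's necessary condition is true."""

    def __init__(self, window=5):
        self.history = deque(maxlen=window)   # recent connections (costly to scan)
        self.costly_evaluations = 0           # how often window features were built
        self.rules = [
            ("smurf",   lambda r: r["service"] == "ecr_i",
                        lambda f: f["same_dst"] >= 4),
            ("neptune", lambda r: r["flag"] == "S0",
                        lambda f: f["s0_rate"] > 0.5),
        ]

    def _window_features(self, rec):
        """High-cost features: statistics over the recent-connection window."""
        self.costly_evaluations += 1
        same = [h for h in self.history if h["dst"] == rec["dst"]]
        s0 = sum(1 for h in same if h["flag"] == "S0")
        return {"same_dst": len(same),
                "s0_rate": s0 / len(same) if same else 0.0}

    def classify(self, rec):
        label = "normal"
        # Tier 1: cheap necessary conditions select candidate rules.
        candidates = [r for r in self.rules if r[1](rec)]
        if candidates:
            # Tier 2: pay for the window scan only now, and only once.
            feats = self._window_features(rec)
            for name, _, costly_test in candidates:
                if costly_test(feats):
                    label = name
                    break
        self.history.append(rec)
        return label


def run(records):
    """Classify a record stream; return the labels and how many times the
    costly features had to be computed (a naive evaluator would compute
    them once per record)."""
    clf = TwoTierClassifier()
    labels = [clf.classify(r) for r in records]
    return labels, clf.costly_evaluations


if __name__ == "__main__":
    labels, costly = run(RECORDS)
    print(labels)
    print(f"costly feature evaluations: {costly} of {len(RECORDS)} records")
```

On this constructed stream the window features are built for 12 of the 17 records rather than all 17; the saving grows with the share of traffic whose cheap fields rule out every costly rule. The trade-off a practitioner should keep in mind is that the necessary condition must be implied by the rule exactly, otherwise connections that would have matched the costly test are silently skipped.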
After summarizing the EMERALD architecture and the evolutionary process from which EMERALD has evolved, this paper focuses on our experience to date in designing, implementing, and applying EMERALD to various types of anomalies and misuse. The discussion addresses the fundamental importance of good software engineering practice and the importance of the system architecture….