The Center for Education and Research in Information Assurance and Security (CERIAS)


Reports and Papers Archive



Robustness of Canberra Metric in Computer Intrusion Detection

Syed Masum Emran, Nong Ye
Added 2002-07-26

Security Considerations in Quality of Service Architectures

CERIAS TR 2000-06
Stephanie A. Miller
Download: PDF
Added 2002-07-26

Implementing the Hypercube Quadratic Sieve with Two Large Primes

CERIAS TR 2001-45
Brian Carrier and Samuel S. Wagstaff Jr.
Download: PDF

This paper deals with variations of the quadratic sieve integer factoring algorithm.  We describe what we believe is the first implementation of the hypercube multiple polynomial quadratic sieve with two large primes.  We have used this program to factor many integers with up to 116 digits.  Our program appears to be many times faster than the (non-hypercube) multiple polynomial quadratic sieve with two large primes.

Added 2002-07-26

Project Indra: A Distributed Approach to Network Intrusion Detection

Qi Zhang, Ramaprabhu Janakiraman

With the prevalence of Distributed Denial of Service (DDOS) attacks, detection and containment of malicious attacks on networks by crackers has gained prominence.  In DDOS attacks and in cracker attacks in general, the usual technique of crackers is to infiltrate a network through a vulnerable host and then launch further attacks.  Software that detects vulnerabilities and intrusions in a single host exists today.  We propose a novel distributed scheme in which the knowledge of a single system (that it has been the target of an intrusion attempt) is disseminated to its friendly neighbors, so that they can take preventive measures against the intruder.

Added 2002-07-26

A Distributed Concurrent Intrusion Detection Scheme Based on Assertions

Shambhu J. Upadhyaya

This paper presents a new technique for intrusion detection based on concurrent monitoring of user operations.  In this scheme, prior to starting a session on a computer, an auxiliary process called watchdog first queries users for a scope file and then generates a table called a sprint-plan.  The sprint-plan is composed of carefully derived assertions that can be used as a basis for concurrent monitoring of user commands.  The plan is general enough to allow a normal user to perform his task without much interference from the watchdog or system administrator and is specific enough to detect intrusions, both external and internal.  A distributed watchdog process architecture based on the notion of verifiable assertions is presented.  This scheme is a significant enhancement over the traditional approaches that rely on audit trail analysis in that the intrusion detection latency could be much shorter.

Added 2002-07-26

An Immunological Model of Distributed Detection and Its Application to Computer Security

Steven Andrew Hofmeyer

This dissertation explores an immunological model of distributed detection, called negative detection, and studies its performance in the domain of intrusion detection on computer networks…

Added 2002-07-26

Research in Intrusion-Detection Systems: A Survey

Stefan Axelsson

This paper presents an up-to-date and thorough survey of the research in the field of computer and network intrusion detection, with a taxonomy of intrusion detection system features, and a classification of the surveyed systems according to this taxonomy…

Added 2002-07-26

A Sense of Self for Unix Processes

Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji, Thomas A. Longstaff

A method for anomaly detection is introduced in which normal is defined by short-range correlations in a process's system calls.  Initial experiments suggest that the definition is stable during normal behavior for standard UNIX programs.  Further, it is able to detect several common intrusions involving sendmail and lpr.  This work is part of a research program aimed at building computer security systems that incorporate the mechanisms and algorithms used by natural immune systems.

Added 2002-07-26

Data Mining Approaches for Intrusion Detection

Wenke Lee, Salvatore J. Stolfo

In this paper we discuss our research in developing general and systematic methods for intrusion detection.  The key ideas are to use data mining techniques to discover consistent and useful patterns of system features that describe program and user behavior, and use the set of relevant system features to compute (inductively learned) classifiers that can recognize anomalies and known intrusions.  Using experiments on the sendmail system call data and the network tcpdump data, we demonstrate that we can construct concise and accurate classifiers to detect anomalies.  We provide an overview on two general data mining algorithms that we have implemented: the association rules algorithm and the frequent episodes algorithm.  These algorithms can be used to compute the intra- and inter-audit record patterns, which are essential in describing program or user behavior.  The discovered patterns can guide the audit data gathering process and facilitate feature selection.  To meet the challenges of both efficient learning (mining) and real-time detection, we propose an agent-based architecture for intrusion detection systems where the learning agents continuously compute and provide the updated (detection) models to the detection agents.

Added 2002-07-26

Intelligent Agents for Intrusion Detection

Guy G. Helmer, Johnny S. K. Wong, Vasant Honavar, Les Miller

This paper focuses on intrusion detection and countermeasures with respect to widely-used operating systems and networks.  The design and architecture of an intrusion detection system built from distributed agents is proposed to implement an intelligent system on which data mining can be performed to provide global, temporal views of an entire networked system.  A starting point for agent intelligence in our system is the research into the use of machine learning over system call traces from the privileged sendmail program on UNIX.  We use a rule learning algorithm to classify the system call traces for intrusion detection purposes and show the results.

Added 2002-07-26

An Artificial Immune Model for Network Intrusion Detection

Jungwon Kim, Peter Bentley

This paper investigates the subject of intrusion detection over networks.  Existing network-based IDSs are categorized into three groups and the overall architecture of each group is summarised and assessed.  A new methodology to this problem is then presented, which is inspired by the human immune system and based on a novel artificial immune model.  The architecture of the model is presented and its characteristics are compared with the requirements of network-based IDSs.  The paper concludes that this new approach shows considerable promise for future network-based IDSs.

Added 2002-07-26

On Preventing Intrusions by Process Behavior Monitoring

R. Sekar, T. Bowen, M. Segal

Society's increasing reliance on networked information systems to support critical infrastructures has prompted interest in making the information systems survivable, so that they can continue to perform critical functions even in the presence of vulnerabilities susceptible to malicious attacks.  It is necessary to detect attacks and isolate failures resulting from attacks before they damage the system by impacting functionality, performance or security.  The key research problems in this context include:
* detecting in-progress attacks before they cause damage, as opposed to detecting attacks after they have succeeded,
* localizing and/or minimizing damage by isolating attacked components in real-time, and
* tracing the origin of attacks.
We address the detection problem by real-time event monitoring and comparison against events known to be unacceptable.  Real-time detection differentiates our approach from previous works that focus on intrusion detection by post-attack evidence analysis.  We address the isolation and tracing problems by supporting automatic initiation of reactions.  Reactions are programs that we develop to respond to attacks.  A reaction's primary goal is to isolate compromised components and prevent them from damaging other components.  A reaction's secondary goal is to aid in tracing the origin of attack, e.g., by providing an illusion of success to the attackers (enticing them to continue the attack) while ensuring that the attack causes no damage.  Our approach to detecting attacks is based on specifying permissible process behaviors as logical assertions on sequences of system calls and conditions on the values of system call arguments.  We compile the specifications into finite state automata for efficient runtime detection of deviations from the specified (and hence permissible) behavior.  We seamlessly integrate detection and reaction by designing our specification language to also allow specification of reactions.

Added 2002-07-26

CEDMOS: Complex Event Detection and Monitoring System

Donald Baker, Anthony R. Cassandra, Mosfeq Rashid

CEDMOS is the Composite Event Detection and Monitoring System developed for DARPA by MCC.  CEDMOS recognizes patterns of events called complex events according to user-authorized event specifications.  CEDMOS is a general event processing technology that includes:
* a core infrastructure for event detection which implements a general, efficient event processing model;
* a graphical programming environment for the creation and manipulation of composite events; and
* agent shells for rapid development of customized agents for event gathering, composite event detection, and dissemination of composite events.
This paper gives the theoretical basis for the CEDMOS event processing model.  The model is a restriction of a more general event processing model that takes into consideration a number of practical issues.  In addition, issues that arose in the deployment of CEDMOS to some particular domains are discussed.  Unlike many other event processing technologies, CEDMOS is not tied to databases or other technologies and can be applied to many different domains.

Added 2002-07-26

Secure Group Communications Using Key Graphs

Chung Kei Wong, Mohamed Gouda, Simon S. Lam

Many emerging applications (e.g., teleconference, real-time information services, pay per view, distributed interactive simulation, and collaborative work) are based upon a group communications model, i.e., they require packet delivery from one or more authorized senders to a very large number of authorized receivers.  As a result, securing group communications (i.e., providing confidentiality, integrity, and authenticity of messages delivered between group members) will become a critical networking issue.  In this paper, we present a novel solution to the scalability problem of group/multicast key management.  We formalize the notion of a secure group as a triple (U, K, R) where U denotes a set of users, K a set of keys held by the users, and R a user-key relation.  We then introduce key graphs to specify secure groups.  For a special class of key graphs, we present three strategies for securely distributing rekey messages after a join/leave, and specify protocols for joining and leaving a secure group.  The rekeying strategies and join/leave protocols are implemented in a prototype group key server we have built.  We present measurement results from experiments and discuss performance comparisons.  We show that our group key management service, using any of the three rekeying strategies, is scalable to large groups with frequent joins and leaves.  In particular, the average measured processing time per join/leave increases linearly with the logarithm of group size.

Added 2002-07-26

A Weakness in the 4.2BSD Unix TCP/IP Software

Robert T. Morris

The 4.2 Berkeley Software Distribution of the Unix operating system (4.2BSD for short) features an extensive body of software based on the TCP/IP family of protocols.  In particular, each 4.2BSD system trusts some set of other systems, allowing users logged into trusted systems to execute commands via a TCP/IP network without supplying a password.  These notes describe how the design of TCP/IP and the 4.2BSD implementation allow users on untrusted and possibly very distant hosts to masquerade as users on trusted hosts.  Bell Labs has a growing TCP/IP network connecting machines with varying security needs; perhaps steps should be taken to reduce their vulnerability to each other.

Added 2002-07-26