EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances
Author
Phillip A. Porras, Peter G. Neumann
Entry type
techreport
Abstract
This paper summarizes the EMERALD (Event Monitoring Enabling Responses to Anomalous
Live Disturbances) environment, a distributed scalable tool suite for tracking
malicious activity through and across large networks. EMERALD introduces a highly
distributed, building-block approach to network surveillance, attack isolation,
and automated response. It combines models from research in distributed high-volume
event-correlation methodologies with over a decade's worth of intrusion-detection
research and engineering experience. The approach is novel in its use of highly
distributed, independently tunable surveillance and response monitors that are
deployable polymorphically at various abstract layers in a large network. These
monitors demonstrate a streamlined intrusion-detection design that combines
signature analysis with statistical profiling to provide localized real-time
protection of the most widely used network services on the Internet. Equally
important, EMERALD introduces a recursive framework for coordinating the
dissemination of analyses from the distributed monitors to provide a global
detection and response capability to counter attacks occurring across an entire
network enterprise. Further, EMERALD introduces a versatile application programmers'
interface that enhances its ability to integrate with the target hosts and provides
a high degree of interoperability with third-party tool suites.
Address
Menlo Park, CA 94025
Institution
SRI International
Key alpha
Porras
Pages
1 - 16
Publication Date
2001-01-01
Keywords
intrusion detection, anomaly detection, misuse detection, network security, coordinated attacks, information warfare, system survivability