| Porras, P.A., Neumann, P.G.: EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In: Proceedings of the 20th National Information Systems Security Conference. (1997) |
....fairly simple flow and connection models that it uses for attack detection, but provides efficient response to detected attacks. Combining signature- and anomaly-based detection methods of intrusion detection systems (such as those deployed in NetRanger [3], NID [4], SecureNet PRO [17], RealSecure [11] [21], and NFR NID [19]) with D-WARD would likely enhance detection accuracy. Several DDoS defense systems [16] and [1] perform anomaly detection (usually at the victim network) by observing numerous traffic parameters and defining a range of allowed values based on the analysis of packet trace data. ....
P. Porras and P. Neumann. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In Proceedings of the Nineteenth National Computer Security Conference, October 1997.
....intrusive. Numerous research as well as commercial IDSs have been developed using anomaly and/or misuse detection techniques. These systems are generally classified into host-based IDSs (e.g., USTAT [4]), network-based IDSs (e.g., NetSTAT [14], NFR [11]), and distributed IDSs (e.g., EMERALD [10]). As discussed earlier, all the current IDSs detect low-level attacks or anomalies; none of them can capture the logical steps or attack strategies behind these attacks. It is usually up to the human users to discover the connections between alerts. However, in the intrusion-intensive ....
P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling response to anomalous live disturbances. In Proceedings of the 20th National Information Systems Security Conference, National Institute of Standards and Technology, 1997.
....in an NFS server, to demonstrate both feasibility and efficiency of storage-based intrusion detection. In particular, both the performance overhead and memory required (152 KB for 4730 rules) are minimal. 1 Introduction Many intrusion detection systems (IDSs) have been developed over the years [1, 23, 29], with most falling into one of two categories: network-based or host-based. Network IDSs (NIDS) are usually embedded in sniffers or firewalls, scanning traffic to, from, and within a network environment for attack signatures and suspicious traffic [5, 25]. Host-based IDSs (HIDS) are fully or ....
P. A. Porras and P. G. Neumann. EMERALD: event monitoring enabling responses to anomalous live disturbances. National Information Systems Security Conference, pages 353--365, 1997.
....1. Introduction In response to attacks and potential attacks against enterprise networks, administrators are increasingly deploying intrusion detection systems (IDSs). These systems monitor hosts, networks, critical files, and so forth, using a variety of signature and probabilistic techniques [1, 2]. The use of such systems has given rise to another difficulty, namely, correlating a potentially large number of alerts from heterogeneous sensors. To the degree that this has been addressed in current systems, heuristic techniques have been used. In this paper, we describe a probabilistic ....
.... used to achieve a hierarchy of alert correlation defined as inferred thread (within sensor), security incident (between sensor), and correlated attack report (between sensor and attack step). We then present preliminary results from the alerts generated by various EMERALD and third-party monitors [1, 2]. 2. Sensor Correlation and Alert Fusion In [3] we introduced probabilistic methods for sensor correlation. Specifically, we considered two closely coupled sensors, a TCP misuse monitor and an asset availability monitor. Both are based on Bayes inference [4], and the former sensor is aware of ....
Porras, P. and Neumann, P. "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances", National Information Security Conference, 1997. http://www.sdl.sri.com/emerald/emerald-niss97.html
....vulnerability is considered intrusive. Numerous research as well as commercial IDSs have been developed using anomaly and/or misuse detection techniques, including host-based IDSs (e.g., USTAT [8]), network-based IDSs (e.g., NetSTAT [21], NFR [16]), and distributed IDSs (e.g., AAFID [18], EMERALD [15]). All current IDSs are aimed at detecting low-level attacks or anomalies; none can capture the logical steps or attack strategies behind these attacks. It is usually up to human users to discover the connections between alerts. However, in intrusion-intensive situations, IDSs may generate large ....
....other in time tend not to relate to each other. Therefore, we have little reason to treat them as a single hyper-alert. The reason that we allow a hyper-alert to be aggregated from multiple alerts is to have flexibility in reasoning about alerts. As we discussed earlier, an IDS (e.g., EMERALD [15]) may generate multiple alerts for the same attack. Thus, having the current definition of hyper-alert gives more opportunity for alert correlation than not allowing alert aggregation. Nevertheless, it is desirable to exclude unreasonable situations such as the one pointed out earlier. In the ....
P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling response to anomalous live disturbances. In Proceedings of the 20th National Information Systems Security Conference, National Institute of Standards and Technology, 1997.
....IDS based on multiple autonomous agents that can be added and removed from a system on the fly. There is no facility for automated handling of intrusions, i.e., AAFID is a passive IDS. The two schemes that are most closely related to Indra are Cooperating Security Managers (CSM) [5] and EMERALD [6]. CSM is a peer-based IDS designed for use in a distributed network environment. Each CSM acts like a host-based local IDS for its host, while additionally cooperating with other CSMs without the use of a central controller. EMERALD is a powerful distributed IDS that is active and distributed. ....
P. A. Porras and P. G. Neumann. EMERALD: event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 20th National Information Systems Security Conference, pages 353--365, October 1997.
....subsystem itself intrusion tolerant, since it may still be effective if some of its components fail. 3.1 Intrusion Detection Our intrusion detection systems feature diverse event sources, inference techniques, and detection paradigms. They include EMERALD host, network, and protocol monitors [19,15,20,29], as well as embedded application monitors [1]. Different sensors cover different portions of the detection space, and have different detection rates, false alarm ratios, and operational conditions (e.g., the maximum rate of incoming events that can be handled). Their combination allows detecting ....
P. Porras and P. Neumann. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In National Information Security Conference, Oct. 1997.
....is based on multiple autonomous agents that can be added and removed from a system on the fly. There is no facility for automated handling of intrusions, i.e., AAFID is a passive IDS. The two schemes that are most closely related to Indra are Cooperating Security Managers (CSM) [5] and EMERALD [6]. CSM is a peer-based IDS designed for use in a distributed network environment. Each CSM acts like a host-based local IDS for its host, while additionally cooperating with other CSMs without the use of a central controller. EMERALD is a powerful distributed IDS that is active and distributed. ....
P. A. Porras and P. G. Neumann. EMERALD: event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 20th National Information Systems Security Conference, pages 353--365, October 1997.
....or the network, having gained higher privileges. Ryan et al. [17] have also suggested that every user leaves a print on the terminal, which could be picked up using artificial neural networks (ANNs). User-profile-based endeavors include statistical methods such as IDES [5] and EMERALD [15], which create multi-level usage profiles (i.e., at user or group levels). DuMouchel [6] created contiguous command-sequence-based probability transition matrices, which serve as user profiles. Schonlau et al. [18] test a variety of statistical methods for building user profiles. Clustering is an ....
P. A. Porras, P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In 20th National Information Systems Security Conference, October 1997.
No context found.
P.A. Porras and P.G. Neumann. Emerald: Event monitoring enabling responses to anomalous live disturbances. In National Information Systems Security Conference, pages 353--365, Baltimore, MD, October 1997.
No context found.
P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 20th National Information Systems Security Conference, pages 353--365, Baltimore, Maryland, Oct. 7--10, 1997. National Institute of Standards and Technology /National Computer Security Center.
No context found.
Porras, P.A., Neumann, P.G.: EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In: Proceedings of the 20th National Information Systems Security Conference. (1997)
No context found.
P. A. Porras and P.G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances", Proceedings of the National Information Systems Security Conference, October 1997.
No context found.
P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proc. 20th NIST-NCSC National Information Systems Security Conference, 1997.
No context found.
Porras, P. A. and Neumann, P. G. (1997). Emerald: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 20th NIS Security Conference.
No context found.
P. A. Porras and P. G. Neumann. Emerald: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 20th NIS Security Conference, October 1997.
No context found.
P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In National Information Systems Security Conference, Baltimore, MD, October 1997.
No context found.
P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proc. 20th NISTNCSC National Information Systems Security Conference, pages 353--365, 1997.
No context found.
P. Porras and P. Neumann. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In Proceedings of the 1997.
No context found.
Phillip A. Porras and Peter G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In National Information Systems Security Conference, Baltimore, MD, October 1997.
No context found.
P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In National Information Systems Security Conference, Baltimore, MD, October 1997.
No context found.
Phillip A. Porras and Peter G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In National Information Systems Security Conference, Baltimore, MD, October 1997.
No context found.
P A Porras, P G Neumann, "EMERALD: event monitoring enabling response to anomalous live disturbances", Proceedings 20th National Information Security Conference, NIST 1997
No context found.
P. Porras and P. Neumann, "EMERALD: Event monitoring enabling responses to anomalous live disturbances," in Proc. 20th NIST-NCSC National Information Systems Security Conference, pp. 353--365, 1997.
No context found.
Porras, P. A., and Neumann, P. G. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proc. 20th NIST-NCSC National Information Systems Security Conference (1997), pp. 353--365.
No context found.
Porras P., Neumann P., "EMERALD: Event monitoring enabling responses to anomalous live disturbances". Proceedings of the 20 National Information Systems Security Conference, Baltimore, Maryland 1997
No context found.
P.A. Porras and P.G. Neumann. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In 19th National Information System Security Conference (NISSC), 1997.
No context found.
P.A. Porras and P.G. Neumann, EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances, Proceedings of the Nineteenth National Computer Security Conference, p353-365, Baltimore, MD, October 1997.
No context found.
P. Porras, and P. Neumann, "EMERALD: Event Monitoring Enabling Response to Anomalous Live Disturbances," in Proceedings 20th National Information Systems Security Conference, Oct 7, 1997.
No context found.
P. Porras and P. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the National Information Systems Security Conference, October 1997.
No context found.
P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proc. 20th NIST-NCSC Nat'l Information Systems Security Conf., pages 353--365, 1997.
No context found.
P. A. Porras and Peter G. Neumann. Emerald: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the National Information Systems Security Conference, 1997.
No context found.
P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In National Information Systems Security Conference, Baltimore, MD, October 1997.
No context found.
Porras, P. and P. Neumann, EMERALD: Event monitoring enabling responses to anomalous live disturbances, in: Proceedings of the 20th National Information Systems Security Conference, Baltimore, MD, 1997, pp. 353--365.
No context found.
Porras, P. and Neumann, P. "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances", National Information Security Conference, 1997. http://www.sdl.sri.com/emerald/emerald-niss97.html
No context found.
P.A. Porras and P.G. Neumann. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In Proceedings of the 1997.
No context found.
P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In National Information Systems Security Conference, Baltimore MD, October 1997.
No context found.
P. Porras and P. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In National Information Systems Security Conference, 1997.
No context found.
P. Porras and P. Neumann. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In Proceedings of the Nineteenth National Computer Security Conference, October 1997.
No context found.
P.A. Porras and P.G. Neumann. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In Proceedings of the Nineteenth National Computer Security Conference, pages 353-365, Baltimore, Maryland, 22-25 October 1997. NIST/NCSC.
No context found.
P.A. Porras and P.G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances", Proceedings of the Nineteenth National Computer Security Conference, October 1997.
No context found.
P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 20th National Information Systems Security Conference, pages 353--365, Baltimore, Maryland, Oct. 7--10, 1997.
No context found.
P. Porras and P. Neumann. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In Proceedings of the 1997.
No context found.
P. A. Porras and P.G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances", Proceedings of the National Information Systems Security Conference, October 1997.
No context found.
P. A. Porras and P. G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances," Proceedings of the 20 Information Systems Security Conference, pages 353-356, Baltimore, Maryland, Oct. 7-10 1997. National Institute of Standards and Technology/National Computer Security Center.
No context found.
Phillip A. Porras and Peter G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances, " in Proceedings of the Nineteenth National Computer Security Conference. 1990, May, pp. 296--304.
No context found.
Phillip A. Porras and Peter G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In National Information Systems Security Conference, 1997.
No context found.
P. A. Porras and P. G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances", Proceedings of the 19 National Computer Security Conference, Baltimore, MD, Oct. 1997, pp. 353-365.
No context found.
PORRAS, P. A., AND NEUMANN, P. G. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In Proceedings of the Nineteenth National Computer Security Conference (May), 1990, pp. 296--304.
No context found.
P. Porras and P. Neumann. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In Proceedings of the Nineteenth National Computer Security Conference, October 1997.