L. T. Heberlein, B. Mukherjee, and K. N. Levitt. Internet security monitor: An intrusion detection system for large-scale networks. In Proceedings of the 15th National Computer Security Conference, 1992.
....the former type monitors activity on a single computer, whereas the latter type monitors activity over a network. Network-based IDS can monitor information collated from audit trails from many different hosts (multi host monitoring) or they can monitor network traffic. NADIR [22] and DIDs [21] are examples of IDS that do both multi host and network traffic monitoring; NSM [20] is an IDS that monitors only network traffic. Regardless of other architectural considerations, any IDS must have three components: Data collection (and reduction), data classification and data reporting. Data ....
L. T. Heberlein, B. Mukherjee, and K. N. Levitt. Internet security monitor: An intrusion detection system for large scale networks. In Proceedings of the 15th National Computer Security Conference, 1992.
....the former type monitors activity on a single computer, whereas the latter type monitors activity over a network. Network based IDS can monitor information collated from audit trails from many different hosts (multi host monitoring) or they can monitor network traffic. NADIR [26] and DIDs [25] are examples of IDS that do both multi host and network traffic monitoring; NSM [24] is an IDS that monitors only network traffic. Regardless of other architectural considerations, any IDS must have three components: Data collection (and reduction), data classification and data reporting. Data ....
Heberlein L, Mukherjee B, Levitt K. Internet Security Monitor: An Intrusion Detection System for Large Scale Networks. Proceedings of 15th National Computer Security Conference, 1992.
....an unmonitored host and then back onto the monitored network. See Figure 5. However, in many environments, hosts without monitors or even audit trails are a reality, so we are working with a technology we call thumbprinting to provide some measure of accountability through unmonitored hosts [HML92]. Suppose a user u1 on host A performs a remote login to user u2 on host B, and from host B, performs a remote login to user u3 on host C. Furthermore, hosts A and C are monitored hosts, and B is unmonitored. uid: findname pid: 801 host.cs.chair.edu uid: newname pid: 21017 uid: legitimate pid: ....
....line or entering text in an editor). If these assumptions hold, we can determine, with some degree of assurance, whether user u3 on host C is really the same as user u1 on host A by using what we call thumbprints. A thumbprint is a profile of connection activity over a specified period of time [HML92]. If two connections have similar thumbprints over several segments of time, then we can say with some amount of certainty that the two connections are really part of an extended connection. For example, we can view the two connections discussed previously, A to B and B to C, as a single extended ....
L. Heberlein, B. Mukherjee, and K. Levitt. Internet security monitor: An intrusion-detection system for large-scale networks. Proceedings of the 15th National Computer Security Conference, 1992.
No context found.
L. T. Heberlein, B. Mukherjee, and K. N. Levitt. Internet security monitor: An intrusion detection system for large-scale networks. In Proceedings of the 15th National Computer Security Conference, 1992.