Network Flight Recorder Inc. Network flight recorder. http://www.nfr.com, 1997.
....so far. Clearly the efficient approach, as has been adopted for Argus, appears to be one that uses a mix of both these systems so as to draw on the strengths of each. 1.3 Organization of this report The rest of the report is organized as follows. In Chapter 2, we justify our choice of NFR [8] as an off-the-shelf knowledge-based component, describe the internals of this system and give the details of our deployment of NFR. This chapter also contains our perspective on the strengths and shortcomings of NFR. In Chapter 3, we describe the design of Argus and the rationale behind the ....
....[Figure 3: Anomaly Detection Agent; box labels: Info Queue, Rec Queue, Get connection records (from Data cleansers), Classify; if anomaly and confidence above threshold, send connection record to manager; randomly send normal data to manager] 4.3 Driver for NFR We use an off-the-shelf knowledge-based system, NFR [8], that contains its own connection record creator, an attack signature database and a rule application engine (misuse agent). To integrate NFR into Argus, we needed to build a driver that interfaces Argus with NFR. The functionality that the driver had to handle was: 1. Transfer NFR alert ....
Network Flight Recorder 5.0, NFR Security Inc 2001. http://www.nfr.net 50
....1 features may cost 1, level 2 features may cost 5, level 3 features may cost 10, and level 4 features may cost 100. These estimations have been verified empirically using a prototype system for evaluating our ID models in real time that has been built in coordination with Network Flight Recorder [20]. 3 Cost Models A cost model formulates the total expected cost of intrusion detection. It considers the trade off among all relevant cost factors and provides the basis for making appropriate cost sensitive detection decisions. We first examine the cost trade off associated with each possible ....
Network Flight Recorder Inc. Network flight recorder. http://www.nfr.com, 1997.
....detection systems are monolithic, it is also hard to add new and complementary detection modules to an existing IDS. Some of the recent research and commercial IDSs have started to provide built-in mechanisms for customization and extension. For example, both Bro [Paxson, 1998] and NFR [Network Flight Recorder Inc. 1997] filter network traffic streams into a series of events, and execute scripts, e.g. Bro policy scripts and NFR's N-Codes, that contain site-specific event handlers, i.e. intrusion detection and handling rules. The system administration personnel at each installation site must then assume the roles ....
....are produced off-line. Effective intrusion detection should be in real time to minimize security compromises. We therefore need to study how our models perform in a real-time environment. We are working on translating RIPPER rules into real-time detection modules in NFR (Network Flight Recorder) [Network Flight Recorder Inc. 1997], a system that includes a packet capturing engine and N-Code programming support for specifying packet filtering logic. NFR offers a fairly simple framework for network monitoring. It sniffs packets from the network, reassembles them, and then passes them to filter functions for further ....
Network Flight Recorder Inc. Network flight recorder. http://www.nfr.com, 1997.
....costs. For example, level 1 features may cost 1 or 5, level 2 features may cost 10, and level 3 features may cost 100. These estimations have been verified empirically using a prototype system for evaluating our ID models in realtime that has been built in coordination with Network Flight Recorder [18]. 3 Cost Models A cost model formulates the total expected cost of intrusion detection. It considers the trade off among all relevant cost factors and provides the basis for making appropriate cost sensitive detection decisions. We first examine the cost trade off associated with each possible ....
Network Flight Recorder Inc. Network flight recorder. http://www.nfr.com, 1997.
....are produced off-line. Effective intrusion detection should be in real time to minimize security compromises. We therefore need to study how our models perform in a real-time environment. We are working on translating RIPPER rules into real-time detection modules in NFR (Network Flight Recorder) [NFR], a system that includes a packet capturing engine and N-Code programming support for specifying packet filtering logic. In our first implementation, we essentially tried to follow the off-line analysis steps in a real-time environment. A connection is not inspected (classified using the rules) ....
Network Flight Recorder Inc. Network flight recorder. http://www.nfr.com, 1997.
....costs. For example, level 1 features may cost 1 or 5, level 2 features may cost 10, and level 3 features may cost 100. These estimations have been verified empirically using a prototype system for evaluating our ID models in realtime that has been built in coordination with Network Flight Recorder [18]. 3 Cost Models A cost model formulates the total expected cost of intrusion detection. It considers the trade off among all relevant cost factors and provides the basis for making appropriate cost sensitive detection decisions. We first examine the cost trade off associated with each possible ....
Network Flight Recorder Inc. Network flight recorder. http://www.nfr.com, 1997.
....and slow [Allen et al. 2000]. Some of the recent research and commercial IDSs have started to provide built-in mechanisms for customization and extension. For example, both Bro [Paxson 1998] and NFR [Network Flight Recorder Inc. 1997] filter network traffic streams into a series of events, and execute scripts, e.g. Bro policy scripts and NFR's N-Codes, that contain site-specific event handlers, i.e. intrusion detection and handling rules. The system administration personnel at each installation site must now assume the roles ....
....and implemented an algorithm for finding the necessary conditions for intrusions, and are implementing the ruleset filtering algorithm in NFR. 7. RELATED WORK Network intrusion detection has been an on-going research area [Mukherjee et al. 1994]. More recent systems, e.g. Bro [Paxson 1998], NFR [Network Flight Recorder Inc. 1997], and EMERALD [Porras and Neumann 1997] all made extensibility their primary design goals. Both Bro and NFR provide high-level scripting languages for codifying the site-specific intrusion detection rules, which are executed at run time as event handlers by the packet filtering and re-assembly ....
Network Flight Recorder Inc. 1997. Network flight recorder. http://www.nfr.com.
....is not an important goal, but rather that cost factors need to be included in the process of developing and evaluating IDSs. We are also developing automatic translation systems to convert our models, which are learned offline, into modules of programmable real-time IDSs (e.g. Bro [14] and NFR [12]). Although cost-sensitive learning algorithms already produce models with low computational costs, they can be improved. For example, each intrusion can have low-cost necessary conditions associated with it. Checking these necessary conditions and eliminating the need for checking a large portion ....
....should be in real time to minimize security compromises. We therefore need to study how our models perform in a real-time environment. 4.1 Automatic Conversion to Real-time Modules We have been working on translating RIPPER rules into real-time detection modules in Network Flight Recorder (NFR) [12], a system that includes a packet capturing engine and N-Code programming support for specifying packet filtering logic. NFR offers a fairly simple framework for network monitoring. It sniffs packets on the network, reassembles them, and then passes them to filter functions for further ....
Network Flight Recorder Inc. Network flight recorder. http://www.nfr.com, 1997.
....at least appear, according to their product literature, to do the same things; we do not have direct experience with any of these products. A somewhat different sort of product, the Network Flight Recorder, is described in [RLSSLW97], though it is now increasingly used for intrusion detection [Ne99]. However, the link is an FDDI ring, so to monitor it requires a system that can capture traffic at speeds of up to 100 Mbps. No packet filter drops. If an application using a packet filter cannot consume packets as quickly as they arrive on the monitored link, then the filter will buffer the ....
Network Flight Recorder, Inc., Network Flight Recorder, http://www.nfr.com, 1999.
....IDSs with each other and with the modeling engine, and for facilitating authenticated and secured communications between CIDF components. 4.2 Implementation of an Experimental System We implemented an experimental system, based on CIDF, where MADAM ID is the modeling engine, and Bro [14] and NFR [13] are the two real-time IDSs. We also implemented a system that acts as both a matchmaker and a CA. We describe our experiences here. The Modeling Engine As shown in Figure 1, MADAM ID normally starts the model building process from raw audit data, but can also directly use the processed ....
Network Flight Recorder Inc. Network flight recorder. http://www.nfr.com, 1997.
....are produced off-line. Effective intrusion detection should be in real time to minimize security compromises. We therefore need to study how our models perform in a real-time environment. We are working on translating RIPPER rules into real-time detection modules in NFR (Network Flight Recorder) [NFR], a system that includes a packet capturing engine and N-Code programming support for specifying packet filtering logic. In our first implementation, we essentially tried to follow the off-line analysis steps in a real-time environment. A connection is not inspected (classified using the rules) ....
Network Flight Recorder Inc. Network flight recorder. http://www.nfr.com, 1997.
....limited extensibility and adaptability. Many IDSs only handle one particular audit data source, and their updates are expensive and slow. Some of the recent research and commercial IDSs have started to provide built-in mechanisms for customization and extension. For example, both Bro [19] and NFR [18] filter network traffic streams into a series of events, and execute scripts (e.g. Bro policy scripts and NFR's N-Codes) that contain site-specific event handlers, i.e. intrusion detection and handling rules. The system administration personnel at each installation site must now assume the roles ....
....[Table 8: Similarity with Four Groups Profiles; the similarity values for the manager2 row and neighbouring rows are not recoverable here] 5 Related Work Network intrusion detection has been an on-going research area [17]. More recent systems, e.g. Bro [19], NFR [18], and EMERALD [20] all made extensibility their primary design goals. Our research focuses on automatic methods for constructing intrusion detection models. The meta-learning mechanism is designed to automate the extension process of IDSs. We share the same views discussed in [21] that an IDS ....
Inc. Network Flight Recorder. Network flight recorder. http://www.nfr.com, 1997.
....constructed by manual encoding of expert security knowledge, changes to IDSs are expensive and require many hours of programming and debugging. We describe a data mining framework for adaptively building Intrusion Detection (ID) models specifically for use in Network Flight Recorder (NFR) [10]. The central idea is to utilize auditing programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities. These rules can then be used for ....
....of NFR's key features is that it does not interfere with network activity, which is a necessary design criterion for obtaining accurate data for analysis. NFR also has a real-time alerting capability and a storage subsystem that allows data to be stored, rotated, and archived to other external devices [10]. However, this does not eliminate the need for experts to first analyze and categorize attack scenarios and system vulnerabilities, and hand-code the corresponding rules and patterns in N-Code for misuse detection. Because of the manual and ad hoc nature of the development process, current IDSs ....
Inc. Network Flight Recorder. Network flight recorder. http://www.nfr.com, 1997.
....(a DMZ) we can economically monitor our greatest potential source of attacks by passively watching the DMZ link. However, the link is an FDDI ring, so to monitor it requires a system that can capture traffic at speeds of up to 100 Mbps. In addition, the volume of traffic over the link is fairly hefty, about 20 GB/day. [Footnote 1: Or at least appear, according to their product literature, to do the same things; we do not have direct experience with any of these products. A somewhat different sort of product, the Network Flight Recorder, is described in [RLSSLW97, Ne97].] No packet filter drops. If an ....
Network Flight Recorder, Inc., Network Flight Recorder, http://www.nfr.com, 1997.
Network Flight Recorder Inc. Network flight recorder. http://www.nfr.com, 1997.