Porras, P., and A. Valdes, "Live Traffic Analysis of TCP/IP Gateways", Networks and Distributed Systems Security Symposium, 1998.


This paper is cited in the following contexts:
Detecting Novel Attacks by Identifying Anomalous Network.. - Mahoney, Chan (2001)   (10 citations)

....shows that most systems are rule based (similar to a firewall) requiring that the user or network administrator specify what type of traffic is allowed. For example, Bro (Paxson 1998) requires that the operator use a specialized language to describe allowable network packets. EMERALD (Neumann and Porras 1998, Porras and Valdes 1998) has a component which collects network statistics from (presumably) attack-free traffic, automating the model building somewhat, but it still requires the user to specify which statistics to collect. ADAM (Barbar, Wu, and Jajodia) is fully automated in this respect, but ....

....systems are rule based (similar to a firewall) requiring that the user or network administrator specify what type of traffic is allowed. For example, Bro (Paxson 1998) requires that the operator use a specialized language to describe allowable network packets. EMERALD (Neumann and Porras 1998, Porras and Valdes 1998) has a component which collects network statistics from (presumably) attack-free traffic, automating the model building somewhat, but it still requires the user to specify which statistics to collect. ADAM (Barbar, Wu, and Jajodia) is fully automated in this respect, but monitors only IP ....


Porras, P., and A. Valdes, "Live Traffic Analysis of TCP/IP Gateways", Networks and Distributed Systems Security Symposium, 1998.


From Security to Safety and Back - Stavridou, Dutertre

....neural networks, statistical modeling, or data mining algorithms [14,17,18]. Such systems could provide the basic elements of intrusion tolerant architectures. The key issues of scalability and timely detection and reporting of anomalies remain to be solved, although recent progress has been made [30]. 5 Conclusion ....

P. Porras and A. Valdes. Live Traffic Analysis of TCP/IP Gateways. In Proceedings of the 1998 ISOC Symposium on Network and Distributed System Security (NDSS'98), San Diego, CA, March 1998.


An Immunological Model of Distributed Detection and Its.. - Hofmeyr (1999)   (20 citations)

....attacks by analysing and monitoring network traffic 12. Some good overviews of ID systems are given in [Mukherjee, et al. 1994]. This section briefly describes existing network ID systems, including NADIR [Hochberg, et al. 1993], DIDS [Snapp, et al. 1991], EMERALD [Porras & Neumann, 1997; Porras & Valdes, 1998], AAFID [Crosbie & Spafford, 1994; Crosbie & Spafford, 1995a; Crosbie & Spafford, 1995b; Balasubramaniyan, et al. 1998], NID [Heberlein, 1998], NSM [Heberlein, et al. 1990; Heberlein, et al. 1991; Mukherjee, et al. 1994], GrIDS [Staniford-Chen, et al. 1996], NetSTAT [Vigna & Kemmerer, 1998] ....

Porras, P. & Valdes, A. (1998). Live traffic analysis of TCP/IP gateways. In Networks and Distributed Systems Security Symposium.


Insertion, Evasion, and Denial of Service: Eluding Network.. - Ptacek, Newsham (1998)   (29 citations)

.... when something occurs that causes the system to incorrectly identify an intrusion when none has occurred (a false positive output) or when something occurs that causes the IDS to incorrectly fail to identify an intrusion when one has in fact occurred (a false negative). Some researchers [5] discuss IDS failures in terms of deficiencies in accuracy and completeness, where accuracy reflects the number of false positives and completeness reflects the number of false negatives. Other attacks might seek to disable the entire system, preventing it from functioning effectively at ....

P. A. Porras and A. Valdes, "Live Traffic Analysis of TCP/IP Gateways," To appear in Internet Society's Networks and Distributed Systems Security Symposium, March 1998.


Intrusion Detection Systems: A Survey and Taxonomy - Axelsson (2000)   (21 citations)

....systems. The authors state that intrusion detection in JiNao is operated using three different paradigms: misuse based detection, anomaly based detection, and protocol based (misuse) detection. A.19 EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances). EMERALD [PN97, PV98] is intended as a framework for scalable, distributed, interoperable computer and network intrusion detection. The authors begin by describing a situation in which large, organic computing and network resources provide critical and costly service to their operators, yet offer little in the way ....

Phillip A Porras and Alfonso Valdes. Live traffic analysis of TCP/IP gateways. In Proceedings of the 1998 ISOC Symposium on Network and Distributed Systems Security, San Diego, California, 11--13 March 1998.


An Artificial Immune Model for Network Intrusion Detection - Kim, Bentley   (5 citations)

....to network intrusion detection, we view the normal activities of monitored networks as self and their abnormal activities as non-self. Many sophisticated network intrusions such as sweeps, co-ordinated attacks and Internet worms are detected by monitoring the anomalies of network traffic patterns [9]. Most network based IDSs monitor network packets and their identified anomalies show critical signatures of these network intrusions [6, 11]. Thus, the artificial immune model is designed for distinguishing normal network activities from abnormal network activities and expected to detect ....

....the potential genes of detectors and diverse genetic mechanisms generate new detectors. The potential genes are the selected fields of profiles to describe anomalous network traffic patterns. They are selected after understanding the detailed mechanisms of network protocol and their security holes [9]. The initial genes might be set by the values of these fields that are observed when a previously known intrusion is simulated. They can be described by the number of packets, bytes, specific errors, etc., of typical network services for a specific short period or one connection time [6, 9]. If a ....


Porras, P. A.; Valdes, A., 1998, "Live Traffic Analysis of TCP/IP Gateways", Proceedings of the ISOC Symposium on Network and Distributed System Security. Available at http://www2.csl.sri.com/emerald/downloads.html


Automated Discovery of Concise Predictive Rules for.. - Helmer, Wong.. (1999)   (2 citations)

....Our work also looks at the application of artificial intelligence to the problem of detecting abuses of privileged programs. The SRI EMERALD project addresses the problems of network intrusions by using statistical anomaly detection and signature analysis techniques on TCP/IP data streams [Porras98]. EMERALD's design is similar to DIDS's in that network surveillance monitors observe local area network traffic and submit analysis reports to an enterprise monitor, which correlates the reports. The EMERALD project seems to focus on intrusions that can be recognized by viewing network traffic. ....

Porras, Phillip A. and Alfonso Valdes. Live Traffic Analysis of TCP/IP Gateways. Proceedings, Networks and Distributed Systems Security Symposium, March 1998.


Intelligent Agents for Intrusion Detection - Helmer, Wong, Honavar, Miller (1998)   (22 citations)

....et al. [5] in the area of identifying attacks against privileged programs. A portion of our work derives from this idea of detecting intrusions based on system call traces of privileged programs [7]. The SRI EMERALD project addresses the problems of network intrusions via TCP/IP data streams [10]. EMERALD's design is similar to DIDS's in that network surveillance monitors observe local area network traffic and submit analysis reports to an enterprise monitor, which correlates the reports. Like DIDS, EMERALD appears to concentrate the intelligence in a central system and does not ....

Phillip A. Porras and Alfonso Valdes, "Live Traffic Analysis of TCP/IP Gateways," in Networks and Distributed Systems Security Symposium, March 1998.


Data Mining Approaches for Intrusion Detection - Lee, Stolfo (1998)   (65 citations)

....dataset. Since tcpdump output is not intended specifically for security purposes, we had to go through multiple iterations of data pre-processing to extract meaningful features and measures. We studied TCP/IP and its security related problems, for example [Ste84, Pax97, ABH 96, Pax98, Bel89, PV98] for guidelines on the protocols and the important features that characterize a connection. 2.2.2 Data Pre-processing. We developed a script to scan each tcpdump data file and extract the connection level information about the network traffic. For each TCP connection, the script processes ....

Phillip A. Porras and Alfonso Valdes. Live traffic analysis of tcp/ip gateways. In Proceedings of the Internet Society Symposium on Network and Distributed System Security, March 1998.


ANCORS: Adaptable Network COntrol and Reporting System - Ricciulli, Porras, Shacham (1998)   Self-citation (Porras)

....code module and a resource object, which it instantiates to provide dynamically deployable and customizable surveillance. A detailed discussion of the ANCORS intrusion detection module's abilities to detect misuse and other exceptional activities on TCP/IP gateway machines can be found in [5]. 5 Conclusion. As the dynamic deployment of networking services becomes standard technology to support user applications, network operators will require an efficient and flexible infrastructure to assist them in network design, configuration, and monitoring. The quality of future network ....

P.A. Porras and A.Valdes. Live traffic analysis of tcp/ip gateways. To appear in Proceedings of the Network and Distributed System Security Symposium, San Diego, March, 1998.


ANCORS: Adaptable Network COntrol and Reporting System - Ricciulli, Shacham, Porras (1998)   Self-citation (Porras)

....code module and a resource object, which it instantiates to provide dynamically deployable and customizable surveillance. A detailed discussion of the ANCORS intrusion detection module's abilities to detect misuse and other exceptional activities on TCP/IP gateway machines can be found in [9]. 5 Conclusion. As the dynamic deployment of networking services becomes standard technology to support user applications, network operators will require an efficient and flexible infrastructure to assist them in network design, configuration, and monitoring. The quality of future network ....

P.A. Porras and A.Valdes. Live traffic analysis of tcp/ip gateways. To appear in Proceedings of the Network and Distributed System Security Symposium, San Diego, March, 1998.


An Adaptable Network COntrol and Reporting System (ANCORS) - Ricciulli, Porras (1999)   (6 citations)  Self-citation (Porras)

....in the ANCORS architecture. A variety of legacy SNMP or CMIP based agents like RMON may be directly integrated into the ANCORS framework. In addition, specialized network monitoring services may be dynamically deployed to perform user defined targeted analyses, such as those discussed in [17]. The use of active networking to dispatch user definable monitoring capabilities gives ANCORS two major advantages: (1) it permits selective monitoring of particular phenomena, such as new network requirements and new usage patterns that emerge over time, and (2) it improves monitoring ....

P.A. Porras and A.Valdes. Live traffic analysis of TCP/IP gateways. Proceedings of the Network and Distributed System Security Symposium, San Diego, March 1998.


Experience with EMERALD to Date - Neumann (1999)   (40 citations)  Self-citation (Porras)

....applicability, and future evolvability. It also considers the importance of correlation among distributed and hierarchical instances of EMERALD, and needs for additional detection and analysis components. 1. Introduction. EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances) [6, 8, 9] is an environment for anomaly and misuse detection and subsequent analysis of the behavior of systems and networks. EMERALD is being developed under DARPA ITO Contract number F30602-96-C-0294 and applied under DARPA ISO Contract number F30602-98-C-0059. EMERALD has farsighted goals for real-time ....

.... The statistical subsystem tracks subject activity via one of four types of statistical variables called measures: categorical (e.g. discrete types), continuous (e.g. numerical quantities), traffic intensity (e.g. volume over time), and event distribution (e.g. a meta-measure of other measures) [9]. EMERALD's signature analysis subsystem employs a variant of the P-BEST (Production-Based Expert System Tool) expert system [6] that allows administrators to instantiate a rule set customized to detect known problem activity occurring on the analysis target. Results from both the statistical ....


P.A. Porras and A. Valdes. Live traffic analysis of TCP/IP gateways. In Proceedings of the Symposium on Network and Distributed System Security. Internet Society, March 1998.


Automated Discovery of Concise Predictive Rules for.. - Helmer, Wong.. (2001)   (2 citations)

No context found.

Porras, Phillip A. and Alfonso Valdes. Live Traffic Analysis of TCP/IP Gateways. Proceedings, Networks and Distributed Systems Security Symposium, March 1998.


CiteSeer.IST - Copyright Penn State and NEC