by Phillip A. Porras, Peter G. Neumann
http://www2.csl.sri.com/emerald/Emerald-NISS97.ps.gz
Abstract:
The EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances) environment is a distributed, scalable tool suite for tracking malicious activity through and across large networks. EMERALD introduces a highly distributed, building-block approach to network surveillance, attack isolation, and automated response. It combines models from research in distributed high-volume event-correlation methodologies with over a decade of intrusion detection research and engineering experience. The approach is novel in its use of highly distributed, independently tunable surveillance and response monitors that are deployable polymorphically at various abstract layers in a large network. These monitors contribute to a streamlined event-analysis system that combines signature analysis with statistical profiling to provide localized real-time protection of the most widely used network services on the Internet. Equally important, EMERALD introduces a recursive framework for coordinating the dissemination of analyses from the distributed monitors to provide a global detection and response capability that can counter attacks occurring across an entire network enterprise. Further, EMERALD introduces a versatile application programmers' interface that enhances its ability to integrate with heterogeneous target hosts and provides a high degree of interoperability with third-party tool suites.
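The abstract describes two layers: service monitors that pair signature analysis with a statistical profile, and a higher tier that correlates what the monitors report. The following is an added illustration of that layering, written for this page; it is not EMERALD's code, and its signatures, window length, thresholds, service names and traffic are all constructed assumptions. Each service monitor matches every event against a small signature set and, separately, scores each source's per-window request count against that source's own history; a domain-level step then escalates any source implicated by more than one monitor or detection kind.

```python
"""Added illustration of signature-plus-profile monitors with a correlating tier.
Not EMERALD's code; every constant, signature and event below is constructed."""
import re
import statistics
from collections import defaultdict

WINDOW_S = 10          # profile window length (assumption)
MIN_HISTORY = 5        # closed windows needed before a source's profile is judged (assumption)
SCORE_THRESHOLD = 3.0  # deviations above the per-source mean that raise a profile alert

# Hypothetical signatures for two monitored services.
SIGNATURES = {
    "http": [("cgi-bin phf probe", re.compile(r"/cgi-bin/phf")),
             ("path traversal", re.compile(r"\.\./"))],
    "ftp":  [("SITE EXEC command", re.compile(r"^SITE EXEC", re.I))],
}


class ServiceMonitor:
    """Watches one service: signature analysis on every event, plus a per-source
    request-rate profile scored when that source's time window closes."""

    def __init__(self, service):
        self.service = service
        self.current = {}                    # source -> (window index, count so far)
        self.history = defaultdict(list)     # source -> counts of closed windows
        self.alerts = []                     # (service, kind, source, detail)

    def observe(self, ts, source, request):
        for name, pattern in SIGNATURES[self.service]:
            if pattern.search(request):
                self.alerts.append((self.service, "signature", source, name))
        w = int(ts // WINDOW_S)
        win, count = self.current.get(source, (w, 0))
        if win != w:                         # source moved on: close its previous window
            self._close(source, count)
            count = 0
        self.current[source] = (w, count + 1)

    def _close(self, source, count):
        hist = self.history[source]
        if len(hist) >= MIN_HISTORY:
            mean = statistics.fmean(hist)
            # Floor the spread at one request so a perfectly regular history
            # (stdev 0) cannot turn a one-request change into an alert.
            score = (count - mean) / max(statistics.pstdev(hist), 1.0)
            if score > SCORE_THRESHOLD:
                self.alerts.append((self.service, "profile", source,
                                    f"{count} requests/window vs mean {mean:.1f}"))
        hist.append(count)

    def flush(self):
        """Close every open window and return this monitor's local analysis.
        Idle windows (no events at all) are not scored in this toy."""
        for source, (_, count) in list(self.current.items()):
            self._close(source, count)
        self.current.clear()
        return list(self.alerts)


def correlate(alert_lists):
    """Domain-level step: merge the service monitors' results and report
    sources implicated by more than one distinct (service, kind) pair."""
    seen = defaultdict(set)
    for alerts in alert_lists:
        for service, kind, source, _ in alerts:
            seen[source].add((service, kind))
    return {src: sorted(pairs) for src, pairs in seen.items() if len(pairs) > 1}


# Constructed traffic: 10.0.0.5 is steady; 10.0.0.9 is steady for five windows,
# then bursts; 10.0.0.7 sends known attack strings to both services.
HTTP_EVENTS = sorted(
    [(w * 10 + k * 4, "10.0.0.5", "GET /index.html") for w in range(6) for k in range(2)]
    + [(w * 10 + k * 4, "10.0.0.9", "GET /docs/") for w in range(5) for k in range(2)]
    + [(50 + k * 0.5, "10.0.0.9", f"GET /docs/?page={k}") for k in range(12)]
    + [(23, "10.0.0.7", "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd")]
)
FTP_EVENTS = [(31, "10.0.0.7", "USER anonymous"), (32, "10.0.0.7", "SITE EXEC /bin/sh")]


def run_demo():
    """Feed the constructed traffic through both monitors; return the local
    alerts per service and the domain-level escalations."""
    monitors = {"http": ServiceMonitor("http"), "ftp": ServiceMonitor("ftp")}
    for ts, src, req in HTTP_EVENTS:
        monitors["http"].observe(ts, src, req)
    for ts, src, req in FTP_EVENTS:
        monitors["ftp"].observe(ts, src, req)
    local = {name: m.flush() for name, m in monitors.items()}
    return local, correlate(local.values())


if __name__ == "__main__":
    local_alerts, escalated = run_demo()
    for name, alerts in local_alerts.items():
        for alert in alerts:
            print(name, alert)
    print("escalated:", escalated)
```

On the constructed traffic the http monitor raises one signature alert (the phf probe from 10.0.0.7) and one profile alert (10.0.0.9's burst, scored against its own five quiet windows), the ftp monitor raises one signature alert for 10.0.0.7, and only 10.0.0.7, seen by two monitors, is escalated; 10.0.0.9's single local anomaly stays a local result. The point of the floor on the standard deviation is the edge case of a source with a perfectly regular history: without it, any change at all would score as infinitely anomalous.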
Citations (count of citing documents, then the cited work):
189 – State transition analysis: A rule-based intrusion detection approach – Ilgun, Kemmerer, et al. – 1995
110 – Execution Monitoring of Security-Critical Programs in Distributed Systems: A Specification-based Approach – Ko, Ruschitzka, et al. – 1997
100 – The NIDES Statistical Component Description and Justification – Javitz, Valdes – 1994
67 – GrIDS: A Graph Based Intrusion Detection System for Large Networks – Staniford-Chen, Cheung, et al. – 1996
52 – A coding approach to event correlation – Kliger, Yemini, et al. – 1997
39 – Computer-Related Risks – Neumann – 1994
34 – Monitoring distributed systems – Mansouri-Samani, Sloman – 1993
31 – Active defense of a computer system using autonomous agents – Crosbie, Spafford – 1995
31 – Alarm Correlation – Jakobson, Weissman – 1993
27 – With microscope and tweezers: The Worm from MIT's perspective – Rochlis, Eichin – 1989
20 – Decentralizing control and intelligence in network management – Meyer, Erlinger, et al. – 1995
19 – Next-generation intrusion-detection expert system (NIDES) – Anderson, Frivold, et al. – 1995
14 – A method to detect intrusive activity in a networked environment – Heberlein, Mukherjee, et al. – 1991
12 – Safeguard final report: Detecting unusual program behavior using the NIDES statistical component – Anderson, Lunt, et al. – 1993
7 – Analytical techniques development for a statistical intrusion-detection system (SIDS) based on accounting records – Javitz, Valdes, et al. – 1986
7 – Modeling Correlated Alarms in Network Management Systems – Ricciulli, Shacham – 1997
4 – Requirements and model for IDES, a real-time intrusion-detection expert system – Denning, Neumann – 1985
4 – Vulnerabilities of network control protocols – Rosen – 1981
3 – An architecture for a distributed intrusion detection system – Brentano, Snapp, et al. – 1991
2 – Conceptual design and planning for EMERALD: Event monitoring enabling responses to anomalous live disturbances – Porras, Neumann – 1997
2 – The Internet Worm: Crisis and aftermath – Spafford – 1989
1 – Computer security technology planning study – Anderson – 1972
1 – Industrial espionage today and information wars of tomorrow – Joyal – 1996