This chapter provides the overview of the state of the art in intrusion detection research. Intrusion detection systems are software and/or hardware components that monitor computer systems and analyze events occurring in them for signs of intrusions. Due to widespread diversity and complexity of computer infrastructures, it is difficult to provide a completely secure computer system. Therefore, there are numerous security systems and intrusion detection systems that address different aspects of computer security. This chapter first provides taxonomy of computer intrusions, along with brief descriptions of major computer attack categories. Second, a common architecture of intrusion detection systems and their basic characteristics are presented. Third, taxonomy of intrusion detection systems based on five criteria (information source, analysis strategy, time aspects, architecture, response) is given. Finally, intrusion detection systems are classified according to each of these categories and the most representative research prototypes are briefly described.

Proactive recovery is a promising approach for building fault and intrusion tolerant systems that tolerate an arbitrary number of faults during system lifetime. This paper investigates the benefits that a virtualization-based replication infrastructure can offer for implementing proactive recovery. Our approach uses the hypervisor to initialize a new replica in parallel to normal system execution and thus minimizes the time in which a proactive reboot interferes with system operation. As a consequence, the system maintains an equivalent degree of system availability without requiring more replicas than a traditional replication system. Furthermore, having the old replica available on the same physical host as the rejuvenated replica helps to optimize state transfer. The problem of remote transfer is reduced to remote validation of the state in the frequent case when the local replica has not been corrupted. 1

Abstract- Complex software is not only difficult to secure but is also prone to exploitable software bugs. Hence, an intrusion detection system if deployed in user space is susceptible to security compromises. Thus, this ‘watcher ’ of other software processes needs to be ‘watched. ’ In this paper, we investigate a tamper-resistant solution to the classic problem of ‘Who watches the watcher?’ In our previous work, we investigated this problem in a unicore environment. In this paper, we design a real-time, lightweight, watchdog framework to monitor an intrusion detection system in a multi-core environment. It leverages the principles of graph theory to implement a cyclic monitoring topology. Since our framework monitors intrusion detection systems, the attack surface it has to deal with is considerably reduced. The proposed framework is implemented and evaluated using AMD SimNow simulator. We show that the framework incurs a negligible memory overhead of only 0.8% while sustaining strong, tamper-resistance properties.