Abstract not found

This paper presents a taxonomy of intrusion detection systems that is then used to survey and classify a number of research prototypes. The taxonomy consists of a classification first of the detection principle, and second of certain operational aspects of the intrusion detection system as such. The systems are also grouped according to the increasing difficulty of the problem they attempt to address. These classifications are used predictively, pointing towards a number of areas of future research in the field of intrusion detection. 1 Introduction There is currently a need for an up-to-date, thorough taxonomy and survey of the field of intrusion detection. This paper presents such a taxonomy, together with a survey of the important research intrusion detection systems to date and a classification of these systems according to the taxonomy. It should be noted that the main focus of this survey is intrusion detection systems, in other words major research efforts that have resul...

Abstract. This paper describes an aggregation and correlation algorithm used in the design and implementation of an intrusion-detection console built on top of the Tivoli Enterprise Console (TEC). The aggregation and correlation algorithm aims at acquiring intrusion-detection alerts and relating them together to expose a more condensed view of the security issues raised by intrusion-detection systems.

This dissertation explores an immunological model of distributed detection, called negative detection, and studies its performance in the domain of intrusion detection on computer networks. The goal of the detection system is to distinguish between illegitimate behaviour (nonself ), and legitimate behaviour (self ). The detection system consists of sets of negative detectors that detect instances of nonself; these detectors are distributed across multiple locations. The negative detection model was developed previously; this research extends that previous work in several ways. Firstly, analyses are derived for the negative detection model. In particular, a framework for explicitly incorporating distribution is developed, and is used to demonstrate that negative detection is both scalable and robust. Furthermore, it is shown that any scalable distributed detection system that requires communication (memory sharing) is always less robust than a system that does not require communication...

We hypothesize that a form of kernel-resident access-control-based integrity protection can gain widespread acceptance in Commercial Off-The-Shelf (COTS) environments provided that it couples some useful protection with a high degree of compatibility with existing software, configurations, and practices. To test this hypothesis, we have developed a highly-compatible free open-source prototype called LOMAC, and released it on the Internet. LOMAC is a dynamically loadable extension for COTS Linux kernels that provides integrity protection based on Low Water-Mark access control. We present a classification of existing access control models with regard to compatibility, concluding that models similar to Low Water-Mark are especially wellsuited to high-compatibility solutions. We also describe our practical strategies for dealing with the pathological cases in the Low Water-Mark model's behavior, which include a small extension of the model, and an unusual application of its concepts.

This report presents a prototype architecture for an active defense mechanism for computer systems. The intrusion detection problem is introduced and some of the key aspects of any solution are explained. Previous attempts to use similar techniques are discussed, and their shortcomings are explained. A new architecture is proposed which uses Genetic Programming to evolve programs to detect anomalous behaviour in a system. This architecture is developed and evaluated. A sample genetic program is used to discuss some of the design aspects of the agents. Cooperative monitoring of NFS requests shows how the approach can be generalised. The discussion details some issues to be addressed and future research directions.

There is currently need for an up-to-date and thorough survey of the research in the eld of computer and network intrusion detection. This paper presents such a survey, with a taxonomy of intrusion detection system features, and a classi- cation of the surveyed systems according to the taxonomy. The conclusion is reached that current research interest should lie in the study of the e ectiveness of intrusion detection and how to handle attacks against the intrusion detection system itself.

This handbook is a guide to developing computer security policies and procedures for sites that have systems on the Internet. The purpose of this handbook is to provide practical guidance to administrators trying to secure their information and services. The subjects covered include policy content and formation, a broad range of technical system and network security topics, and security incident response.

It has long been known that security is easiest to achieve when it is designed in from the start. Unfortunately, it has also become evident that systems built with security as a priority are rarely selected for wide spread deployment, because most consumers choose features, convenience, and performance over security. Thus security officers are often denied the option of choosing a truly secure solution, and instead must choose among a variety of post hoc security adaptations. We classify security enhancing methods, and compare and contrast these methods in terms of their effectiveness vs. cost of deployment. Our analysis provides practitioners with a guide for when to develop and deploy various kinds of post hoc security adaptations. 1

Abstract. Application-level firewalls block traffic based on the process that is sending or receiving the network flow. They help detect bots, worms, and backdoors that send or receive malicious packets without the knowledge of users. Recent attacks show that these firewalls can be disabled by knowledgeable attackers. To counter this threat, we develop VMwall, a fine-grained tamper-resistant process-oriented firewall. VMwall’s design blends the process knowledge of application-level firewalls with the isolation of traditional stand-alone firewalls. VMwall uses the Xen hypervisor to provide protection from malware, and it correlates TCP or UDP traffic with process information using virtual machine introspection. Experiments show that VMwall successfully blocks numerous real attacks—bots, worms, and backdoors—against a Linux system while allowing all legitimate network flows. VMwall is performant, imposing only a 0–1 millisecond delay on TCP connection establishment, less than a millisecond delay on UDP connections, and a 1–7 % slowdown on network-bound applications. Our attack analysis argues that with the use of appropriate external protection of guest kernels, VMwall’s introspection remains robust and helps identify malicious traffic. Key words: Firewall, virtual machine introspection, attack prevention 1