Intrusion Detection Systems |
Original list compiled by Mark Crosbie and Katherine Price, COAST Laboaratory, Purdue University
Additions from a list and bibliography compiled by Michael Sobirey, Brandenburg University of Technology at Cottbus, Germany
Updated by David A. Curry, IBM Emergency Response Service
The following references provide good overviews or surveys of Intrusion Detection Systems that have been developed:
References containing more detailed information are listed after the system summary for each of the Intrusion Detection Systems described below.
Title: | ADS (Attack Detection System) |
Authors: | I. Kantzavelou, A. Patel; University College, Dublin, Ireland |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | AID (Adaptive Intrusion Detection system) |
Authors: | Michael Sobirey, Birk Richter; Brandenburg University of Technology at Cottbus, Germany |
Attributes: | multihost based, misuse detection |
URL: | http://www-rnks.informatik.tu-cottbus.de/~sobirey/aid.e.html |
Availability: |
AID (Adaptive Intrusion Detection system) is designed for network audit based monitoring of local area networks and used for investigating network and privacy oriented auditing. The research project was funded by the Brandenburg Department of Science, Research and Culture from 1994 to Spring 1996.
AID has a client-server architecture consisting of a central monitoring station and several agents (servers) on the monitored hosts. The central station hosts a manager (client) and an expert system. The agents take the audit data that were collected by the local audit functions and convert them into an operating system independent data format. By these means a monitoring of a heterogeneous UNIX environment is supported. Then the audit data are transferred to the central monitoring station, buffered in a cache and analysed by an RTworks based real-time expert system. The manager provides functions for the security administration of the monitored hosts. It controls their audit functions, requests new audit data by controlled polling and returns the decisions of the expert system to the agents. Secure RPC is used for the communication between the manager and the agents. The expert system uses a knowledge base with state oriented attack signatures, which are modelled by deterministic finite state machines and implemented as rule sequences. Relevant monitoring capabilities can be accessed by the security officer via a graphical user interface. In addition, the expert system archives data on finished and cancelled attacks, involved users and creates security reports.
AID has been successfully tested (12/95) in a local area network environment consisting of Sun SPARCstations running with Solaris 2.x and TCP/IP. Meanwhile 100 rules are implemented and the knowledge base is capable to detect 10 attack scenarios. In the described configuration and under the assumption of normal system load on the monitored hosts (maximal two working users, no patching in progress), the expert system analyses more than 2,5 MBytes per minute. The tests have shown that the prototype can monitor up to 8 hosts.
References:
Title: | AIMS (Automated Intrusion Monitoring System) |
Authors: | U.S. Army |
Attributes: | |
URL: | |
Availability: |
The Automated Intrusion Monitoring System (AIMS) has been in development since June 1995 for the US Army and is intended to provide local and "theater-level" monitoring of computer attacks. The system is currently installed at the Army's 5th Signal Command in Worms, Germany and will be used to monitor Army computers scattered throughout Europe.
References:
Title: | ALVA (Audit Log Viewer and Analyzer tool) |
Authors: | Abha Moitra; General Electric |
Attributes: | host based, limited anomaly detection |
URL: | |
Availability: |
ALVA is a real-time tool for detecting potential security violations in UNIX audit logs. The system gains some level of platform independence by analyzing command logs that are precomputed from the system audit logs. A command log is a record of the user initiated commands and is reconstructed from the system call events recorded in the audit log. User's command logs would be similar across UNIX platforms, and so processing of the logs would be platform independent across UNIX workstations. A simple profile based on command, success/failure, frequency of occurence, and the domain of the target files is used to define a baseline of normal behavior for each user. A single penalty value is kept for each user, and when the user crosses a predefined threshold, ALVA reacts by contacting the security administrator and increasing the auditing level for the user. ALVA was developed to run on a C2 security level SUN environment.
References:
Title: | APA (Automated Penetration Analysis tool) |
Authors: | S. Gupta, V. D. Gligor; University of Maryland at College Park |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | ASAX (Advanced Security audit trail Analysis on uniX |
Authors: | Baudouin Le Charlier, Abdelaziz Mounji, Naji Habra; University of
Namur, Belguim
Isabelle Mathieu, Siemens-Nixdorf Software S.A. |
Attributes: | multihost based, misuse detection |
URL: | http://www.info.fundp.ac.be/~amo/publications.html |
Availability: | Version 1.0 (September 1994) freely available; later versions commercially available |
ASAX is a distributed audit trail analysis system that also has incorporated configuration analysis. The audit trail analysis system consists of a central master host and one or more monitored machines. The monitored machines analyze their local audit data using a host-based version of intrusion detection system, and relevant events are selected to be sent to the central host. The selected events are converted to a Normalized Security Audit Data Format (NADF) before being transmitted to the central host for global analysis. The conversion allows for global analysis of data from heterogeneous environments. Both the local host-based and global analysis engines are rule-based systems that detect known penetration patterns. This heirarchical model lends itself to detecting components of a pattern at a local level and to deriving the aggregate pattern at the global level. In the latest version of ASAX, configuration analysis has been integrated with the intrusion detection system. By continuously monitoring the current configuration of the system, ASAX has the ability to tune the intrusion detection system to the current system state. The integrated system not only reports newly created security holes in real time, but also triggers appropriate detection rules to watch for exploits of the new holes. ASAX supports audit data from Solaris 2.x.
References:
Title: | ASIM (Automated Security Incident Measurement) |
Authors: | U.S. Air Force |
Attributes: | |
URL: | |
Availability: |
Automated Security Incident Measurement (ASIM) is designed to measure the level of unauthorized activity against its systems. Under this project, several automated tools are used to examine network activity and detect and identify unusual network events, for example, Internet addresses not normally expected to access Defense computers. These tools have been installed at only 36 of the 108 Air Force installations around the world. Selection of these installations was based on the sensitivity of the information, known system vulnerabilities, and past hacker activity. Data from the ASIM is analyzed by personnel responsible for securing the installation's network. Data is also centrally analyzed at the AFIWC in San Antonio, Texas.
ASIM has been extremely useful in detecting attacks on Air Force systems. However, as currently configured, ASIM information is only accumulated and automatically analyzed nightly. As a result, a delay occurs between the time an incident occurs and the time when ASIM provides information on the incident. ASIM is currently configured for selected operating systems and, therefore, cannot detect activity on all Air Force computer systems. USAF plans to continue refining the ASIM to broaden its use for other Air Force operating systems and enhance its ability to provide data on unauthorized activity more quickly.
References:
Title: | AudES |
Authors: | G. Tsudik and R. Summers |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | Autonomous Agents for Intrusion Detection |
Authors: | Mark Crosbie, Eugene Spafford; COAST Laboratory, Purdue University |
Attributes: | multihost based, anomaly detection |
URL: | http://www.cs.purdue.edu/coast/projects/autonomous-agents.html |
Availability: | Available to COAST sponsors |
This project addresses the problem of intrusion detection from a different angle - instead of a monolithic Intrusion Detection System (IDS) design, it proposes a distributed architecture. The design has the advantages of scalability, efficiency, fault-tolerance, and easy configurability.
In the next few months (Feb 97), the group expects to have a fully functional transceiver module, as well as a fully functional monitor with the GUI. Further, they expect to have some simple agents running on different hosts in a network. They expect to make performance measurements and modify the design if required. They expect to start work on integration with the audit subsystem provided by BSM (Solaris 2.x). They also would like to do some research on the metrics to measure as well as their inter-dependencies. Further, longer term, goals include investigation of object migration, an object oriented agent approach, dynamic configurability of agents, and an agent configuration language.
References:
Title: | CMDS (Computer Misuse Detection System) |
Authors: | Science Applications International Corporation |
Attributes: | multihost based, anomaly and misuse detection |
URL: | http://www.saic.com/it/cmds/index.html |
Availability: | Commercially available |
Computer Misuse Detection System (CMDS) software is a commercial intrusion detection system developed by Science Applications International Corporation (SAIC). CMDS is a real-time audit reduction and analysis system that detects and deters computer misuse. CMDS includes two misuse detection mechanisms: a statistical detection mechanism and a rule-based expert system. The statistical detection system compares current behavior profiles to historic (expected) behavior profiles and generates real-time warnings when the current behavior deviates beyond set thresholds. The rule-based expert system looks for activity that mirrors modeled misuse scenarios and generates real-time warnings alerting the security administrator when suspicious activity is found. CMDS is designed to detect intrusions in heterogeneous networks, and the software supports audit data from the SunOS, Solaris, and HP/UX operating systems.
References:
Title: | ComputerWatch |
Authors: | AT&T Bell Laboratories |
Attributes: | host based, limited misuse detection |
URL: | http://www.att.com/press/0293/930202.fsa.html |
Availability: | Commercially available as a companion product to AT&T System V/MLS for NCR Series 3000 computers |
The ComputerWatch Audit Trail Analysis Tool was developed by the Secure Systems Department at AT&T Bell Laboratories. The tool provides audit trail data reduction and limited intrusion-detection capability. It is designed to assist the system security officer by reducing the amount of data that he/she views without the loss of any informational content. ComputerWatch uses an expert system approach to summarize security sensitive events and applies simple detection rules to highlight anomalous behavior that may indicate system security breaches. The tool is designed for audit trails from the System V/MLS operating system but it could be extended to operate on audit trails from other systems.
References:
Title: | CSM (Cooperating Security Manager) |
Authors: | Gregory B. White, U.S. Air Force Academy
Eric A. Fisch and Udo W. Pooch, Texas A&M University |
Attributes: | multihost based, misuse detection |
URL: | http://www.cs.tamu.edu/people/efisch/csmieee.ps |
Availability: |
The Cooperating Security Manager (CSM) is an intrusion detection system designed to be used in a distributed network environment. Developed at Texas A&M University, this sytem runs on UNIX-based systems connected over any size network. The goal of the CSMs is to provide a system that can detect intrusive activity in a distributed environment without the use of a centralized director. A system with a central director coordinating all activity severely limits the size of the network. Instead of reporting significant network activity to a central director, the CSMs communicate among themselves to cooperatively detect anomoulous activity. The way this works is by having the CSMs take a proactive, instead of reactive, approach to intrusion detection.
In a reactive approach with a centralized director, the individual hosts would report occurrences of failed login attempts, for example, to the central director. In a practive approach, the host from which the intruder was attempting to make the connections would contact the systems being attacked. The key to having a practive approach work is to have all hosts (or at least the vast majority of hosts) on a network run a CSM. While this may at first appear to be somewhat idealistic, with the current interst among vendors to develop "Security on a chip", the concept of an intrusion detection system provided in hardware may not be that far off.
References:
Title: | CyberCop |
Authors: | Network General Corporation |
Attributes: | network based, misuse detection |
URL: | http://www.ngc.com/product_info/cybercop/ccdata/ccdata1.html |
Availability: | Commercially available |
Network General has licensed WheelGroup's NetRanger intrusion detection technology. They have ported the NSX ("sensor") portion of NetRanger to their Sniffer family of protocol analyzers, and modified it to report its alarms up through the Sniffer information distribution hierarchy rather than the NetRanger Director.
References:
Title: | DECinspect |
Authors: | Digital Equipment Corporation |
Attributes: | host based, misuse detection |
URL: | |
Availability: | no longer available |
Superceded by POLYCENTER Security Intrusion Detector.
References:
Title: | DIDS (Distributed Intrustion Detection System) |
Authors: | University of California, Davis |
Attributes: | multihost based, anomaly and misuse detection |
URL: | http://olympus.cs.ucdavis.edu/papers/sbd91.abs |
Availability: | Restricted to U.S. Air Force? |
The first intrusion detection system that aggregates audit reports from a collection of hosts on a single network. Unique to DIDS is its ability to track a user as he establishes connections accros the network, some perhaps under different account names.
DIDS extends the network intrusion-detection concept from the local area network environment to arbitrarily wider areas, with the network topology being arbitrary as well. The generalized distributed environment is heterogeneous, i.e. the network nodes can be hosts or servers from different vendors, or some of them could be LAN managers. The architecture for DIDS consists of the following components: a host manager (a monitoring process or collection of processes running in background) in each host; a LAN manager for monitoring each LAN in the system; and a central manager, placed at a single secure location, that receives reports from various host and LAN managers and processes these reports, correlates them, and detects intrusions.
References:
Title: | Discovery |
Authors: | TRW Information Services |
Attributes: | host based, anomaly detection |
URL: | |
Availability: |
Discovery searches for frequently occurring customer service access patterns to develop a "user profile" of customer inquiries. Daily customer inquiries are analyzed for error-free inquiries, which are compared with the established customer profiles. Records which fall within acceptable bounds (using a weighted algorithm) a dropped from further processing, all records outside these bounds are recorded for further processing, and a error rejection message is displayed. Utilizes a self-learning, data driven expert system for pattern recognition. Capable of reviewing 400,000 inquires per day, from a potential base of 120,000 customer access codes. The system is dynamic in its ability to detect and absorb subtle changes in user inquiry formats over time.
References:
Title: | DRISC (Detect and Recover Intrusion using System Critically) |
Authors: | Information Intelligence Science, Inc., Aurora, CO |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | EMERALD (Event Monitoring Enabling Response to Anomalous Live Disturbances) |
Authors: | SRI International |
Attributes: | network based, anomaly and misuse detections |
URL: | http://www.csl.sri.com/emerald/index.html |
Availability: | Early research stages |
This new DARPA project represents the next generation in the series of IDES/NIDES projects, specifically addressing network misuse. SRI is developing an analysis and response system that will be able to address unanticipated misuse in large network-based enterprises, within an interoperable and scalable modular system framework. This differs from much current and previous work devoted primarily to recognizing anticipated types of intrusions in local environments.
Profile-Based Algorithms. NIDES contains a statistical analysis component (NIDES-Stat) that is capable of detecting unanticipated anomaly modes (for example, in use of UNIX-based workstations), whereas rule-based systems detect only specifically identified anticipated threats. In EMERALD, SRI plans to extend NIDES-Stat to support some dynamic measure creation, correlation of profiles across heterogeneous data sources, and analysis of data from multiple layers in the network hierarchy.
Signature-Based Algorithms. NIDES contains a rule-based expert system. Other signature-based approaches are also being considered for EMERALD.
Hierarchical Analysis. In EMERALD, scalability to large networking applications will be aided by hierarchical processing of data on a distributed network. Raw data may be obtained at various points in the network (e.g., system audit data, LAN, firewall, network management data). The signature- and profile-based components will analyze data at various logical layers of abstraction, on appropriate platforms to minimize the amount of data that must be analyzed at each logical layer. Only the local analysis components will process raw data, whereas higher-layer components will examine aggregated data and analysis results fed upward from lower layers. Because of the data reduction provided by hierarchical analysis, it will be possible to model and analyze behavior over larger scopes without suffering the performance problems common to more centralized intrusion detection.
Responses to Intrusions. The EMERALD Resolver will extend the NIDES resolver to provide further analysis of anomalies and recommendations for responding to detected intrusions. Responses may involve reconfiguration of the intrusion detection system itself to collect more detailed data about the affected hosts and networks, or may encourage administrative action to shut down certain services, isolate affected assets, or activate redundant or finer-grain resources.
References:
Title: | ESSENSE |
Authors: | Digital Equipment Corporation |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | GASSATA (Genetic Algorithm for Simplified Security Audit Trail Analysis) |
Authors: | M. Le; SUPELEC, Cesson Sevigne, France |
Attributes: | |
URL: | http://www.supelec-rennes.fr/rennes/si/equipe/lme/these/these-lm.html |
Availability: |
No information yet.
References:
Title: | GrIDS (Graph-based Intrusion Detection System) |
Authors: | Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., Zerkle, D.; University of California at Davis |
Attributes: | network based, misuse detection |
URL: | http://olympus.cs.ucdavis.edu/arpa/grids/welcome.html |
Availability: | Early research stages |
GrIDS is designed to detect large-scale automated attacks on networked systems. The mechanism proposed is to build activity graphs which approximately represent the causal structure of large scale distributed activities.
The nodes of an activity graph correspond to hosts in a system, while edges in the graph correspond to network activity between those hosts. Activity in a monitored network causes graphs representing that activity to be built. These graphs are then compared against known patterns of intrusive or hostile activities, and if they look similar a warning (or perhaps a reaction) is generated.
The GrIDS project is part of UC Davis's Intrusion Detection for Large Networks project, which is funded by ARPA.
References:
Title: | Haystack |
Authors: | S. Smaha; Tracor Applied Science, Inc. |
Attributes: | host based, anomaly and misuse detections |
URL: | |
Availability: | no longer available |
Superceded by Stalker.
References:
Title: | Hyperview |
Authors: | CS Telecom, Groupe CSEE, Paris, France |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | IDA (Intrusion Detection Alert) |
Authors: | Motorola, Rolling Meadows, IL |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | IDA (Intrusion Detection and Avoidance system) |
Authors: | S. Fischer-Hübner, M. Sobirey, K. Brunnstein, K. Rannenberg; University of Hamburg, Germany |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | IDERS |
Authors: | INTRINsec, France |
Attributes: | |
URL: | |
Availability: |
No information yet.
Title: | IDES (Intrusion Detection Expert System) |
Authors: | SRI International |
Attributes: | host based, anomaly and misuse detection |
URL: | http://www.csl.sri.com/intrusion.html |
Availability: | no longer available |
IDES is a real-time intrusion-detection expert system that observes user behavior on a monitored computer system and adaptively learns what is normal for individual users, groups, remote hosts, and the overall system behavior. Observed behavior is flagged as a potential intrusion if it deviates significantly from the expected behavior or if it triggers a rule in the expert-system rule base.
Superceded by NIDES.
References:
Title: | IDIOT (Intrusion Detection In Our Time) |
Authors: | Sandeep Kumar and Eugene H. Spafford, Purdue University |
Attributes: | generic (?), misuse detection |
URL: | http://www.cs.purdue.edu/coast/coast-tools.html |
Availability: | Available to COAST sponsors |
IDIOT is Intrusion Detection In Our Time, a project to develop a new approach to efficient misuse detection methods. This work was started by Sandeep Kumar, who recently completed his Ph.D. He designed a new method of employing complex pattern matching to intrusion signatures. His design made use of a new classificatio of intrusion methods based on complexity of matching and temporal characteristics. He also designed a generic matching engine based on colored Petri nets.
References:
Title: | Inspect |
Authors: | CEFRIEL, Milano, Italy |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | INTOUCH INSA - Network Security Agent |
Authors: | Touch Technologies, Inc. |
Attributes: | network based, anomaly and misuse detection |
URL: | http://www.ttisms.com/tti/nsa_www.html |
Availability: | Commercially available |
Running on a devoted, high-speed, 64-bit RISC system, INTOUCH INSA reads all network packets, reconstructs all user activity, and scans the activity for possible computer-use policy violations. The scanning is done automatically, in the background, and without any impact on the network. The patterns to be scanned for can be customized by the Network Security Manager.
When a possible policy violation is detected by INTOUCH INSA, the Network Security Manager is alerted. Once alerted, the Network Security Manager can review the incident, and even start a real-time display of the possible violator's session.
INTOUCH INSA's inexpensive and highly effective network intrusion detection capabilities:
Title: | ISM |
Authors: | University of California at Davis |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | ISOA (Information Security Officer's Assistant) |
Authors: | Planning Research Corporation, McLean, VA |
Attributes: | multihost based, anomaly and misuse detections |
URL: | |
Availability: |
PRC's Information Security Officer's Assistant (ISOA) is a state-of-the-art system for monitoring security relevant behavior in computer networks. The ISOA serves as the central point for real-time collection and analysis of audit information. When an anomalous situation is identified, associated indicators are triggered. The ISOA automates analysis of audit trails, allowing indications and warnings of security threats to be generated in a timely manner such that threats can be countered. The ISOA reduces massive amounts of audit records into a form which is meaningful and readily comprehended. After receipt and normalization of audit records, the ISOA performs analysis in a number of dimensions, including: detection of specified events and/or situations, threshold exceptions, statistical checks, and expert system threat evaluation.
ISOA allows a single designated workstation to perform automated security monitoring, analysis, and warning. Without requiring constant interaction, the ISOA user interface alerts the security officer to a variety of security situations. The security status of the monitored network is represented in graphical and textual form. When unusual or anomalous situations are detected, they are brought to the attention of the security officer who can obtain further information, initiate more involved analysis, and optionally intervene or terminate the situation. Automated responses may be defined, including terminating user sessions, locking user accounts, forcing biometric identification, and shutting down hosts.
References:
Title: | ITA (Intruder Alert) |
Authors: | AXENT Technologies, Inc. |
Attributes: | multihost based, misuse detection |
URL: | http://www.axent.com/product/ita/ita.htm |
Availability: | Commercially available |
See OmniGuard/ITA.
Title: | Kane Security Monitor (KSM) |
Authors: | Intrusion Detection, Inc. |
Attributes: | |
URL: | http://www.intrusion.com/products/ksm.htm |
Availability: | Commercially available |
The Kane Security Monitor (KSM) is an intrusion detection system that provides sophisticated network security monitoring for Windows NT networks. Using artificial intelligence, the KSM identifies both subtle and obvious security violations caused by outside hackers or even inside authorized users. Once a violation has been identified, the System Administrator or Security Officer is alerted with the details.
Features:
The KSM provides an Enterprise-wide centralized collection facility for event logs otherwise stored separately on each machine, and the Automated review of event logs for abuse patterns such as unauthorized activities and suspicious behavior by both outside hackers and inside authorized users. The KSM analyzes NT Security event logs on an enterprise-wide basis. The KSM's agent technology vigilantly monitors NT security event logs on thousands of NT servers and workstations. By using artificial intelligence from Intrusion Detection's proprietary SHADOWARE technology, security event logs are scrutinized for abuse patterns including unauthorized activities and suspicious behavior from outside hackers and inside authorized users. This process automatically turns massive amounts of NT security event log data into concise security information.
References:
Title: | MIDAS (Multics Intrusion Detection and Alerting System) |
Authors: | National Computer Security Center, Ft. Meade, MD |
Attributes: | host based, anomaly and misuse detection |
URL: | |
Availability: |
The Multics Intrusion Detection and Alerting System (MIDAS) is an expert system which provided real-time intrusion and misuse detection for the National Computer Security Center's networked mainframe, Dockmaster, a Honeywell DPS-8/70 Multics. The basic design of MIDAS was heavily influenced by the intrusion detection research of Dorothy Denning and Peter Neumann of SRI International. They proposed that statistical analysis of computer system activities could be used to characterize normal system and user behavior. Given such statistical profiles, user or system activity that deviates beyond certain bounds should be detectable. MIDAS has been developed to employ this basic concept in its evaluation of the audited activities of more than 1200 Dockmaster users.
References:
Title: | NADIR (Network Anomaly Detection and Intrusion Reporter) |
Authors: | Los Alamos National Laboratory |
Attributes: | network based |
URL: | http://www.c3.lanl.gov/~gslentz/nadirTemplate.shtml |
Availability: |
NADIR is a rules-based expert system developed at Los Alamos to automatically detect intrusion attempts and other security anomalies on its large supercomputer network. In addition to monitoring the Cray supercomputer systems, NADIR also monitors network authentication (Kerberos) and mass file storage activity (Common File System). A client-server model is used, with Unix-based workstations running Sybase providing the server application platform. Profiles and event history are maintained for each monitored system and for individual users, and rules are applied to these profiles to detect anomalous activities.
This technology is currently being applied for fraud detection in electronic tax return filing for the IRS. It is also successfully being applied in the commercial sector to aid in credit card fraud detection.
References:
Title: | NAURS (Network Auditing Usage Reporting System) |
Authors: | SRI International |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | NetRanger |
Authors: | WheelGroup, Inc., San Antonio, TX |
Attributes: | network based, misuse detection |
URL: | http://www.wheelgroup.com/netrangr/1netrang.html |
Availability: | Commercially available |
NetRanger allows data to flow freely while analyzing it bi-directionally for misuse. When the content or context of network traffic indicates suspicious activity from either a trusted or unauthorized user, NetRanger automatically denies access to the intruder and reports details of the intrusion to a centralized management system. Simultaneously, the NetRanger field unit sends a real-time attack notification to network operations personnel over a secure virtual private network. Details regarding the attack, including type and the last link of its electronic point of origin, are immediately made available to monitoring personnel and logged into a centralized database. NetRanger also provides traffic control features and valuable network usage analysis showing how a network is being used and revealing potential network configuration errors. Real-time monitoring of the system can be either outsourced to a third party or conducted in-house using HP OpenView. Once a NetRanger is installed, users may adopt a truly "hands off" approach since configuration changes and software updates are performed remotely. Highly configurable, the NetRanger can be modified to fit a client's security policy and provide unmatched, large-scale control of a client's electronic perimeter.
The NetRanger intrusion detection engine uses signature recognition, which can be either context- or content-oriented. Context-oriented attack signatures consist of known network service vulnerabilities that can be detected by inspecting packet headers. These include SATAN, source routing, and IP spoofing attack profiles. Content-oriented signatures require the inspection of data fields within a packet to determine if an attack or policy violation has occurred at the application level. These include sendmail and Web attack profiles. Content monitoring also allows NetRanger to be customized to specific operational or business requirements by creating unique character string profiles.
NetRanger consists of one or more sensors, a secure communications channel, and a management system. The sensor is called the NSX. It is a plug-and-play device installed between a trusted and an untrusted network, and provides the automated intrusion detection and response functionality, concentrating this powerful feature at the point(s) of attack. The communications channel is based on a proprietary, fault tolerant, point-to-point protocol that connects one or more NSX sensors to the management system. Information is transmitted via an encrypted sleeve with a user-configurable set of encryption algorithm options. It also transports secure configuration and diagnostic information to a remote NSX and provides real-time alarms and incident data back to the management system. The management system is called the Director. It has a graphical user interface (GUI) for reporting NSX alarms and managing configurations. It logs all incidents, provides DBMS staging, and lets customers create historical and trend reports. Each Director can monitor and control more than 100 remote NSX sensors.
Title: | NetStalker |
Authors: | Haystack Laboratories, Inc., Austin, TX |
Attributes: | host and network based, misuse detection |
URL: | http://www.haystack.com/netstalk.htm |
Availability: | Commercially available |
NetStalker is a real-time analysis program that identifies network attacks and attempts to exploit protocol vulnerabilities. NetStalker does this by comparing information gathered from router event reports against Haystack Labs' extensive misuse signature database.
NetStalker runs continuous checks on your network. When it detects a security breach, it immediately closes the connection from the offending host and alerts the system administrator via pager, SNMP, or email. A hard copy report is created for archiving and review.
NetStalker allows you to:
Title: | NetSTAT (Network-based State Transition Analysis Tool) |
Authors: | University of California at Santa Barbara |
Attributes: | multihost based, misuse detection |
URL: | http://www.cs.ucsb.edu/~kemm/netstat.html |
Availability: |
Further development of USTAT.
References:
Title: | NICE |
Authors: | University of New Mexico |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | NID (Network Intrusion Detector) |
Authors: | Computer Security Technology Center, Lawrence Livermore National Laboratory |
Attributes: | network based, anomaly and misuse detection |
URL: | http://ciac.llnl.gov/cstc/nid/niddes.html |
Availability: | Available free of charge to DOE and DoD organizations and contractors only. |
Provides a suite of security tools that detects and analyzes network intrusion. NID provides detection and analysis of intrusion from individuals not authorized to use a particular computer and from individuals allowed to use a particular computer, but who perform either unauthorized activities or activities of suspicious nature on it.
Note that NID was formerly known as the Network Security Monitor (NSM) and was originally developed at the University of California at Davis.
References:
Title: | NIDES (Next-Generation Intrusion-Detection Expert System) |
Authors: | SRI International |
Attributes: | multihost based, anomaly and misuse detection |
URL: | http://www.csl.sri.com/nides/index.html |
Availability: | Commercially available? |
NIDES operates in real time to detect intrusions as they occur. It is a comprehensive system comprised of innovative statistical algorithms applied to system-level audit trails for the purpose anomaly detection, as well as an expert system that encodes known intrusion scenarios.
To date, NIDES has been used to monitor computer users by examining audit trail information using a custom nonparametric statistical component as well as a rule-based component. In the paradigm explored the subject considered up to now have been computer users. For the present study, the methodology is adapted to consider applications as subjects. This directly addresses the stated goal of monitoring usage to detect unauthorized use of applications or application classes on restricted systems. With recent changes in export restrictions, this goal is perhaps less urgent now than when the study was undertaken. Nonetheless, the methodology as adapted here is useful in the detection of Trojan horses and other masquerading applications.
NIDES is a continuation of the IDES project.
References:
Title: | NIDX (Network Intrusion Detection eXpert system) |
Authors: | Bell Communications Research, Inc., Piscataway, NJ |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | NSM (Network Security Monitor) |
Authors: | University of California at Davis |
Attributes: | network based, anomaly and misuse detection |
URL: | |
Availability: |
Superceded by NID.
References:
Title: | OmniGuard/ITA (OmniGuard/Intruder Alert) |
Authors: | AXENT Technologies, Inc. |
Attributes: | multihost based, misuse and anomaly detection |
URL: | http://www.axent.com/product/ita/ita.htm |
Availability: | Commercially available. |
ITA detects intruders by rule or by exception. ITA is a rules engine, it processes the inputs it receives based on rules applied to the systems it is monitoring. Some rules may be designed to look at a specific sequence of events, called "footprints." If a particular footprint is detected, ITA can be programmed to take action to prevent any damage from occurring. Other rules detect behavioral anomalies within the system. These rules filter out normal activities, leaving the exceptions to be acted upon or investigated as needed. This anomaly type detection is often referred to as norm-based detection, or "baselining."
ITA is deployed in three pieces, an interface console, a manager and an agent. The interface and manager act as a configuration engine, allowing the user to easily configure the rules. Agents are intelligent processes or daemons that run on the local systems, executing the rules as configured by the user. Agents are registered to managers to provide a secure communications path. If a number of agents are registered to a manager, these agents can be organized into multiple domains. ITA can also monitor SNMP traps from other applications, such as management frameworks, firewalls and router systems. As well, ITA for NetWare receives event information directly from the operating system for performance reasons.
ITA can either generate internal reports from the ITAView Monitoring Console or it can output to a database. Included with ITA is a relational database called ITAGraph that runs on Windows based systems. This database has utilities for importing ITA output plus several pre-built reports, charts and graphs. ITA can filter logs at the agent level, consolidate them to a central location and purge or archive them based on a pre-set schedule. Additionally, log entries are formatted in a human readable format. They can be sent to a monitoring console where they are prioritized and displayed based on their importance.
Platforms supported: Solaris 2.4, 2.5 on SPARC; AIX 3.2.5, 4.1 on RS/6000 and PowerPC; HP/UX 9.05, 10.01 on PA/RISC; SunOS 4.1.3, 4.1.4 on SPARC; OSF/1 3.0 on Alpha; Digital Unix 3.2 on Alpha; IRIX 5.3, 6.2 on MIPS; NCR 2.3, 3.0 on Intel; Motorola SVR3.2, SVR4.2 (agent only) ; Sequent DYNIX/ptx versions 4.13, 4.14 and 4.2 (agent only); Windows 3.1 (GUI only); Windows 95 (GUI only); Windows NT 3.51 and 4.0 on Intel; NetWare 4.1 (manager and agent only); NetWare 3.12 (manager and agent only).
Title: | PDAT (Protocol Data Analysis Tool) |
Authors: | Siemens AG, Munich, Germany |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | POLYCENTER Security ID (POLYCENTER Security Intrusion Detector) |
Authors: | Digital Equipment Corporation |
Attributes: | host based, misuse detection |
URL: | http://www.digital.com/info/security/id.htm |
Availability: | No longer available |
POLYCENTER Security Intrusion Detector (POLYCENTER Security ID) is a real-time security monitoring application developed by Digital Equipment Corporation. It performs knowledge-based analysis of audit data to recognize and respond to simple security-relevant events. Violations such as attempted logins, unauthorized access to files, illegal setuid programs, and unauthorized audit modifications are automatically detected and acted upon.
Most security breaches involve a series of actions. Instead of looking at each action individually, POLYCENTER Security ID looks at the whole picture. Using a case method modeled after criminal investigations, POLYCENTER Security ID assigns an agent to monitor the suspect and file evidence to the case. By analyzing each security event within the context of a case, POLYCENTER Security ID can distinguish between real threats and innocent behavior and, therefore, POLYCENTER Security ID will not kick legitimate users off the system or trigger false alarms.
POLYCENTER Security ID can be configured to take countermeasures against intruders without human intervention. Security managers can work from the Manager's Graphical User Interface or from the command line.
POLYCENTER Security ID supports monitoring a single host running OpenVMS, Digital UNIX (OSF/1), Ultrix, or SunOS. It is a component of a larger set of security management applications in the POLYCENTER family, including POLYCENTER Security Compliance Manager, POLYCENTER Security Console, and POLYCENTER Security Reporting Facility.
POLYCENTER Security Intrusion Detector was formerly known as DECinspect.
Title: | RealSecure |
Authors: | Internet Security Systems, Inc., Atlanta, GA |
Attributes: | network based, misuse detection |
URL: | http://www.iss.net/prod/rs.html |
Availability: | Commercially available |
RealSecure is a real-time attack recognition and response system for networks. RealSecure analyzes packets of information as they travel across the network without any loss of network performance. RealSecure knows how to interpret hostile attacks on the network by understanding the vulnerabilities they target. Once a vulnerability is exploited or intrusion is recognized, the administrator is alerted via email or paging. The series of events can be recorded, saved to a file, the connection can be terminated or RealSecure can trigger any other user defined response.
Current Features:
Title: | RETISS (REal-TIme expert Security System) |
Authors: | University of Milano, Italy |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | SAINT (Security Analysis INtegration Tool) |
Authors: | National Autonomous University of Mexico |
Attributes: | multihost based, misuse detection |
URL: | |
Availability: |
SAINT is a data analysis tool that can be used as a simple intrusion detection system to increase security on a UNIX system. By collecting data from many different sources into a single place, the tool allows for integrated analysis of the data for detection of problems that may otherwise go undiscovered. After SAINT homogenizes the data into a common data format, the events are analyzed to detect relationships that may indicate possible problems. The current version of SAINT produces all reports in Spanish.
References:
Title: | SecureNet PRO |
Authors: | MimeStar, Inc. |
Attributes: | |
URL: | http://www.mimestar.com/ |
Availability: | Commercially available |
SecureNet PRO combines several key technologies, including session monitoring, firewalling, hijacking, and keyword-based intrusion detection. Once set up, SecureNet PRO automatically watches everything that goes on in a network. Hacking attempts are detected and responded to in real-time, using SecureNet's advanced integrated intrusion detection system. Suspicious connections can be automatically killed or logged for later playback. Also, network administrators can be notified of all suspicious events via e-mail.
SecureNet PRO also offers advanced intrusion response, using a technique known as TCP hijacking. Hijacking allows the administrator to instantly seize the connection of any user on his local area network. The user remains completely locked out while the administrator performs actions such as damage control or evidence collection.
References:
Title: | SIDS (Statistical Intrusion Detection System) |
Authors: | SRI International |
Attributes: | host based, anomaly detection |
URL: | |
Availability: |
No information yet.
References:
Title: | Stake Out |
Authors: | Harris Computer Corporation |
Attributes: | |
URL: | http://www.stakeout.harris.com/ |
Availability: | Commercially available |
Stake Out is an intelligent agent designed to monitor TCP/IP based network for suspicious behavior. It provides the ability to monitor a network segment from a single location providing alert and logging capabilities for all systems attached.
References:
Title: | Stalker |
Authors: | Haystack Laboratories, Inc., Austin, TX |
Attributes: | multihost based, misuse detection |
URL: | http://www.haystack.com/stalk.htm |
Availability: | Commercially available |
Stalker is a commercial UNIX system security monitoring tool developed by Haystack Laboratories. Stalker identifies intruders and internal misuse by analyzing audit trail data and reporting on suspicious user and system activities. A misuse detector analyzes the audit trail data looking for events that correspond to known attack techniques or known system vulnerabilities. A querying and reporting facility reduces the volume of audit trail data to find only the audit records of interests. The collection and storage of audit trails from multiple UNIX systems is managed on a single server by an audit control and storage manager. Stalker is available for Sun, IBM, and HP UNIX systems.
Stalker was originally known as Haystack.
References:
Title: | STAT (State Transition Analysis Tool) |
Authors: | Phil Porras, University of California at Santa Barbara |
Attributes: | host based, misuse detection |
URL: | |
Availability: |
The State Transition Analysis Tool (STAT) is an advanced rule-based expert system that analyzes the audit trails of multi-user computer systems in search of impending security violations. STAT represents state transition diagrams within its rule-base and uses them to seek out those state transitions within the target system that correspond to known penetration scenarios. Unlike comparable analysis tools that pattern match sequences of audit records to the expected audit trails of known penetrations, STAT rules focus on the effects that the individual steps of a penetration have on the state of the computer system. The resulting rule-base is not only more intuitive to read and update than current penetration rule-bases, but also provides greater functionality to detect impending compromises.
Superceded by USTAT.
References:
Title: | Swatch |
Authors: | Stephen Hansen and Todd Atkins, Stanford University |
Attributes: | multihost based, limited misuse detection |
URL: | |
Availability: | Public domain |
Swatch (Simple WATCHer) is a program for UNIX system logging and management developed at the Electrical Engineering Computer Facility at Stanford University. Swatch was designed to keep system administrators from being overwhelmed by large quantities of log data. It monitors log files and acts to filter out unwanted data and take one or more simple user specified actions based upon patterns in the log. Swatch can monitor information as it is being appended to a log file and alert system administrators immediately to serious system problems as they occur.
References:
Title: | TIM (Time-based Inductive Machine) |
Authors: | University of Illinois at Urbana-Champaign |
Attributes: | |
URL: | |
Availability: |
No information yet.
References:
Title: | UNICORN (Unicos Realtime NADIR) |
Authors: | Los Alamos National Laboratory |
Attributes: | |
URL: | http://www.EnGarde.com/~mcn/unicorn.html |
Availability: |
UNICORN (Unicos Realtime NADIR) is an expansion on the NADIR project. Unicorn will accept audit logs from Unicos (Cray Unix), Kerberos, and our common file system, then analyze them and attempt to detect intruders in realtime. Because Unicorn was designed for Kerberos and Unix, the design can be applied to many other network configurations.
References:
Title: | USTAT (State Transition Analysis Tool for UNIX) |
Authors: | Koral Ilgun, University of California, Santa Barbara |
Attributes: | host based, misuse detection |
URL: | http://www.cs.ucsb.edu/TRs/TRCS93-26.html |
Availability: |
USTAT is the first prototype of the STAT model, in particular for SunOS 4.1.1. USTAT makes use of the audit trails that are collected by the C2 Basic Security Module of SunOS and it keeps track of only those critical actions that must occur for the successful completion of the penetration. This approach differs from other rule-based penetration identification tools that pattern match sequences of audit records.
Jonathan Wood has ported USTAT to Solaris 2.x, and is currently investigating approaches to a distributed intrusion detection system using USTAT. This system will collect data from multiple hosts on a network and process the data as a unified audit trail. Other research directions include incorporating USTAT with other IDS which complement its capabilities (i.e. anomaly detection systems), and expanding its auditing capabilities to take advantage of the extra information gleaned from gathering audit data from networked machines.
References:
Title: | Watcher |
Authors: | Kenneth Ingham, University of New Mexico |
Attributes: | |
URL: | |
Availability: |
A configurable and extensible system monitoring tool that issues a number of user-specified commands, parses the output, checks for items of significance, and reports them to the system administrator.
Title: | WebStalker Pro |
Authors: | Haystack Laboratories, Inc., Austin, TX |
Attributes: | host based, misuse detection |
URL: | http://www.haystack.com/webstalk.htm |
Availability: | Commercially available |
WebStalker Pro is a version of Stalker that has been customized for use on World Wide Web servers. In addition to Stalker's features, WebStalker Pro checks for illegal termination of the web server, or an attempt to modify its content. In reaction, WebStalker Pro can do everything that Stalker can, and also restart the web server software.
References:
Title: | Wisdom and Sense |
Authors: | Los Alamos National Laboratory, Oak Ridge National Laboratory |
Attributes: | host based, anomaly detection |
URL: | |
Availability: |
No information yet.
References: