The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive

A Comparative Analysis of Current Intrusion Detection Technologies

James Cannady, Jay Harrell

Intrusion detection is a significant focus of research in the security of computer systems and networks. This paper presents an analysis of the progress being made in the development of effective intrusion detection systems for computer systems and distributed computer networks. The technologies which are discussed are designed to detect instances of access to computer systems by unauthorized individuals and the misuse of system resources by authorized system users. A review of the foundations of intrusion detection systems and of the methodologies which are the focus of current development efforts is provided. The results of an informal survey of security and network professionals are discussed to offer a real-world view of intrusion detection. Finally, a discussion of the future technologies and methodologies which promise to enhance the ability of computer systems to detect intrusions is provided.

Added 2002-07-26

Cipher Instruction Search Attack on the Bus Encryption Security Microcontroller DS5002FP (preprint)

Markus G. Kuhn

A new practical attack on a widely used bus encryption microprocessor, which decrypts software on-the-fly when bytes are fetched from RAM, is presented. It allows easy unauthorized access to clear memory.

Added 2002-07-26

Neural Network Frequently Asked Questions (FAQ)

Heini Withagen

Added 2002-07-26

Using embedded sensors for detecting network attacks

CERIAS TR 2000-25
Florian Kerschbaum and Eugene H. Spafford and Diego Zamboni

Embedded sensors for intrusion detection consist of code added to the operating system and the programs of the hosts where monitoring will take place. The sensors check for specific conditions that indicate an attack is taking place, or an intrusion has occurred. Embedded sensors have advantages over other data collection techniques (usually implemented as separate processes) in terms of reduced host impact, resistance to attack, efficiency and effectiveness of detection. We describe the use of embedded sensors in general, and their application to the detection of specific network-based attacks. The sensors were implemented in the OpenBSD operating system, and our tests show a 100% success rate in the detection of the attacks for which sensors were instrumented. We discuss the sensors implemented and the results obtained, as well as current and future work in the area.

Added 2002-07-26

Web Spoofing: An Internet Con Game

Edward W. Felten, Dirk Balfanz, Drew Dean, Dan S. Wallach

This paper describes an Internet security attack that could endanger the privacy of World Wide Web users and the integrity of their data. The attack can be carried out on today’s systems, endangering users of the most common Web browsers, including Netscape Navigator and Microsoft Internet Explorer. Web spoofing allows an attacker to create a “shadow copy” of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker’s machine, allowing the attacker to monitor all of the victim’s activities, including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim’s name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web. We have implemented a demonstration version of this attack.

Added 2002-07-26

Information Security Risk Management - How to Select a Risk Analysis Software package

A valuable tool is going relatively unnoticed by information security professionals: the conducting of risk assessment/analysis within their organizations. In Datapro’s “Computer Security Issues: 1995 Survey”, between 21 and 31 of the total survey respondents conducted a risk assessment/analysis as one of their security measures. The percentages varied slightly depending on the environment being protected: microcomputer, data network, or midrange/mainframes. Information security is too broad an issue, and resources are in too short supply, for security professionals to be guessing where to spend the money. Risk management is the practice of defining and analyzing the threats to organizational assets and capabilities, and of assisting management in optimizing the return on investment of information security resources. This report provides a methodology for developing an information security risk management program. The necessary steps needed to develop a plan are presented, and a process for the plan’s maintenance is discussed.

Added 2002-07-26

Internet & Network Law 1995

William J. Cook

The Internet has become a massive commercial environment. It provides intellectual property owners with unprecedented marketing opportunities. Unfortunately, it also presents them with unprecedented, time-critical licensing and enforcement challenges. This update looks at recent cases and legislation relating to the legal challenges presented by the Internet.

Added 2002-07-26

Petrus: A Secure Distributed Object System

Lebin Cheng, Vincent F. Russo

A distributed object-oriented system stresses modularity through narrow and rigidly defined interfaces to build low-coupling, highly autonomous components. A security system for such systems must preserve their scalability, maintainability and extensibility. This paper presents a security system called Petrus, which provides strong authentication and data encryption to the Renaissance object environment. Petrus combines public-key and secret-key cryptography to achieve acceptable performance. In addition, to minimize coupling, Petrus reduces the functions of the central authorities and delegates authentication and data encryption to individual clients and servers. By hiding security functions in the Petrus layers in proxies to remote objects, Petrus provides flexible mechanisms for applications that are mostly unaware of security to enforce the constraints specified by their security policy, easing the construction and maintenance of secure distributed systems.

Added 2002-07-26

Distributed Audit Trail Analysis

Abdelaziz Mounji, Baudouin Le Charlier, Denis Zampunieris, Naji Habra

An implemented system for on-line analysis of multiple distributed data streams is presented. The system is conceptually universal since it does not rely on any particular platform feature and uses format adaptors to translate data streams into its own standard format. The system is as powerful as possible (from a theoretical standpoint) but still efficient enough for on-line analysis thanks to its rule-based language (RUSSEL), which is specifically designed for efficient processing of sequential unstructured data streams. In this paper, the generic concepts are applied to security audit trail analysis. The resulting system provides powerful network security monitoring and sophisticated tools for intrusion/anomaly detection. The rule-based and command languages are described, as well as the distributed architecture and the implementation. Performance measurements are reported, showing the effectiveness of the approach.

Added 2002-07-26

ASAX: Software Architecture and Rule-Based Language for Universal Audit Trail Analysis

Naji Habra, Baudouin Le Charlier, Abdelaziz Mounji, Isabella Mathieu

After a brief survey of the problems related to audit trail analysis and of some approaches to deal with them, the paper outlines the project ASAX, which aims at providing an advanced tool to support such analysis. One key feature of ASAX is its elegant architecture, built on top of a universal analysis tool allowing any audit trail to be analysed after a straightforward format adaptation. Another key feature of the project ASAX is the language RUSSEL, used to express queries on audit trails. RUSSEL is a rule-based language which is tailor-made for the analysis of sequential files in one and only one pass. The design of RUSSEL makes a good compromise between the needed efficiency on the one hand and a suitable declarative style on the other. The language is illustrated by examples of rules for the detection of some representative classical security breaches.

Added 2002-07-26

Balanced Key Escrow

Lance J. Hoffman

This paper presents a framework for key escrow encryption that satisfies most law enforcement and civil liberties concerns. It provides users considerable autonomy in deciding how and with whom information will be escrowed. It relies on no specific technology solution but will accommodate all of them, whether implemented in hardware, software, firmware, or paper! Depending on the specific system, it may provide real-time emergency access to information when requested by authorized entities. Users, not governments, bear the costs of the scheme.

Added 2002-07-26

An Engineering Approach to Secure System Analysis, Design, and Integration

Edward Amoroso, W. E. Kleppinger, David Majette

A system security engineering (SSE) methodology is used within the Secure Systems Engineering Department of AT&T Laboratories during the analysis, design, and integration of computer and network systems. This evolving methodology focuses on how threats, vulnerabilities, and attacks on these systems are identified and mitigated, and how safeguards based on engineering estimates of risk are identified and integrated.

Added 2002-07-26

TCP Wrapper: Network monitoring, access control, and booby traps

Wietse Venema

This paper presents a simple tool to monitor and control incoming network traffic. The tool has been successfully used for shielding off systems and for detection of cracker activity. It has no impact on legitimate computer users, and does not require any change to existing system software or configuration files. The tool has been installed world-wide on numerous UNIX systems without any source code change.

Added 2002-07-26

An Interdisciplinary Approach for Adding Knowledge to Computer Security Systems

Maodo Toure

The work that will be presented in this paper focuses on the use of Artificial Intelligence (AI) for certain computer security systems. We call this class of security systems “Intelligent Security Systems”. Some past works found AI helpful for such security systems as intrusion detection, virus detection, real-time analysis of audit records, etc. But, because of the antagonism between security systems’ sensibility and knowledge bases’ flexibility and friendliness, the use of AI in security cannot be effective without a real dialogue between AI and security, namely, an interdisciplinary approach requiring two skills: knowledge engineering and security expertise.

Added 2002-07-26

Risk Management & Corporate Security: A Viable Leadership And Business Solution Design To Enhance Corporations In The Emerging Marketplace

Scott Hill, Martin Smith

In an age of expensive resources and technology, and the unique complexities brought about by the emerging markets, organizations share a common need and responsibility to manage those threats that impact on the operation of the business and profitability. Inferably, when analysing threats to business in terms of a Risk Evaluation Framework, risk management and corporate security are similar in that each is concerned with the protection and conservation of corporate assets and resources. Whether it be the proliferation of unfriendly acquisitions, domestic and international vulnerability analysis and risk assessment, review of corporate security programmes and surveys, or disaster planning, disaster recovery, and continuity of operations, the need remains the same: security and management of risks. While security has so often been an afterthought, or rather a retrofit or ‘quick fix’, today’s view of security involves sophistication, early product and business design, and a particular technical application never before realized. This article is an attempt to prove that today’s all-encompassing corporate security process exists as an essential element of the total risk management function.

Added 2002-07-26