The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive


An Immunological Model of Distributed Detection and Its Application to Computer Security

Steven Andrew Hofmeyr

This dissertation explores an immunological model of distributed detection, called negative detection, and studies its performance in the domain of intrusion detection on computer networks…

Added 2002-07-26

Research in Intrusion-Detection Systems: A Survey

Stefan Axelsson

This paper presents an up-to-date and thorough survey of the research in the field of computer and network intrusion detection, with a taxonomy of intrusion detection system features, and a classification of the surveyed systems according to this taxonomy…

Added 2002-07-26

A Sense of Self for Unix Processes

Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji, Thomas A. Longstaff

A method for anomaly detection is introduced in which normal is defined by short-range correlations in a process's system calls. Initial experiments suggest that the definition is stable during normal behavior for standard UNIX programs. Further, it is able to detect several common intrusions involving sendmail and lpr. This work is part of a research program aimed at building computer security systems that incorporate the mechanisms and algorithms used by natural immune systems.

Added 2002-07-26

Data Mining Approaches for Intrusion Detection

Wenke Lee, Salvatore J. Stolfo

In this paper we discuss our research in developing general and systematic methods for intrusion detection. The key ideas are to use data mining techniques to discover consistent and useful patterns of system features that describe program and user behavior, and to use the set of relevant system features to compute (inductively learned) classifiers that can recognize anomalies and known intrusions. Using experiments on the sendmail system call data and the network tcpdump data, we demonstrate that we can construct concise and accurate classifiers to detect anomalies. We provide an overview of two general data mining algorithms that we have implemented: the association rules algorithm and the frequent episodes algorithm. These algorithms can be used to compute the intra- and inter-audit record patterns, which are essential in describing program or user behavior. The discovered patterns can guide the audit data gathering process and facilitate feature selection. To meet the challenges of both efficient learning (mining) and real-time detection, we propose an agent-based architecture for intrusion detection systems where the learning agents continuously compute and provide the updated (detection) models to the detection agents.

Added 2002-07-26

Intelligent Agents for Intrusion Detection

Guy G. Helmer, Johnny S. K. Wong, Vasant Honavar, Les Miller

This paper focuses on intrusion detection and countermeasures with respect to widely-used operating systems and networks. The design and architecture of an intrusion detection system built from distributed agents is proposed to implement an intelligent system on which data mining can be performed to provide global, temporal views of an entire networked system. A starting point for agent intelligence in our system is the research into the use of machine learning over system call traces from the privileged sendmail program on UNIX. We use a rule learning algorithm to classify the system call traces for intrusion detection purposes and show the results.

Added 2002-07-26

An Artificial Immune Model for Network Intrusion Detection

Jungwon Kim, Peter Bentley

This paper investigates the subject of intrusion detection over networks. Existing network-based IDSs are categorized into three groups and the overall architecture of each group is summarised and assessed. A new methodology to this problem is then presented, which is inspired by the human immune system and based on a novel artificial immune model. The architecture of the model is presented and its characteristics are compared with the requirements of network-based IDSs. The paper concludes that this new approach shows considerable promise for future network-based IDSs.

Added 2002-07-26

On Preventing Intrusions by Process Behavior Monitoring

R. Sekar, T. Bowen, M. Segal

Society's increasing reliance on networked information systems to support critical infrastructures has prompted interest in making the information systems survivable, so that they can continue to perform critical functions even in the presence of vulnerabilities susceptible to malicious attacks. To achieve this, it is necessary to detect attacks and isolate failures resulting from attacks before they damage the system by impacting functionality, performance or security. The key research problems in this context include:
* detecting in-progress attacks before they cause damage, as opposed to detecting attacks after they have succeeded,
* localizing and/or minimizing damage by isolating attacked components in real-time, and
* tracing the origin of attacks.
We address the detection problem by real-time event monitoring and comparison against events known to be unacceptable. Real-time detection differentiates our approach from previous works that focus on intrusion detection by post-attack evidence analysis. We address the isolation and tracing problems by supporting automatic initiation of reactions. Reactions are programs that we develop to respond to attacks. A reaction's primary goal is to isolate compromised components and prevent them from damaging other components. A reaction's secondary goal is to aid in tracing the origin of attack, e.g., by providing an illusion of success to the attackers (enticing them to continue the attack) while ensuring that the attack causes no damage. Our approach to detecting attacks is based on specifying permissible process behaviors as logical assertions on sequences of system calls and conditions on the values of system call arguments. We compile the specifications into finite state automata for efficient runtime detection of deviations from the specified (and hence permissible) behavior. We seamlessly integrate detection and reaction by designing our specification language to also allow specification of reactions.

Added 2002-07-26

CEDMOS: Complex Event Detection and Monitoring System

Donald Baker, Anthony R. Cassandra, Mosfeq Rashid

CEDMOS is the Composite Event Detection and Monitoring System developed for DARPA by MCC. CEDMOS recognizes patterns of events called complex events according to user-authorized event specifications. CEDMOS is a general event processing technology that includes:
* a core infrastructure for event detection which implements a general, efficient event processing model;
* a graphical programming environment for the creation and manipulation of composite events; and
* agent shells for rapid development of customized agents for event gathering, composite event detection, and dissemination of composite events.
This paper gives the theoretical basis for the CEDMOS event processing model. The model is a restriction of a more general event processing model that takes into consideration a number of practical issues. In addition, issues that arose in the deployment of CEDMOS to some particular domains are discussed. Unlike many other event processing technologies, CEDMOS is not tied to databases or other technologies and can be applied to many different domains.

Added 2002-07-26

Comparing Authentication Techniques

Matt Bishop

Added 2002-04-16

Virtual Orality: How eBay Controls Auctions without an Auctioneer's Voice

CERIAS TR 2002-18
Josh Boyd
Download: PDF

Auctions are communication-intensive enterprises.  Most scholarly examinations of auctions, however, have come from economics and sociology.  This paper applies a communication perspective to eBay, the largest online auction, and argues that eBay has maintained safety, order, and interest in its auctions by mimicking the oral style of the auctioneer and following the rules of in-person auctions, but in a virtual space.

Added 2001-03-06

Detecting the Abnormal: Machine Learning in Computer Security

COAST TR 97-02
Lane, T., Brodley, C.
Added 2001-01-01

Use of A Taxonomy of Security Faults

COAST TR 96-05
Aslam, T., Krsul, I., Spafford, E.
Added 2001-01-01

IDIOT - Users Guide

COAST TR 96-04
Crosbie, M., Dole, B., Ellis, T., Krsul, I., Spafford, E.
Added 2001-01-01

A Secure Message Broadcast System (SMBS)

COAST TR 96-01, CSD-TR-96-019
Crosbie, M., Krsul, I., Lodin, S., Spafford, E.
Download: PDF

This paper describes the design and implementation of a secure message broadcast system (SMBS). It is a secure, multi-party chat program that ensures privacy in communication and does not rely on shared secret keys. The system was built as a study of the feasibility of building effective communication tools using zero knowledge proofs. There is a general consensus in the computer security community that traditional password-based authentication mechanisms are insufficient in today's globally connected environment. Mechanisms such as one-time passwords are a partial solution to the problem. The issue that these protocols don't address is the lack of mutual authentication. The Kerberos family of systems addresses the issue of mutual authentication but relies heavily on the physical security of the server and safekeeping of the password database.

Added 2001-01-01

Defending a Computer System using Autonomous Agents

COAST TR 95-02
Crosbie, M., Spafford, E.
Download: PDF
Added 2001-01-01