Author
Steven R. Snapp, James Bretano, Gihan V. Dias, et al.
Abstract
The study of providing security in computer networks is a rapidly growing area
of interest because the network is the medium over which most attacks or intrusions
on computer systems are launched. One approach to this problem is the
"intrusion-detection" concept, whose basic premise is that abandoning the existing
and huge infrastructure of possibly insecure computer and network systems is
impossible, and that replacing them with totally secure systems may not be feasible
or cost-effective either. Previous work on intrusion-detection systems was performed
on stand-alone hosts and in a broadcast local area network (LAN) environment. The
focus of our present research is to extend our network intrusion-detection
concept from the LAN environment to arbitrarily wider areas, with the network
topology being arbitrary as well. The generalized distributed environment is
heterogeneous, i.e., the network nodes can be hosts or servers from different
vendors, or some of them could be LAN managers, like the network security monitor
(NSM) of our previous work. The proposed architecture for this distributed
intrusion-detection system consists of the following components: a host manager
(viz. a monitoring process or collection of processes running in the background)
on each host; a LAN manager for monitoring each LAN in the system; and a central
manager which receives reports from the various host and LAN managers, processes
these reports, correlates them, and detects intrusions.
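As an added illustration of the three-tier reporting hierarchy described in the abstract (this is not code from the paper, and the report fields, the correlation window and the reporter threshold are assumptions made here), a small central manager that accepts reports from host and LAN managers and flags a subject only when several independent reporters observe it within one time window:

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed model of the host-manager / LAN-manager / central-manager hierarchy;
# the report fields, window and threshold are assumptions, not the paper's design.
@dataclass(frozen=True)
class Report:
    source: str   # reporting component, e.g. "host:A" or "lan:seg1"
    subject: str  # account the event concerns
    event: str    # event type observed by the reporter
    ts: int       # seconds since a common epoch

class CentralManager:
    """Collects reports from host and LAN managers and correlates them by subject."""
    def __init__(self, window=300, threshold=3):
        self.window = window        # correlation window in seconds
        self.threshold = threshold  # distinct reporters needed to raise an alert
        self.by_subject = defaultdict(list)

    def receive(self, report):
        """Called by a host or LAN manager to deliver one report."""
        self.by_subject[report.subject].append(report)

    def correlate(self):
        """Return (subject, reporters) for each subject seen by >= threshold
        distinct reporters inside one sliding window; a single noisy host
        never reaches the threshold on its own."""
        alerts = []
        for subject, reports in self.by_subject.items():
            reports.sort(key=lambda r: r.ts)
            start = 0
            for end in range(len(reports)):
                while reports[end].ts - reports[start].ts > self.window:
                    start += 1
                sources = {r.source for r in reports[start:end + 1]}
                if len(sources) >= self.threshold:
                    alerts.append((subject, sorted(sources)))
                    break
        return alerts

def run_example():
    """Deliver constructed reports from two host managers and one LAN manager."""
    cm = CentralManager()
    sample = [
        Report("host:A", "alice", "failed_login", 10),
        Report("host:B", "alice", "failed_login", 40),
        Report("lan:seg1", "alice", "new_connection", 70),
        Report("host:C", "bob", "failed_login", 100),  # one reporter: no alert
    ]
    for r in sample:
        cm.receive(r)
    return cm.correlate()
```

Raising the threshold or shortening the window trades sensitivity for fewer alerts; the sliding window means reports far apart in time do not accumulate indefinitely.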