Abstract
This paper summarizes the EMERALD (Event Monitoring Enabling Responses to Anomalous
Live Disturbances) environment, a distributed, scalable tool suite for tracking
malicious activity through and across large networks. EMERALD introduces a highly
distributed, building-block approach to network surveillance, attack isolation,
and automated response. It combines models from research in distributed high-volume
event-correlation methodologies with over a decade's worth of intrusion-detection
research and engineering experience. The approach is novel in its use of highly
distributed, independently tunable surveillance and response monitors that are
deployable polymorphically at various abstract layers in a large network. These
monitors demonstrate a streamlined intrusion-detection design that combines
signature analysis with statistical profiling to provide localized real-time
protection of the most widely used network services on the Internet. Equally
important, EMERALD introduces a recursive framework for coordinating the
dissemination of analyses from the distributed monitors to provide a global
detection and response capability to counter attacks occurring across an entire
network enterprise. Further, EMERALD introduces a versatile application programmers'
interface that enhances its ability to integrate with the target hosts and provides
a high degree of interoperability with third-party tool suites.
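The monitor layering the abstract describes, as an added toy illustration written for this page (it is not EMERALD's code and makes no claim about its internals): each service monitor runs fixed signature rules and a per-source statistical profile over its own service's audit records, and a correlator one layer up aggregates the monitors' reports and escalates when one source trips several hosts. The correlator's output has the same shape as its input, so the same class can sit at the domain and enterprise layers. The FTP records, the two signature rules, the z-score threshold and the "two hosts" escalation rule are all constructed for the example.

```python
"""Toy of a service-level monitor (signatures + statistical profile) feeding a
stackable correlator. Added illustration, not EMERALD's code."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Alert:
    layer: str     # "service", "domain", "enterprise", ...
    host: str      # reporting host, or "*" for a correlated, multi-host finding
    source: str    # subject the finding is about (here: client IP)
    kind: str
    detail: str


# Signature analysis: fixed predicates over audit-record fields (constructed rules).
SIGNATURES = [
    ("ftp-site-exec", lambda e: e["service"] == "ftp" and e["cmd"].startswith("SITE EXEC")),
    ("ftp-traversal", lambda e: e["service"] == "ftp" and ".." in e["arg"]),
]


class ServiceMonitor:
    """One monitor per (host, service). Signature rules catch known misuse;
    a per-source profile of transfer volume flags statistical outliers."""

    def __init__(self, host, service, min_samples=5, z_threshold=3.0):
        self.host, self.service = host, service
        self.min_samples, self.z = min_samples, z_threshold
        self.profile = defaultdict(list)   # source -> bytes seen per record

    def observe(self, event):
        alerts = [Alert("service", self.host, event["src"], name, event["cmd"])
                  for name, rule in SIGNATURES if rule(event)]
        hist = self.profile[event["src"]]
        if len(hist) >= self.min_samples:      # only profile once we have a baseline
            mu, sd = mean(hist), pstdev(hist)
            if sd > 0 and (event["bytes"] - mu) / sd > self.z:
                alerts.append(Alert("service", self.host, event["src"], "volume-anomaly",
                                    f"{event['bytes']}B vs mean {mu:.0f}B"))
        hist.append(event["bytes"])            # update the profile after scoring
        return alerts


class Correlator:
    """Aggregates alerts from the layer below and escalates once a source has
    tripped `hosts_required` distinct hosts. Emits Alerts, so instances stack."""

    def __init__(self, layer, hosts_required=2):
        self.layer, self.hosts_required = layer, hosts_required
        self.seen = defaultdict(set)   # source -> hosts that reported it
        self.escalated = set()

    def ingest(self, alerts):
        out = []
        for a in alerts:
            self.seen[a.source].add(a.host)
            if len(self.seen[a.source]) >= self.hosts_required and a.source not in self.escalated:
                self.escalated.add(a.source)
                out.append(Alert(self.layer, "*", a.source, "multi-host-activity",
                                 ",".join(sorted(self.seen[a.source]))))
        return out


# Constructed sample audit records: a quiet baseline from 10.0.0.5 on ftp-a,
# then a bulk pull there and a SITE EXEC attempt on ftp-b from the same client.
EVENTS = [
    *({"host": "ftp-a", "service": "ftp", "src": "10.0.0.5", "cmd": "RETR",
       "arg": "pub/readme", "bytes": b} for b in (1000, 1100, 900, 1050, 950, 1000)),
    {"host": "ftp-a", "service": "ftp", "src": "10.0.0.5", "cmd": "RETR",
     "arg": "pub/archive.tar", "bytes": 50000},
    {"host": "ftp-b", "service": "ftp", "src": "10.0.0.5", "cmd": "SITE EXEC",
     "arg": "/bin/sh", "bytes": 0},
    {"host": "ftp-b", "service": "ftp", "src": "10.0.0.9", "cmd": "RETR",
     "arg": "pub/readme", "bytes": 1200},
]


def run_demo(events=EVENTS):
    """Feed records to per-(host, service) monitors; route their alerts through a
    domain correlator, then an enterprise correlator fed by the domain layer."""
    monitors = {}
    domain = Correlator("domain", hosts_required=2)
    enterprise = Correlator("enterprise", hosts_required=1)
    service_alerts, domain_alerts, enterprise_alerts = [], [], []
    for e in events:
        key = (e["host"], e["service"])
        if key not in monitors:
            monitors[key] = ServiceMonitor(*key)
        found = monitors[key].observe(e)
        service_alerts += found
        escalated = domain.ingest(found)
        domain_alerts += escalated
        enterprise_alerts += enterprise.ingest(escalated)
    return service_alerts, domain_alerts, enterprise_alerts


if __name__ == "__main__":
    for layer in run_demo():
        for a in layer:
            print(a)
```

Running it, the ftp-a monitor raises a volume anomaly on the 50000-byte transfer (z-score far above 3 against a baseline near 1000 bytes), the ftp-b monitor raises the SITE EXEC signature, and the domain correlator escalates 10.0.0.5 once it has alerts from both hosts; the enterprise correlator then receives that single domain-level alert. The profile deliberately scores an event before adding it to the baseline, so a flagged outlier is still absorbed into later statistics; a production profiler would need decay and a cap on how fast an attacker can shift the baseline.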
Keywords
intrusion detection, anomaly detection, misuse detection, network security, coordinated attacks, information warfare, system survivability