NADIR: An Automated System for Detecting Network Intrusions and Misuse*
Author
Judith Hochberg, Kathleen Jackson, Cathy Stallings, J. F. McClary, David DuBois, Josephine Ford
Abstract
This paper describes a misuse detection system for Los Alamos National Laboratory's
Integrated Computing Network (ICN). This automated expert system, the Network
Anomaly Detection and Intrusion Reporter (NADIR), streamlines and supplements the
manual audit record review traditionally performed by security auditors. NADIR
compares network activity, as summarized in weekly profiles of individual users and
the ICN as a whole, against expert rules that define security policy and improper
or suspicious behavior. NADIR reports suspicious behavior to security auditors
and provides tools to aid in follow-up investigations. This paper describes analysis
by NADIR of two types of ICN activity: user authentication and access control, and
mass file storage. It highlights system design issues of data handling, exploiting
existing auditing systems, and performing audit analysis at the network level.
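The abstract describes NADIR's core mechanism: weekly activity profiles, per user and for the ICN as a whole, are compared against expert rules that encode security policy and suspicious behaviour, and matches are reported to human auditors. The following Python program is an added illustration of that profile-and-rules design; it is not NADIR's code, and the audit record format, the profile fields, the rules and the thresholds are all assumptions chosen for the constructed sample data, not the paper's actual rule base.

```python
"""
Toy profile-and-rules misuse detector in the style the NADIR abstract describes.
Added example, not NADIR's code. Record format, profile fields, rules and
thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample of one week of audit records (not real ICN data).
# Fields: timestamp, user, event, host, bytes moved (0 for authentication events).
WEEK = [
    ("1992-03-02 09:12", "alice", "auth_ok",   "icn-gw1", 0),
    ("1992-03-02 09:15", "alice", "store",     "cfs",     5_000_000),
    ("1992-03-04 14:30", "alice", "retrieve",  "cfs",     2_000_000),
    ("1992-03-03 02:40", "bob",   "auth_fail", "icn-gw2", 0),
    ("1992-03-03 02:41", "bob",   "auth_fail", "icn-gw2", 0),
    ("1992-03-03 02:42", "bob",   "auth_fail", "icn-gw2", 0),
    ("1992-03-03 02:43", "bob",   "auth_fail", "icn-gw2", 0),
    ("1992-03-03 02:44", "bob",   "auth_fail", "icn-gw2", 0),
    ("1992-03-03 02:45", "bob",   "auth_fail", "icn-gw2", 0),
    ("1992-03-03 02:46", "bob",   "auth_ok",   "icn-gw2", 0),
    ("1992-03-03 02:50", "bob",   "retrieve",  "cfs",     900_000_000),
    ("1992-03-05 10:05", "carol", "auth_ok",   "icn-gw1", 0),
    ("1992-03-05 10:06", "carol", "auth_ok",   "icn-gw3", 0),
    ("1992-03-05 10:07", "carol", "auth_ok",   "icn-gw4", 0),
    ("1992-03-05 10:10", "carol", "store",     "cfs",     50_000_000),
]

def new_profile():
    """Empty weekly profile; the same shape is used per user and for the whole ICN."""
    return {"auth_ok": 0, "auth_fail": 0, "off_hours_auth": 0,
            "hosts": set(), "stored": 0, "retrieved": 0}

def build_profiles(records):
    """Summarise raw audit records into per-user profiles plus one network-wide profile."""
    users = defaultdict(new_profile)
    network = new_profile()
    for ts, user, event, host, nbytes in records:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
        for p in (users[user], network):       # every record updates both views
            if event in ("auth_ok", "auth_fail"):
                p[event] += 1
                p["hosts"].add(host)
                if hour < 6 or hour >= 22:     # assumed "off hours" window
                    p["off_hours_auth"] += 1
            elif event == "store":
                p["stored"] += nbytes
            elif event == "retrieve":
                p["retrieved"] += nbytes
    return dict(users), network

# Expert rules as (name, test, evidence). Thresholds are assumptions for this sample.
USER_RULES = [
    ("repeated authentication failures",
     lambda p: p["auth_fail"] >= 5,
     lambda p: f'{p["auth_fail"]} failed logins this week'),
    ("failures followed by a success (possible password guessing)",
     lambda p: p["auth_fail"] >= 3 and p["auth_ok"] >= 1,
     lambda p: f'{p["auth_fail"]} failures, then {p["auth_ok"]} success(es)'),
    ("off-hours authentication",
     lambda p: p["off_hours_auth"] >= 1,
     lambda p: f'{p["off_hours_auth"]} logins between 22:00 and 06:00'),
    ("logins from many hosts",
     lambda p: len(p["hosts"]) >= 3,
     lambda p: f'{len(p["hosts"])} distinct hosts: {sorted(p["hosts"])}'),
    ("mass file retrieval",
     lambda p: p["retrieved"] > 500_000_000,
     lambda p: f'{p["retrieved"]:,} bytes retrieved from mass storage'),
    ("mass file storage",
     lambda p: p["stored"] > 100_000_000,
     lambda p: f'{p["stored"]:,} bytes stored'),
]
NETWORK_RULES = [
    ("ICN-wide authentication failure rate",
     lambda p: (p["auth_ok"] + p["auth_fail"]) >= 10
               and p["auth_fail"] / (p["auth_ok"] + p["auth_fail"]) > 0.25,
     lambda p: f'{p["auth_fail"]} of {p["auth_ok"] + p["auth_fail"]} attempts failed'),
]

def evaluate(user_profiles, network_profile):
    """Apply the rule base; return alerts for the auditor with the evidence that fired each."""
    alerts = []
    for user in sorted(user_profiles):
        p = user_profiles[user]
        for name, test, evidence in USER_RULES:
            if test(p):
                alerts.append({"subject": user, "rule": name, "evidence": evidence(p)})
    for name, test, evidence in NETWORK_RULES:
        if test(network_profile):
            alerts.append({"subject": "ICN", "rule": name,
                           "evidence": evidence(network_profile)})
    return alerts

def run_week(records=WEEK):
    users, network = build_profiles(records)
    return evaluate(users, network)

if __name__ == "__main__":
    for a in run_week():
        print(f'{a["subject"]:6s} {a["rule"]}: {a["evidence"]}')
```

Two design points carry over from the abstract. First, the raw records are reduced to a weekly profile before any rule runs, so the rule base reasons about summarised behaviour rather than individual events, which is what makes auditor-style rules ("many failures", "unusual volume") expressible. Second, the same records feed a network-wide profile, so a rule such as the ICN-wide failure rate can fire even when no single user crosses a per-user threshold.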
Address
New York, NY 10010
Institution
Elsevier Science Publishers Ltd
Publication Date
0000-00-00
Keywords
Computer security, intrusion detection, misuse detection, anomaly detection, expert systems
Location
A hard-copy of this is in the Papers Cabinet