Type | Title | Date Added | Company
whitepaper | Applying Fast String Matching to Intrusion Detection | 2008-01-01 | University of California
  The performance of signature-based network intrusion detection tools is dominated by the string matching of packets against many signatures. This paper studies how the popular intrusion detection system Snort can be best optimized to utilize different string matching algorithms. The paper analyzes the performance of Snort's current string matching algorithm, Boyer-Moore, and several alternate algorithms. The paper shows that no single algorithm is fastest in the context of a real Snort rule set. Instead, the paper develops a hybrid system that utilizes three different search algorithms, including one new algorithm presented in this paper. The result is a system that matches many common packets 5 times faster with an average speedup of 50%.

Tags: Security Tools, Intrusion Detection Systems
  
whitepaper | Enriching Intrusion Alerts Through Multi-Host Causality | 2008-01-01 | University of Michigan
  Current intrusion detection systems point out suspicious states or events but do not show how the suspicious state or events relate to other states or events in the system. This paper shows how to enrich an IDS alert with information about how those alerts causally lead to or result from other events in the system. By enriching IDS alerts with this type of causal information, one can leverage existing IDS alerts to learn more about the suspected attack. Backward causal graphs can be used to find which host allowed a multi-hop attack (such as a worm) to enter a local network; forward causal graphs can be used to find the other hosts that were affected by the multi-hop attack.

Tags: Security Tools, Intrusion Detection Systems
  
whitepaper | Honeycomb - Creating Intrusion Detection Signatures Using Honeypots | 2008-01-01 | University of Cambridge
  This paper describes a system for automated generation of attack signatures for network intrusion detection systems. The system applies pattern-matching techniques and protocol conformance checks on multiple levels in the protocol hierarchy to network traffic captured by a honeypot system. This paper presents results of running the system on an unprotected cable modem connection for 24 hours. The system successfully created precise traffic signatures that otherwise would have required the skills and time of a security officer to inspect the traffic manually.

Tags: Security Tools, Intrusion Detection Systems
  
whitepaper | A Cooperative Intrusion Detection System for Ad Hoc Networks | 2008-01-01 | Georgia Institute of Technology
  Mobile Ad hoc NETworking (MANET) has become an exciting and important technology in recent years because of the rapid proliferation of wireless devices. MANETs are highly vulnerable to attacks due to the open medium, dynamically changing network topology, cooperative algorithms, lack of centralized monitoring and management point, and lack of a clear line of defense. This paper reports the progress in developing Intrusion Detection (ID) capabilities for MANET. Building on the prior work on anomaly detection, the paper investigates how to improve the anomaly detection approach to provide more details on attack types and sources. For several well-known attacks, one can apply a simple rule to identify the attack type when an anomaly is reported. In some cases, these rules can also help identify the attackers.

Tags: Security Tools, Intrusion Detection Systems
  
whitepaper | MINDS - Minnesota Intrusion Detection System | 2008-01-01 | University of Minnesota
  This paper introduces the Minnesota Intrusion Detection System (MINDS), which uses a suite of data mining techniques to automatically detect attacks against computer networks and systems. While the long-term objective of MINDS is to address all aspects of intrusion detection, this paper focuses on two specific contributions: an unsupervised anomaly detection technique that assigns a score to each network connection that reflects how anomalous the connection is, and an association pattern analysis based module that summarizes those network connections that are ranked highly anomalous by the anomaly detection module.

Tags: Security Tools, Intrusion Detection Systems
  
whitepaper | Attribution and Aggregation of Network Flows for Security Analysis | 2008-01-01 | Dartmouth College
  This paper describes a network flow analyzer that is capable of attribution and aggregation of different flows into single activity events for the purposes of identifying suspicious and illegitimate behaviors. Flows are correlated with security events using the Process Query System (PQS) infrastructure. This paper shows results from initial experiments and describes plans for extending the effort. The correlation of network flows with security events appears to have high potential for aggregating disparate network and host activity and for classifying network activity as either benign or suspicious.

Tags: Security Management, Security Tools
  
whitepaper | A High-Performance Network Intrusion Detection System | 2008-01-01 | Iowa State University
  This paper presents a new approach for network intrusion detection based on concise specifications that characterize normal and abnormal network packet sequences. The specification language is geared for robust network intrusion detection by enforcing a strict type discipline via a combination of static and dynamic type checking. Unlike most previous approaches in network intrusion detection, the authors' approach can easily support new network protocols, as information relating to the protocols is not hard-coded into the system. Instead, suitable type definitions are added to the specifications, and intrusion patterns are defined on these types. These specifications are compiled into a high-performance network intrusion detection system.

Tags: Security Tools, Intrusion Detection Systems
  
whitepaper | A Target-Centric Ontology for Intrusion Detection | 2008-01-01 | University of Maryland
  This paper presents an ontology specifying a model of computer attacks. The ontology is based upon an analysis of over 4,000 classes of computer intrusions and their corresponding attack strategies and is categorized according to: system component targeted, means of attack, consequence of attack and location of attacker. The author argues that any taxonomic characteristics used to define a computer attack be limited in scope to those features that are observable and measurable at the target of the attack. The paper presents the model as a target-centric ontology that is to be refined and expanded over time. The paper states the benefits of forgoing dependence upon taxonomies, in favor of ontologies, for the classification of computer attacks and intrusions.

Tags: Security Tools, Intrusion Detection Systems
  
whitepaper | Secure "Selecticast" for Collaborative Intrusion Detection Systems | 2008-01-01 | Columbia University
  The problem domain of Collaborative Intrusion Detection Systems (CIDS) introduces distinctive data routing challenges, which the paper shows are solvable through a sufficiently flexible publish-subscribe system. CIDS share intrusion detection data among organizations, usually to predict impending attacks earlier and more accurately, e.g., from Internet worms that tend to attack many sites at once. CIDS participants collect lists of suspect IP addresses, and want to be notified if others are suspicious of the same addresses. The matching must be done efficiently and anonymously, as most organizations are reluctant to share potentially revealing information about their networks. Alerts regarding external probes should only be visible to other CIDS participants experiencing probes from the same source(s).

Tags: Security Tools, Intrusion Detection Systems
  
whitepaper | Towards a High-Speed Router-Based Anomaly/Intrusion Detection System | 2008-01-01 | Northwestern University
  Traffic anomalies and attacks are commonplace in today's networks, and identifying them rapidly and accurately is critical for large networks. With the rapid growth of network bandwidth and fast emergence of new attacks/worms, existing network Intrusion Detection Systems (IDS) are insufficient for the following two reasons. First, they are mostly host-based or located on low-end routers, and not scalable to high-speed networks. However, it is crucial to identify fast propagation of worms in their early phases, which can only possibly be achieved by detection at high speed edge/backbone routers instead of at end hosts. Unfortunately, the existing schemes are not scalable to the link speeds and number of flows for high-speed networks.

Tags: Security Tools, Intrusion Detection Systems