Integration of Next-Generation Intrusion Detection System/Event Monitoring Enabling Responses to Anomalous Live Disturbances (NIDES/EMERALD) Intrusion Detection Engines with the International Office of Standardization (ISO) Architecture

Abstract

This report describes the expert-system-based intrusion detection technologies developed in the EMERALD program, and the research and experimentation performed with those components. The forward-reasoning expert-system tool P-BEST, which has been used to build signature-analysis engines for IDES, NIDES and now EMERALD, is described in detail. We show how data from network traffic interception, from host operating system audit trails, and from critical applications can be analyzed by P-BEST-based applications for real-time intrusion detection. The host-based and network-based intrusion detection monitors that we built have participated in various evaluations and experiments, confirming their detection capabilities and general applicability. We conclude that EMERALD's expert-system approach to misuse detection is well suited for the complex event analysis needed for wide attack coverage and near-zero false alarm rates.

Document Details

Document Type
Technical Report
Publication Date
Feb 01, 2002
Accession Number
ADA402446

Entities

People

  • Phillip A. Porras
  • Ulf Lindqvist

Organizations

  • SRI International

Tags

Communities of Interest

  • C4I
  • Cyber
  • Energy and Power Technologies
  • Ground and Sea Platforms

DTIC Thesaurus Topics

  • Application Protocols
  • Computer Networks
  • Computer Program Documentation
  • Computer Program Reliability
  • Computer Programming
  • Computer Programs
  • Computers
  • Cybersecurity
  • Database Management Systems
  • Denial Of Service Attack
  • Detectors
  • Intrusion Detection
  • Intrusion Detectors
  • Network Protocols
  • Network Science
  • Operating Systems
  • Web Browsers

Fields of Study

  • Computer science

Readers

  • Sensor Fusion and Tracking Systems
  • Software Engineering