State of the Art in Anomaly Detection and Reaction

Abstract

This paper presents a view of the state of the art in anomaly detection and reaction (ADR) technology. The paper develops the view from six sources: three prior reports (two national, one MITRE), a survey of commercially available software, a survey of government software, and a survey of government-funded research projects. ADR encompasses the automated capabilities that can detect or find anomalies in computer systems, report them in useful ways, remove discovered anomalies, and repair damage they may have caused. Included in this scope of interest are traditional intrusion detection and reaction tools. The broader scope of anomaly detection and reaction also includes vulnerability scanners, infraction scanners, and security compliance monitors. These tools protect not only against intruders but against errors and carelessness in administration and operation of end systems and network components. This synopsis draws on the following sources of information: (1) the National Info-Sec Technical Baseline report on intrusion detection and response; (2) the description of the state of the art in network-based intrusion detection systems in a report of Hill and Aguirre; (3) the report of the Intrusion Detection Subgroup of the National Security Telecommunications Advisory Committee on the implications of intrusion detection technology research and development on national security and emergency preparedness; (4) product descriptions of commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) ADR systems; and (5) descriptions of current research in anomaly detection and reaction. Tables show intrusion detection tools by product type and architecture, provide commentary on issues in ADR, present the main thrust of numerous research efforts in ADR, and provide a condensation of the state of the art in ADR.

Document Details

Document Type
Technical Report
Publication Date
Jul 01, 1999
Accession Number
ADA459588

Entities

People

  • Leonard J. LaPadula

Organizations

  • MITRE Corporation

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Anomaly Detection
  • Application Protocols
  • Change Detection
  • Computer Network Security
  • Computers
  • Detection
  • Detectors
  • Digital Communications
  • Electronic Mail
  • Expert Systems
  • False Alarms
  • Information Security
  • Information Systems
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Warning Systems

Fields of Study

  • Computer science

Readers

  • Business Analytics
  • Sensor Fusion and Tracking Systems
  • Software Engineering