Windows NT Attacks for the Evaluation of Intrusion Detection Systems

Abstract

The 1999 DARPA Off-Line Intrusion Detection Evaluation provided a standard corpus for evaluating intrusion detection systems. It improved on the 1998 evaluation by providing attack-free training data for anomaly detection systems, scoring systems on attack identification in addition to attack detection, simplifying scoring and verification procedures, providing a written security policy, and performing more detailed analysis of missed detections and false alarms. It also introduced more stealthy attacks, insider attacks, and attacks against the Windows NT operating system. The focus of this thesis is the integration of Windows NT systems, background traffic, and attacks into the 1999 evaluation. Three Windows NT systems were added to the original test bed network: a victim machine, an outside attacker machine, and an insider attacker machine. The victim machine is a server with 92 user accounts; telnet, FTP, email, and web services; and security auditing enabled. UNIX scripts from the 1998 evaluation were modified to create Windows NT background traffic. In addition, web traffic originating from the server was automated by developing a JavaScript program called AutoBrowser. A realistic and relatively comprehensive set of 12 Windows NT attacks was developed for the 1999 evaluation. The set includes denial-of-service attacks, remote-to-local attacks, user-to-root attacks, probe attacks, insider attacks, console-based attacks, a man-in-the-middle attack, and an attack using macro code in a Microsoft application. Signatures in network traffic and Windows NT host data were analyzed for each attack. A Perl program called NTAD (ntaudit-detect.pl) was developed to evaluate the detectability of the Windows NT attacks in audit log data. NTAD successfully used the attack signatures to detect attack instances in Windows NT audit logs collected during the evaluation.
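The abstract describes NTAD as a signature scanner over Windows NT security audit logs but does not reproduce its signatures or input format. The block below is an added illustration of that style of host-based detection, written for this page; it is not NTAD and not code from the thesis. The record layout, the sample events and the two signatures (a burst of failed logons followed by a success, and an audit-log-cleared event) are constructed assumptions; only the NT 4.0 Security log event IDs 528 (successful logon), 529 (failed logon) and 517 (audit log cleared) are taken from the real operating system.

```python
"""Illustrative signature scan over Windows NT-style security audit records.

Added example, not the thesis's NTAD (ntaudit-detect.pl). The record format,
the sample events and the two signatures are constructed for illustration.
NT event IDs used: 528 = successful logon, 529 = failed logon,
517 = audit log cleared (real NT 4.0 Security log IDs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one record per line as "timestamp|event_id|user|source".
# The hosts, users and times are invented for this example.
SAMPLE_AUDIT = """\
1999-03-29 09:00:01|528|alice|172.16.112.50
1999-03-29 09:05:10|529|bob|172.16.113.20
1999-03-29 09:05:12|529|bob|172.16.113.20
1999-03-29 09:05:14|529|bob|172.16.113.20
1999-03-29 09:05:16|529|bob|172.16.113.20
1999-03-29 09:05:18|529|bob|172.16.113.20
1999-03-29 09:05:21|528|bob|172.16.113.20
1999-03-29 10:30:00|529|carol|172.16.112.10
1999-03-29 14:00:00|517|Administrator|172.16.112.100
"""


def parse_records(text):
    """Parse the constructed pipe-separated format into dicts, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, src = line.split("|")
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "event_id": int(eid), "user": user, "source": src})
    records.sort(key=lambda r: r["time"])
    return records


def detect_password_guessing(records, threshold=5, window=timedelta(seconds=60)):
    """Signature: at least `threshold` failed logons (529) for one (user, source)
    inside a sliding `window`; a later 528 for the same pair within the window
    marks the alert as a successful guess."""
    failures = defaultdict(list)   # (user, source) -> recent 529 timestamps
    pending = {}                   # (user, source) -> alert awaiting a 528
    alerts = []
    for r in records:
        key = (r["user"], r["source"])
        if r["event_id"] == 529:
            recent = [t for t in failures[key] if r["time"] - t <= window]
            recent.append(r["time"])
            failures[key] = recent
            if len(recent) >= threshold:
                alert = {"signature": "password_guessing", "user": key[0],
                         "source": key[1], "count": len(recent),
                         "time": r["time"], "succeeded": False}
                alerts.append(alert)
                pending[key] = alert
                failures[key] = []     # reset so one burst yields one alert
        elif r["event_id"] == 528 and key in pending:
            if r["time"] - pending[key]["time"] <= window:
                pending[key]["succeeded"] = True
            del pending[key]
    return alerts


def detect_audit_log_cleared(records):
    """Signature: any 517 event. Clearing the Security log is itself the last
    record written, so this is the one trace an attacker cannot remove."""
    return [{"signature": "audit_log_cleared", "user": r["user"],
             "source": r["source"], "time": r["time"]}
            for r in records if r["event_id"] == 517]


def scan(records):
    """Run every signature and return alerts in time order."""
    alerts = detect_password_guessing(records) + detect_audit_log_cleared(records)
    alerts.sort(key=lambda a: a["time"])
    return alerts


if __name__ == "__main__":
    for a in scan(parse_records(SAMPLE_AUDIT)):
        print(a)
```

The reset after each alert keeps a long guessing run from producing one alert per extra failure, and the per-(user, source) key is what separates bob's burst from carol's single typo. A real scanner would read the exported Security log rather than a constructed string, but the sliding-window count and the event-ID match are the same two primitives.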

Document Details

Document Type
Technical Report
Publication Date
Jun 01, 2000
Accession Number
ADA529610

Entities

People

  • Jonathan Korba

Organizations

  • Massachusetts Institute of Technology

Tags

Communities of Interest

  • Cyber
  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Basic Programming Language
  • Computer Networks
  • Computer Program Documentation
  • Computer Programs
  • Computer Science
  • Computers
  • Cybersecurity
  • Debugging
  • Detection
  • Intrusion
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Network Topology
  • Operating Systems
  • Test And Evaluation
  • Web Browsers

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Database Systems and Applications
  • Sensor Fusion and Tracking Systems