Re: The intrusion detection report from TIS

Justin Lister (ruf@osiris.cs.uow.edu.au)
Sat, 6 Aug 1994 03:13:48 +1000 (EST)

> > Summary of the Trusted Information Systems (TIS) Report on Intrusion 
> > Detection Systems - prepared by Victor H. Marshall
> > ******************************************************************** 
> >                 INTRUSION DETECTION IN COMPUTERS
> >                         January 29, 1991

> This report was dated early '91; the information contained within is 
> meaningless today.

I wonder whether the developers would appreciate that statement, but
you are probably correct. I think it is helpful though, as a lot of
the members of the list might not have much of any idea of the history
of IDS.

[ haystack deleted ]

> Since then, Steve Smaha at Haystack Labs has come out with a product called
> "Stalker" which does a *VERY* (IMHO) nice job of auditing a network of
> Sun workstations. A bit pricey, but a great deal of research has been put
> into it, so it's worth it if you can afford it.

Unfortunately cost will always restrict general accessibility to such systems.
Do you know if there has been any information that has been released about
Stalker? If not it might be a good idea to get him onto the list; maybe
we can get some info off him then. 

> >           (4)  Intrusion-Detection Expert System (IDES).  The
> > IDES model was developed by SRI International in 1985 and has
> > been implemented on Sun workstations as a research prototype
> > under a contract with the U.S. Navy (SPAWAR).  A version of IDES
> > for IBM mainframes (using the MVS operating system) will soon be
> > implemented under a contract with the Federal Bureau of
> > Investigation (FBI).  IDES is designed to be easily implemented
> > in many different environments.  The IDES model has been the
> > basis for most intrusion detection research to date and it forms
> > the conceptual basis for Haystack, MIDAS, and W&S.  (NOTE: 
> > Haystack was covered above.  MIDAS and W&S are covered below.)

>   I don't think IDES has ever been put into production, and is still
> (after 9 years) VERY experimental. Feel free to correct me if you're
> on the IDES project (or NIDES for that matter).

Considering the amount of research in the IDES -> NIDES systems, I think we
can safely assume that it will never be available to the masses (I may be
wrong), but I would think the complexities of the system would ensure it is
out of reach of the less experienced system administrators.

> >           (7)  Network Anomaly Detection and Intrusion Reporter
> > (NADIR).  NADIR was developed by the Department of Energy's Los
> > Alamos National Laboratory (LANL) in 1989 to analyze data from a
> > unique LANL Network Security Controller (NSC).  There are no
> > plans to modify NADIR for use in other systems.

>   This is my pet project. On January 1st, stage one of UNICORN (Unicos
> Real-time NADIR) and KNADIR (Kerberos NADIR) will be finished and
> be in production here at LANL. UNICORN works with Unicos security audit
> records and does a good deal of Unix generic vulnerability testing.
> KNADIR works with a slightly modified Kerberos v4 audit record (we just
> made it a little more thorough).

You wouldn't happen to have any copies of tech reports or conference papers
on NADIR that you could send me? Electronic versions would be more favourable
(1. cost of distribution, 2. can store in archives for others). Of course any 
information that you can release on UNICORN would be valuable.

On the subject of papers - if anyone has any papers, either electronic or
paper, I would be very grateful if you could send a copy here. We could 
probably find someone to scan some documents (any volunteers?). Though it
might be easier to track down electronic versions from the authors.

> >           (8)  Network Security Monitor (NSM).  An NSM prototype
> > was recently developed by the University of California Davis
> > (UCD) and is currently running on a Sun 3/50.  NSM was designed
> > to analyze data from an Ethernet local area network (LAN) and the
> > hosts connected to it.  NSM is a research system, but UCD hopes
> > to eventually expand its scope to include real environments,
> > real attacks, and perhaps wide area networks.

>   Since then this has become NIDS. If you're a member of the DOE or DOD
> you can get this for free (through CIAC or DISA's ASSIST).

Shucks, guess I miss out again.

> It does a lot
> of nice analysis of raw data. I think there are some major features missing
> (it's based mostly on the analysis of strings going by on the network), but
> it's a nice system to play with, and if you have a lot of free time, to run
> in production...

How did the Distributed Intrusion Detection System (DIDS) progress? I only
have the design goals (those from UCD might want to fill me in). Has the
prototype been completed yet? (Started in '91?)

> >           (9)  W&S.  W&S is an anomaly detection system that has
> > been under development at LANL for the NCSC and DOE since 1984. 
> > W&S runs on a UNIX workstation and can analyze data from several
> > different systems.

I remember trying to understand how the tree forest was constructed and pruned
was quite a difficult task (the only reference at the time was the article from
Computers & Security, "Intrusion Detection: Its Role and Validation"). I
believe those working on the SRI statistical component (Javitz and Valdes) also 
had the same problems - stated in "The NIDES Statistical Component: Description
and Justification".

>   There is a newer project based on this here, but it's in its first few
> months of development. The original W&S was bought on a tech transfer by
> one of the original authors. LANL has nothing to do with it anymore. 
> Basically, W&S looks at a dataset and tries to generate meta-rules about
> the data. Then, when presented with new datasets, it applies these meta-rules
> to detect anomalies.

Thank you for the outline of current developments; being outside the US and
with few contacts makes it difficult to follow the progression of work.

> -Mike

-- 
+---------------------+--------------------------------------------------+
|  ____       ___     | Justin Lister                 ruf@cs.uow.edu.au  |
| |    \\   /\ __\    |     Center for Computer Security Research        |
| | |) / \_/ / |_     | Dept. Computer Science      voice: 61-42-214-330 |
| |  _ \\   /| _/     | University of Wollongong      fax: 61-42-214-329 |
| |_/ \/ \_/ |_| (tm) |     Computer Security a utopian dream...         |
|                     |  LiNuX - the only justification for using iNTeL  |
+---------------------+--------------------------------------------------+