introduction and NIDES info

Teresa Lunt (lunt@csl.sri.com)
Fri, 5 Aug 1994 12:50:39 -0700

I'm Teresa Lunt and for the last 8 years or so have been working on
a series of increasingly capable experimental intrusion detection systems
here at SRI.  Our newest system, NIDES, is now available in beta release
at no cost.  For a very limited time, we are also making a one-week
hands-on free training course available.

Since I will be leaving SRI temporarily to take a job at ARPA as a program
manager in computer security (tlunt@arpa.mil), in my absence Debra Anderson
(debra@csl.sri.com) is the point of contact here at SRI for NIDES.

NIDES is a comprehensive intrusion-detection system that performs real-time
monitoring of user activity on a set of target system computers and
detects unusual and suspicious user behavior in real time on those target
systems.  NIDES runs on its own workstation and analyzes audit data
characterizing user activity collected from monitored systems to detect a
variety of suspicious user behavior.  

NIDES performs two types of analysis.  Its statistical analysis maintains
historical statistical profiles for each user and raises an alarm when
observed activity departs from established patterns of use for an
individual.  The historical profiles are updated regularly, and older data
"aged" out with each profile update, so that NIDES adaptively learns what
to expect from each user.  This type of analysis is intended to detect
intruders masquerading as legitimate users.  Statistical analysis may also
detect intruders who exploit previously unknown vulnerabilities who could not
be detected by any other means.  Statistical anomaly detection can also turn
up interesting and unusual events that could lead to security-relevant
discoveries upon investigation by a security officer.  The statistical
analysis is customizable: several parameters and thresholds can be changed
from their default values, and specific intrusion-detection "measures"
(the aspects of behavior for which statistics are kept) can
be turned on or off.
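The profile-with-aging idea in the paragraph above, as an added illustration that is not NIDES code and greatly simplifies its statistics: each user gets a historical profile of one "measure" (here, which commands the user runs), the profile is aged by a decay factor at each regular update so old activity fades, and a new observation raises an alarm when it departs too far from what the profile expects. The names `UserProfile`, `score_stream`, the constants `DECAY`, `PROFILE_PERIOD`, `MIN_HISTORY`, `THRESHOLD` and the sample events are all constructed for this example.

```python
"""Added illustration (not NIDES code) of the statistical side of the design:
per-user historical profiles of one "measure" (here: which commands a user
runs), aged at each profile update so old activity fades, and an alarm when a
new observation departs too far from the profile. The scoring is a deliberate
simplification; NIDES' real statistics are far richer. Events are constructed.
"""
import math
from collections import defaultdict

DECAY = 0.9           # assumed aging factor applied at each profile update
PROFILE_PERIOD = 50   # assumed: age every profile after this many audit events
MIN_HISTORY = 20.0    # assumed: do not score a user until this much profile weight exists
THRESHOLD = 4.0       # assumed alarm threshold on the surprise score (in nats)


class UserProfile:
    """Aged frequency counts of commands for one user."""

    def __init__(self):
        self.counts = defaultdict(float)
        self.total = 0.0

    def update(self, command):
        self.counts[command] += 1.0
        self.total += 1.0

    def age(self):
        """Multiply every count by DECAY so older data is gradually 'aged out'."""
        for cmd in list(self.counts):
            self.counts[cmd] *= DECAY
            if self.counts[cmd] < 1e-6:      # forget commands not seen for a long time
                del self.counts[cmd]
        self.total *= DECAY

    def surprise(self, command):
        """-log of the smoothed probability the profile assigns to this command.
        Add-one smoothing leaves some probability mass for never-seen commands."""
        vocab = len(self.counts) + 1
        p = (self.counts.get(command, 0.0) + 1.0) / (self.total + vocab)
        return -math.log(p)


def score_stream(events):
    """Run (user, command) events through the profiles and return the alarms
    as (user, command, score). Each event is scored against the profile as it
    stood *before* the event, then folded into it; every PROFILE_PERIOD events
    all profiles are aged (the 'regular profile update')."""
    profiles = defaultdict(UserProfile)
    alarms = []
    for i, (user, command) in enumerate(events, 1):
        prof = profiles[user]
        if prof.total >= MIN_HISTORY:
            s = prof.surprise(command)
            if s > THRESHOLD:
                alarms.append((user, command, s))
        prof.update(command)
        if i % PROFILE_PERIOD == 0:
            for p in profiles.values():
                p.age()
    return alarms


# Constructed sample: alice's usual edit/build cycle, then a single 'su';
# bob has too little history to be scored at all.
SAMPLE_EVENTS = [("alice", c) for c in ["ls", "vi", "make", "cc"] * 30]
SAMPLE_EVENTS.append(("alice", "su"))
SAMPLE_EVENTS += [("bob", "ftp")] * 5

if __name__ == "__main__":
    for user, command, score in score_stream(SAMPLE_EVENTS):
        print(f"ALARM user={user} command={command} score={score:.2f}")
```

Running it produces exactly one alarm, for alice's `su`: the four routine commands score around 1.4 nats against her profile, while the never-seen command scores about 4.7. The `MIN_HISTORY` gate is what keeps a brand-new user like bob from generating alarms while there is nothing yet to compare against, and the aging step is what lets a user whose habits genuinely change stop being flagged after a few update cycles.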

NIDES' rulebased analysis uses rules that characterize known intrusion types
to raise an alarm if observed activity matches any of its encoded rules.
This type of analysis is intended to detect attempts to exploit known
security vulnerabilities of the monitored systems and intruders who exhibit
specific patterns of behavior that are known to be suspicious or in violation
of site security policy.  Observed activity that matches any of these
predefined behaviors is flagged.  Unlike most competing systems, the NIDES
rulebase is customizable: new rules can be defined and compiled into the
running system, and existing rules can be turned on or off.  Although NIDES
comes with a limited rulebase designed for Sun UNIX operating systems, you will
want to customize the rulebase for your particular environment and to keep it
up to date with the changing vulnerabilities of new system releases and
discovered vulnerabilities of current releases.

Most competing intrusion-detection systems rely heavily on rulebased
analysis and perform only minimal statistical analysis.  
Because the intrusive behaviors detected by a rulebased system
are limited to those that the knowledge source knows about (seasoned
intruders may know of others), the combination of the statistical and
rulebased approaches is intended to provide comprehensive coverage, providing
the ability to detect specific actions that are known to be suspicious (via
the rulebased component), as well as masqueraders and unanticipated or unknown
intrusion methods (via the statistical component).

The NIDES resolver screens the alarms generated by the statistical and
rulebased components before reporting them to the security officer, to avoid
flooding the security officer with redundant alarms.  Alerts can be reported
to the NIDES console or to a list of email recipients.  Some
user-configurable filters are also provided.  For example, you can turn off
alert reporting for specific users, if you know they will be doing something
unusual and would otherwise generate a lot of false alarms.  Although
filtered alerts are not reported, they are still logged.

NIDES includes an archive facility that stores audit records, analysis
results, and alerts, and allows browsing of this archive.  NIDES also
includes a system monitoring facility that displays information on monitored
systems, status of the audit data archiver, a daily summary of system
throughput, and a daily summary of alert generation.

NIDES also includes a test facility that allows a security officer to
experiment with new statistical parameter settings or new rulebase
configurations before committing them to the running NIDES.  The NIDES user
may construct test data sets from the audit record archive for a specific
time window and set of user names.  The candidate rulebase and statistical
parameters can then be tested against these test data sets concurrent with
the running NIDES.  Test results are archived for comparison.

NIDES can operate either in real time, for continuous monitoring and analysis
of user activity, or in batch mode, for periodic batch analysis of audit
data.  NIDES can monitor numerous, possibly heterogeneous, machines.  The
monitored systems provide audit data to NIDES for analysis.  A process that
runs on each monitored system converts audit data in the monitored system's
native audit record format to a generic audit data format used by NIDES and
(in real-time mode) transmits the NIDES-formatted audit data to NIDES.  NIDES
receives data from multiple monitored systems and coalesces the data into a
single audit record stream for analysis.  Because NIDES uses a generic audit
record format, it is easily adapted to monitor new system types by writing a
simple audit data mapping routine (mapping routines for some system types are
already available).
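The rulebased component, the resolver and the per-host mapping routine described above, pulled together in one added example that is not NIDES code: a mapping routine turns a constructed native audit format into one generic record type, records from two hosts are coalesced into a single time-ordered stream, a small rulebase whose rules can be switched on or off flags known-suspicious patterns, and a resolver suppresses redundant alarms and alarms for users whose reporting has been turned off while still logging everything it suppresses. The `hostlog` line format, the `AuditRecord` schema, the two rules, the `RULEBASE` table and every log line are constructed for this illustration.

```python
"""Added illustration (not NIDES code) of three pieces described above: a
mapping routine that turns a host's native audit format into one generic
record format, a small rulebase whose rules can be switched on or off, and a
resolver that screens raw alarms before they reach the security officer while
still logging everything it suppresses. The 'hostlog' format and all log
lines are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    """Generic audit record shared by every monitored host (constructed schema)."""
    host: str
    time: int       # seconds since midnight, constructed
    user: str
    action: str     # e.g. "login", "exec", "su"
    outcome: str    # "ok" or "fail"
    arg: str = ""   # command name, target user, ...


def map_hostlog(host, line):
    """Mapping routine for the constructed native format
    'TIME USER ACTION OUTCOME [ARG...]'. Returns None for a line it cannot
    parse so one malformed line never stalls the audit stream."""
    parts = line.split()
    if len(parts) < 4 or not parts[0].isdigit():
        return None
    t, user, action, outcome = parts[:4]
    return AuditRecord(host, int(t), user, action, outcome, " ".join(parts[4:]))


def merge_streams(streams):
    """Coalesce the per-host record lists into one time-ordered audit stream."""
    return sorted((r for s in streams for r in s if r is not None),
                  key=lambda r: r.time)


# Rulebase entries are (name, enabled, predicate(record, records_so_far)).
def repeated_login_failures(rec, seen, limit=3, secs=60):
    """Fires on the limit-th failed login by the same user within secs seconds."""
    if rec.action != "login" or rec.outcome != "fail":
        return False
    fails = [r for r in seen if r.user == rec.user and r.action == "login"
             and r.outcome == "fail" and rec.time - r.time <= secs]
    return len(fails) >= limit


def su_root_off_hours(rec, seen):
    """Fires on su to root outside 08:00-18:00 (a constructed site policy)."""
    hour = (rec.time // 3600) % 24
    return rec.action == "su" and rec.arg == "root" and not (8 <= hour < 18)


RULEBASE = [
    ("repeated-login-failures", True, repeated_login_failures),
    ("su-root-off-hours", True, su_root_off_hours),
]


def run_rulebase(records, rulebase=RULEBASE):
    """Return raw alarms (time, user, rule) for every record matching an enabled rule."""
    alarms, seen = [], []
    for rec in records:
        seen.append(rec)
        for name, enabled, pred in rulebase:
            if enabled and pred(rec, seen):
                alarms.append((rec.time, rec.user, name))
    return alarms


def resolve(alarms, filtered_users=(), dedupe_secs=300):
    """Resolver: report each (user, rule) at most once per dedupe_secs and drop
    alarms for users whose reporting is switched off; every raw alarm is still
    written to the log. Returns (reported, logged)."""
    reported, logged, last = [], [], {}
    for t, user, rule in alarms:
        logged.append((t, user, rule))
        if user in filtered_users:
            continue
        if (user, rule) in last and t - last[(user, rule)] < dedupe_secs:
            continue
        last[(user, rule)] = t
        reported.append((t, user, rule))
    return reported, logged


# Constructed native logs from two hosts (one line is deliberately malformed).
HOST_A = ["1000 alice login ok", "1005 alice exec ok ls",
          "1010 mallory login fail", "1020 mallory login fail",
          "1030 mallory login fail", "1040 mallory login fail",
          "this line is not an audit record"]
HOST_B = ["1015 bob login ok", "36000 bob su ok root", "1050 carol su ok root"]


def analyze(filtered_users=()):
    """Map both hosts, merge, apply the rulebase, resolve; returns (reported, logged)."""
    records = merge_streams([[map_hostlog("hostA", l) for l in HOST_A],
                             [map_hostlog("hostB", l) for l in HOST_B]])
    return resolve(run_rulebase(records), filtered_users)


if __name__ == "__main__":
    reported, logged = analyze(filtered_users=("carol",))  # carol's reporting is off
    print("reported:", reported)
    print("logged:  ", logged)
```

With carol's reporting switched off, the console sees a single alarm (mallory's third failed login); the fourth failure ten seconds later and carol's off-hours `su` both land only in the log. Running `analyze()` with no filter reports carol as well. Adding a new rule is a matter of appending a `(name, enabled, predicate)` entry to `RULEBASE`, and the malformed line in `HOST_A` shows why the mapping routine should return `None` rather than raise: the rest of that host's audit data still reaches the analysis.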

NIDES includes a user interface written using the MOTIF toolkit to operate
under the X-Window system.  Access to the various NIDES functions is provided
via pulldown menus, point-and-click selections, and occasional text entry.
An extensive multitiered context-sensitive help system is included.  NIDES
also includes a comprehensive user's manual and tutorial.

NIDES runs on most Sun Sparcstations.

Evaluation copies of the NIDES beta release are being offered at no charge.
You should contact Debra Anderson (debra@csl.sri.com).