I'm Teresa Lunt and for the last 8 years or so have been working on a series of increasingly capable experimental intrusion detection systems here at SRI. Our newest system, NIDES, is now available in beta release at no cost. For a very limited time, we are also making a one-week hands-on free training course available. Since I will be leaving SRI temporarily to take a job at ARPA as a program manager in computer security (tlunt@arpa.mil), in my absence Debra Anderson (debra@csl.sri.com) is the point of contact here at SRI for NIDES.

NIDES is a comprehensive intrusion-detection system that performs real-time monitoring of user activity on a set of target system computers and detects unusual and suspicious user behavior in real time on those target systems. NIDES runs on its own workstation and analyzes audit data characterizing user activity collected from monitored systems to detect a variety of suspicious user behavior. NIDES performs two types of analysis.

Its statistical analysis maintains historical statistical profiles for each user and raises an alarm when observed activity departs from established patterns of use for an individual. The historical profiles are updated regularly, and older data "aged" out with each profile update, so that NIDES adaptively learns what to expect from each user. This type of analysis is intended to detect intruders masquerading as legitimate users. Statistical analysis may also detect intruders who exploit previously unknown vulnerabilities and who could not be detected by any other means. Statistical anomaly detection can also turn up interesting and unusual events that could lead to security-relevant discoveries upon investigation by a security officer. The statistical analysis is customizable: several parameters and thresholds can be changed from their default values, and specific intrusion-detection "measures" (the aspects of behavior for which statistics are kept) can be turned on or off.
NIDES' rulebased analysis uses rules that characterize known intrusion types to raise an alarm if observed activity matches any of its encoded rules. This type of analysis is intended to detect attempts to exploit known security vulnerabilities of the monitored systems and intruders who exhibit specific patterns of behavior that are known to be suspicious or in violation of site security policy. Observed activity that matches any of these predefined behaviors is flagged. Unlike most competing systems, the NIDES rulebase is customizable: new rules can be defined and compiled into the running system, and existing rules can be turned on or off. Although NIDES comes with a limited rulebase designed for Sun UNIX operating systems, you will want to customize the rulebase for your particular environment and to keep it up to date with the changing vulnerabilities of new system releases and discovered vulnerabilities of current releases.

Most competing intrusion-detection systems rely heavily on rulebased analysis and perform only minimal statistical analysis. Because the intrusive behaviors detected by a rulebased system are limited to those that the knowledge source knows about (seasoned intruders may know of others), the combination of the statistical and rulebased approaches is intended to provide comprehensive coverage: the ability to detect specific actions that are known to be suspicious (via the rulebased component), as well as masqueraders and unanticipated or unknown intrusion methods (via the statistical component).

The NIDES resolver screens the alarms generated by the statistical and rulebased components before reporting them to the security officer, to avoid flooding the security officer with redundant alarms. Alerts can be reported to the NIDES console or to a list of email recipients. Some user-configurable filters are also provided.
For example, you can turn off alert reporting for specific users, if you know they will be doing something unusual and would otherwise generate a lot of false alarms. Although filtered alerts are not reported, they are still logged.

NIDES includes an archive facility that stores audit records, analysis results, and alerts, and allows browsing of this archive. NIDES also includes a system monitoring facility that displays information on monitored systems, status of the audit data archiver, a daily summary of system throughput, and a daily summary of alert generation.

NIDES also includes a test facility that allows a security officer to experiment with new statistical parameter settings or new rulebase configurations before committing them to the running NIDES. The NIDES user may construct test data sets from the audit record archive for a specific time window and set of user names. The candidate rulebase and statistical parameters can then be tested against these test data sets concurrent with the running NIDES. Test results are archived for comparison.

NIDES can operate either in real time, for continuous monitoring and analysis of user activity, or in batch mode, for periodic batch analysis of audit data. NIDES can monitor numerous, possibly heterogeneous, machines. The monitored systems provide audit data to NIDES for analysis. A process that runs on each monitored system converts audit data in the monitored system's native audit record format to a generic audit data format used by NIDES and (in real-time mode) transmits the NIDES-formatted audit data to NIDES. NIDES receives data from multiple monitored systems and coalesces the data into a single audit record stream for analysis. Because NIDES uses a generic audit record format, it is easily adapted to monitor new system types by writing a simple audit data mapping routine (mapping routines for some system types are already available).
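To make the statistical component and the resolver's per-user filtering concrete, here is an added illustrative sketch; it is not SRI's NIDES code. It assumes a single "measure" (commands run), an exponential aging factor of 0.5, a chi-square-like anomaly score, and an alert threshold of 10, all of which are constructed for the example.

```python
from collections import Counter

class UserProfile:
    """Aged long-term frequency profile of one NIDES-style 'measure' (here:
    commands run); old data decays at each update so expectations adapt."""
    def __init__(self, decay=0.5):
        self.decay = decay          # fraction of old counts kept (assumed value)
        self.counts = Counter()

    def update(self, observed):
        for cmd in list(self.counts):   # age out older data
            self.counts[cmd] *= self.decay
        self.counts.update(observed)    # fold in the new window

    def anomaly_score(self, observed):
        """Chi-square-like distance between a window and the profile; the
        +1 in the denominator keeps never-before-seen commands finite."""
        total = sum(self.counts.values())
        if total == 0:                  # no history yet: nothing to compare
            return 0.0
        n = sum(observed.values())
        score = 0.0
        for cmd in set(self.counts) | set(observed):
            expected = n * self.counts.get(cmd, 0) / total
            score += (observed.get(cmd, 0) - expected) ** 2 / (expected + 1.0)
        return score

class Detector:
    """Scores each user's activity window, logs every alert, and reports only
    those not suppressed by a per-user filter (the resolver's screening role)."""
    def __init__(self, threshold=10.0):
        self.threshold = threshold      # assumed alert threshold
        self.profiles = {}
        self.filtered = set()           # alerts for these users are logged, not reported
        self.logged, self.reported = [], []

    def process_window(self, user, commands):
        observed = Counter(commands)
        prof = self.profiles.setdefault(user, UserProfile())
        score = prof.anomaly_score(observed)
        if score > self.threshold:
            self.logged.append((user, round(score, 2)))
            if user not in self.filtered:
                self.reported.append((user, round(score, 2)))
        prof.update(observed)           # the profile keeps learning from each window
        return score
```

Feeding three identical "normal" windows for a user yields a score of 0, while a window of commands the profile has never seen scores well above the threshold; marking that user as filtered keeps the alert in `logged` but out of `reported`.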
NIDES includes a user interface written using the MOTIF toolkit to operate under the X-Window system. Access to the various NIDES functions is provided via pulldown menus, point-and-click selections, and occasional text entry. An extensive multitiered context-sensitive help system is included. NIDES also includes a comprehensive user's manual and tutorial. NIDES runs on most Sun Sparcstations.

Evaluation copies of the NIDES beta release are being offered at no charge. You should contact Debra Anderson (debra@csl.sri.com).