Re: New to IDS and desperately seeking info

Justin J. Lister (ruf@SPi)
Mon, 30 Jan 1995 08:37:34 +1100 (EST)

"Andrew Cowell wrote:"

>I've lurked on the list for a while, and have never seen a FAQ or the
>bibliography promised in the majordomo info for the list.  Are these
>available?  It has recently come to my attention that we really need
>some sort of IDS here.

1. FAQ - I have been meaning to work on this, unfortunately something
else always comes up. B(

I should start working on it soon. If anyone has any questions,
suggestions or contributions for the FAQ please email them directly to
me. Any contributions are greatly appreciated.

Some of the things I think would be useful for the FAQ:

- list of general questions/answers about intrusion detection and
methods/system developments.

- list of resources (i.e. e-papers, tools, pointers; ftp, www).

- section on research groups working on intrusion detection systems.
Essentially an introduction to the group and their work in intrusion
detection; some pointers to current (and historical) system
developments would be useful, plus any www pointers/email contacts for
queries etc.

- bibliography of works in intrusion detection and related computer
security documentation.


2. Bibliography - A collection of my bibliographies was mailed to the
list in the early stages. I have been trying to establish an ftp/www
archive for the mailing list. (I should know more about this in a week
or so). For now you can try ftp'ing to osiris.cs.uow.edu.au:4001
(anonymous/email address). This is just a modem link so it will be a
little slow, and occasionally disconnected. If you have any problems
connecting, email me. Look in /pub/security/ids.

>Anyway, here's what particular information I am looking for:

>What freely available IDS's are there?

1. NIDES beta - contact debra@csl.sri.com for more information.

2. NID - only available to DoD/DoE; contact Bob Palasek (NID Project
Leader) at (510) 422-8527 or palasek@llnl.gov for more information.

3. ASAX - ftp ftp.info.fundp.ac.be. You can contact the developers for
questions, bug fixes, etc. at asax@info.fundp.ac.be.

[ If anyone knows of any other available systems please send me
details. ]

>How low level are they?  Do they mostly deal with user logins, or are
>there tools that can do net traffic analysis?

Some are quite sophisticated (there is also a wide variety/number of
systems). Most analyze user login patterns, but a large number of
other user-profiling measures are also used.

I am also making my thesis ``Intrusion Detection Systems: An
Introduction to the Detection and Prevention of Computer Abuse''
available (I am working on expanding it as a guide - any
corrections/suggestions/contributions are welcomed). It can also be
obtained by ftp'ing to osiris.cs.uow.edu.au:4001
/pub/security/ids/ps/thesis-lis95.

>What is the mathematical analysis behind it?  (I'm slack on
>statistics, etc...so pointers to specific algorithms or papers would
>be nice)

Look in the bib files in /pub/security/ids/bib for references.

-- 
+---------------------+--------------------------------------------------+
|  ____       ___     | Justin Lister                 ruf@cs.uow.edu.au  |
| |    \\   /\ __\    |     Center for Computer Security Research        |
| | |) / \_/ / |_     | Dept. Computer Science      voice: 61-42-214-327 |
| |  _ \\   /| _/     | University of Wollongong      fax: 61-42-214-329 |
| |_/ \/ \_/ |_| (tm) |     Computer Security a utopian dream...         |
|                     |       Disclaimer: dreaming is at own risk        |
+---------------------+--------------------------------------------------+