Software Engineering Institute Carnegie Mellon

State of the Practice of Intrusion Detection Technologies

Appendix D Review of Selected IDS Literature

This appendix is a resource that allows interested readers quick access to documents relevant to their needs. Table D-1 in this appendix provides a road map to the subsequent literature review. Reviews are grouped together according to main and sub-topics. Many of the materials we reviewed are available only on the Web so there is no guarantee that their URLs are still valid; however, we are maintaining a hard copy of all the material reviewed from Web references mentioned in this appendix.

Table D-1: Summary of literature review

Main Topic                | Sub-topic                 | Subject Matter
1. Surveys                |                           | Provides an overview of the status of ID technology.
                          | 1.1 General               | Identifies and summarizes techniques and approaches used in ID systems.
                          | 1.2 Tools                 | Identifies and summarizes characteristics of specific ID tools.
2. Taxonomies             |                           | Provides a means for synthesizing knowledge about the subject of intrusion.
                          | 2.1 Intrusion types       | Defines a structured framework for comparing and reasoning about different approaches to intrusion.
                          | 2.2 Intrusion methods     | Defines a structured framework for comparing and reasoning about different methods for detecting signs of intrusion.
                          | 2.3 Glossaries            | Provides definitions of terms relevant to ID.
3. Testing and evaluation |                           | Provides a resource area for those who wish to perform evaluations on ID systems.
                          | 3.1 Product reviews       | Provides examples of recent IDS reviews.
                          | 3.2 Vendor questions      | Identifies questions to ask before purchasing an IDS.
                          | 3.3 Testing methodologies | Identifies resources (techniques and data) to support a test program.
                          | 3.4 IDS vulnerabilities   | Describes weaknesses that leave ID systems open to compromise.
4. Research               |                           | Provides insights into the evolution of ID technology and where it is headed.
                          | 4.1 Methods               | Reviews significant conceptual approaches to ID.
                          | 4.2 Products              | Reviews tools that have pioneered new ID techniques.
5. Commercial products    |                           | Reviews primarily commercial literature on current ID systems and their capabilities.
6. ID directions          |                           | Discusses issues with current systems and where the research and commercial communities are focusing their efforts.
 

 

D.1 Surveys

General surveys

The following papers review general information in intrusion detection. They focus on underlying methods, problems with ID systems, pros and cons of different approaches, adoption issues, etc. They may discuss specific tools but that is not their main focus.  

Topic
General ID survey - paper 1
Title
First International Workshop on the Recent Advances in Intrusion Detection
Author(s)/date
Multiple, 1998
Affiliation
Sponsored by IBM, and Joint Research Center of the European Community
Reference
http://www.zurich.ibm.com
Discussion

This workshop brought together leading academic, government and industry players in the ID arena. Presentations covered a comprehensive set of topics associated with intrusion detection including technology advancements, experiences, legal matters, tool development etc. The above reference points to a Web page that summarizes all the presentations.

 

Topic
General ID survey - paper 2
Title
A Survey of Intrusion Detection Techniques
Author(s)/date
Teresa F. Lunt, SRI International, 1993
Affiliation
SRI International
Reference
Computers and Security, 12 pp 405-418
Discussion

Lunt describes some of the techniques that SRI was exploring in the early 1990s and how these techniques were being tested in the IDES system. A major focus of these explorations was the statistical detection of computer usage patterns that do not correspond to normal user behavior (i.e., anomalies that may indicate intrusion). She also describes some of the early work on the use of expert systems to detect patterns of misuse, for example, password guessing. It was recognized, however, that the expert system "will be no better than the knowledge and the reasoning principles it incorporates," and that "an obvious limitation is that we are looking for known vulnerabilities." In addition to describing the use of statistical and expert system approaches, Lunt reviews the use of neural networks, model-based reasoning, and key-stroke dynamics as techniques being researched to support the detection of unauthorized computer use.

 


Topic

General ID survey - paper 3
Title
An Introduction to Intrusion Detection
Author(s)/date
Aurobindo Sundaram, 1996
Affiliation
Purdue University
Reference
http://www1.acm.org/crossroads/xrds2-4/intrus.html
Discussion

This introduction to ID covers the basic issues, describing the need for intrusion detection and the major approaches that have been used or are being researched. Sundaram reviews both anomaly detection and misuse detection and their methods. Under the anomaly category, he reviews training the system through statistical approaches, predictive patterns, and neural networks. Under the misuse category he identifies: rule matching through expert systems; keystroke monitoring, where particular keystroke combinations may be indicative of an intrusion attempt; model-based ID; and state transition analysis, where the temporal sequence of an attempted intrusion is taken into account. He ends by stating that "intrusion detection is still a fledgling field of research."

 


Topic

General ID survey - paper 4
Title
Languages and Tools for Rule-Based Distributed Intrusion Detection
Author/date
Abdelaziz Mounji, 1997
Affiliation
Facultes Universitaires Notre-Dame de la Paix Namur
Reference
ftp://ftp.info.fundp.ac.be/pub/users/amo/thesis.ps.Z (requires login)
Discussion

This dissertation describes a rule-based language called RUSSEL. However, Chapter 2 provides a good review of related work in intrusion detection. Mounji discusses, and provides examples of, tools that employ either the anomaly or the misuse approach, and methods that support these approaches. He identifies neural networks, predictive pattern recognition and data clustering as examples of techniques supporting anomaly detection. Within the misuse category he identifies rule-based expert systems, state transition analysis, and colored Petri nets as possible approaches. He also identifies benefits and drawbacks of the anomaly approach. Within the misuse category, he only discusses benefits and drawbacks of STAT, a tool that uses a state-transition approach to misuse detection. He concludes the section with a discussion of the current problems of ID systems.

 


Topic

General ID survey - paper 5
Title
Network- vs. Host-based Intrusion Detection
Author/date
N/A, 1998
Affiliation
Internet Security Systems
Reference
http://www.iss.net/prod/whitepapers/
Discussion

This short paper is not a survey as the above papers are, but instead "surveys" the characteristics of host and network systems. It provides useful information into the strengths of each approach. Since this is a vendor paper it is not surprising that weaknesses are not identified, although one might imply that the strengths of one approach could be the weaknesses of the other.

 


Topic

General ID survey - paper 6
Title
An Introduction to Intrusion Detection and Assessment
Author
Rebecca Bace, 1999
Affiliation
Infidel, Inc.
Reference
Content

This very readable report provides current (circa 1999) information on a broad range of issues on intrusion and "explains how ID and vulnerability assessment products fit into the framework of security products." Thus it provides context as to where ID systems fit within the broader scope of computer security, and what ID systems can and cannot do. It also surveys pros and cons of different choices such as selection of a host-based or network-based system, a batch or real-time system, and a signature (anomaly) or statistical (misuse) analysis method. The paper concludes with a useful glossary of terms, but as it is primarily intended as a high-level introduction, it does not go into much technical detail.

 

 

Tool surveys

While the underlying approaches to ID have some stability, the implementations are rapidly evolving and vendors' products are in constant flux. Thus it is difficult to provide information that does not quickly become obsolete. With that caveat, the following resources provide information on ID tools. We begin by identifying those resources that are primarily lists. These lists tend to mix commercial and research products.

Topic
General IDS resource lists
Title
Intrusion Detection
Author/Date
J. Green, 1998
Title
Michael Sobirey's Intrusion Detection Systems page
Author/Date
M. Sobirey, 6-6-99 (current update)
Affiliation
Security Networks AG
Reference
http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
Title
SANS/NSA Intrusion Detection Tools Inventory
Author/Date
G. Stocksdale, Spring 1998 (no longer updated)
Affiliation
NSA Information Systems Security Organization
Reference
http://www.sans.org/NSA/idtools.htm
Discussion

These resources provide pointers to ID tools. The IATAC list is available only in paper but can be ordered through the Web site. However, there are restrictions on who can order the report (see Web site for details). A summary of this list can be found in the IATAC Newsletter Vol 1, No. 3, (also see Web site for details).

 


Topic

DARPA research
Title
Survivability of Large Scale Systems
Author(s)
Many, as multiple projects are reviewed
Affiliation
DARPA
References
http://www.darpa.mil
http://www.darpa.mil


Content

These Web pages provide information on what Intrusion Detection Systems DARPA is funding, and in turn provide pointers both to summaries of the work and to the responsible organizations. The latter two URLs point to agendas of DARPA meetings where presentations were given on tools and other activities related to DARPA-funded projects in ID. These agendas point to relevant IDS presentations.

 

Topic
Summary of research and commercial tools
Title
Network Intrusion detection
Author(s)/date
B. Mukherjee, L. T. Heberlein, and K. N. Levitt, 1994
Affiliation
UC Davis
References
IEEE Network May/June 1994
http://seclab.cs.ucdavis.edu
Discussion

This paper provides a useful summary of many research and commercial tools. The paper is organized into host-based and network-based systems. Each tool review is structured into an overview, a system organization description and a system operation description. The host-based systems covered include Computer Watch, Discovery, HAYSTACK, IDES, ISOA, MIDAS, and Wisdom & Sense. Networked systems include IDES, NADIR, as well as more detailed descriptions of NSM and DIDS. The paper concludes by providing a case study of the algorithmic approach used in HAYSTACK.

 

 

D.2 Taxonomies

Intrusion detection is still an immature discipline and has yet to establish a commonly accepted semantic framework. Several different classifications of intrusion types have been proposed, as have different ways of classifying ID methods. A commonly accepted vocabulary is still absent. This section identifies papers that address these issues: classification of intrusion types, classification of ID methods, and glossaries of computer intrusion terms.

 

 

Taxonomies of intrusion attacks

Topic
A taxonomy of intrusion approaches - paper 1
Title
A Summary of Computer Misuse Techniques
Author(s)
P. G. Neumann, D. B. Parker, 1989
Affiliation
SRI International
Reference
NIST/NCSC 12th Annual Computer Security Conference
Discussion

This paper describes a classification of approaches to computer intrusion. The approach was developed on the basis of 3000 cases that were collected since 1970, and so has a solid practical foundation. The paper identifies nine basic misuse techniques. These span issues ranging from the non-technical (e.g., physical scavenging and spying); to bypassing intended controls (e.g., password guessing and exploitation of incomplete error handling); to preparatory explorations in anticipation of intrusion (such as seeking matches to encrypted password files). The paper raises the issues of collaborative misuse (where multiple individuals, each having different user privileges, are required for perpetrating misuse); effects of misuse (such as compromise of national security or even death); and motivations for misuse (such as espionage or peer pressure or financial gain). Other issues such as skills required for perpetrating misuse, resources required, and avoidance, prevention, detection and recovery are briefly reviewed.

 

Topic
A taxonomy of intrusion approaches - paper 2
Title
How to Systematically Classify Computer Security Intrusions
Author(s)/date
U. Lindqvist, E. Jonsson, 1996
Affiliation
Chalmers University of Technology
Reference
http://www.ce.chalmers.se/staff/ulfl/pubs.html
Content

Lindqvist and Jonsson's paper describes a set of experiments; the objective "was to find operational measures of computer security, that is measures which reflect the dependence on and uncertainty of the operational environment in a probabilistic way." As a basis for their experiments they adapted the above taxonomy of Neumann and Parker. At the same time they developed a taxonomy of intrusion results based on the goals of computer security: confidentiality, integrity and availability. The experiments used 24 student "attackers" who attempted to creatively penetrate a university network (with some restrictions on what they could do). They then correlated the frequencies of intrusion techniques with intrusion results. A conclusion from the paper is that "Some techniques have a one-to-one correspondence with the result, while other techniques can be used to reach many different kinds of results."

 

Topic

A taxonomy of intrusion approaches - paper 3

Title

An Analysis of Security Incidents on the Internet 1989-1995, Chapter 6: A Taxonomy of Computer and Network attacks

Author/date
J. D. Howard, 1997
Affiliation
CERT®/CC
Reference
http://www.cert.org/research/JHThesis/Chapter6.html
Discussion

While the main goal of this thesis is to analyze Internet incidents, it also provides a framework that supports this analysis. Howard reviews different types of taxonomies including lists of terms; lists of attack categories; lists of result categories; empirical lists (such as the Neumann and Parker taxonomy above); two-dimensional correlations (such as Lindqvist and Jonsson's taxonomy, above); and process-based taxonomies, which focus on temporal patterns. Howard proposes a taxonomy that fits within the latter category. It shows the sequential dependency between attackers, their tools, the access resulting from the use of these tools, the results generated from the access, and the attackers' objectives in using the results. Each category (e.g., tools) is subdivided into examples (e.g., toolkit).

 

Topic

A taxonomy of intrusion approaches - paper 4

Title

A Taxonomy of Internet Attacks

Author/date
M. J. Ranum, no date
Affiliation
Network Flight Recorder, Inc.
Reference
http://www.clark.net
Discussion

A set of presentation slides that reviews and categorizes many of the methods used to attack computer networks. Quoting from the presentation, the following types of attacks are reviewed:

  • social engineering (fooling the victim for fun and profit),

  • impersonation (stealing access rights of authorized users),

  • exploits (exploiting a hole in software or operation systems),

  • transitive trust (exploiting host-host or network-network trust),

  • infrastructure (taking advantage of protocol or infrastructure features or bugs),

  • denial of service (preventing the system from being used), and

  • magic (new things nobody has seen yet)

Taxonomies of intrusion detection methods  

Topic

A taxonomy of ID methods - paper 1

Title

Towards a Taxonomy of Intrusion-Detection Systems

Author(s)/date
H. Debar, M. Dacier, A. Wespi, 1998
Affiliation
IBM
Reference
http://www.zurich.ibm.com
Discussion

This taxonomy defines four major characteristics of ID systems, and each characteristic is given two sub-categories. These four characteristics are: detection method (either behavior based or knowledge based); behavior on detection (either passive or active); audit source location (either host log files or network packets); and usage frequency (either continuous monitoring or periodic analysis). Each category and sub-category is described and examples are given. Problems, pros and cons are identified where appropriate. At the end of the paper, summary characteristics of 22 tools, with respect to their algorithmic approach and network/host capability, are provided.

 

Topic

A taxonomy of ID methods - paper 2

Title

Ain't Misbehaving: a Taxonomy of Anti-Intrusion Techniques

Author(s)
L. R. Halme, R. K. Bauer, 1995
Affiliation
Arca Systems, Inc.
Reference
Proc 18th National Information Systems Security Conference, 1995
Discussion

This taxonomy provides a broad perspective on ID-related issues. The authors call the taxonomy AINT (Anti-intrusion Taxonomy) which is composed at the top level of six "mutually supportive" approaches. These are: prevention (precluding the likelihood of attack); preemption (striking offensively against an attacker); deterrence (inhibiting the initiation or continuation of an attack); deflection (deluding the intruder into believing he has succeeded); detection (identifying unauthorized from authorized use); and countermeasures (automatically countering an intrusion). The paper describes each of these categories.

 

 

Glossaries of computer intrusion terms

There are a number of glossaries on computer security but few that focus on intrusion detection. The criterion for inclusion in this category was that the glossary had to at least define the terms "anomaly" and "misuse." Sadly, only one glossary was found that met that criterion.  

Topic

ID glossary

Title

SANS/NSA Glossary of Terms Used in Security and Intrusion Detection

Author/date

G. Stocksdale, 1998

Affiliation
NSA Information Systems Security Organization
Reference
http://www.sans.org/NSA/glossary.htm
Discussion

Provides definitions for over 200 terms used in computer security and intrusion detection.

 

 

D.3 Testing and Evaluation

Four sub-categories are identified under Testing and Evaluation: product reviews, questions to ask vendors, testing methodologies, and ID system vulnerabilities. (The latter category is included because it provides insights regarding what to test for.)

Product reviews

Trade magazines perform evaluations of variable quality: some perform testing at reasonable depth while others only do qualitative surveys. By their nature, their evaluations become dated quite quickly due to the rapidly evolving technology. That being said, here are some references to representative evaluations (in chronological order):

Table D-2: Magazine references

Magazine         | Review date   | Products reviewed                                                              | Reference
Secure Computing | February 1999 | AXENT, eSafe, everLink, Entrax, Notification, SAFEsuite, SecureWare, Snow, Vasco | http://194.202.195.4/securecomputing/1999_02/testc/products.html
ZDNet            | February 1999 | RealSecure, SessionWall, Kane, Netprowler                                      | http://www.zdnet.com/products/stories/reviews/0,4161,389071,00.html
DataComm         | August 1998   | SessionWall, NFR, NetRanger, NFR, RealSecure, IDTrack                          | http://www.data.com/lab_tests/intrusion.html
PCWeek Online    | June 1998     | Entrax                                                                         | http://www.zdnet.com/pcweek/reviews/0615/15entrax.html
InfoWorld        | May 1998      | Abirnet, SessionWall, IBM solutions, RealSecure, NFR                           | Volume 20, Issue 18

Note that the DataComm review is the only one to describe a suite of ID tests that were performed. This might be useful to those wishing to perform their own evaluations. The PCWeek approach to the evaluation of software products (not just ID systems) can be found at http://www.zdnet.com/pcweek/reviews/meth.html.

Comments from these reviews indicated that while they perform a useful function, current-day ID systems are still immature. The DataComm reviewer states: "Sure, ID systems spot attacks as advertised--on empty networks. They also work well on heavily utilized Ethernet segments. But fill up a fast Ethernet segment with traffic and that vigilance vanishes; in fact, no product detected all the attacks when the network was heavily loaded." The InfoWorld reviewer commented, "By the end of our testing we were somewhat underwhelmed by the current state of the technology and its usefulness. In essence we see these solutions as little more than sophisticated packet analyzers."

Selection criteria

A few papers provide useful information on what to ask prospective vendors. In particular the Computer Security Institute has two informative articles in this area.
 

Topic

Questions to ask vendors

Title
Tough Questions for IDS Vendors
Authors/date
C. Klaus (ISS), G. Spafford (COAST), L. Sutterfield (Cisco), M. Ranum (NFR), 1998
Affiliation
Computer Security Institute
Reference
Title
CSI Intrusion Detection System Resource
Author/date
R. Power and R. Farrow, 1998
Affiliation
Computer Security Institute
Reference

Title
CSI asks the tough questions
Author/date
N/A, 1998
Title
FAQ: Network Intrusion detection Systems
Author/date
Robert Graham, 1999
Affiliation
N/A
Reference
Title
A Selection Criteria for Intrusion Detection Systems
Author/date
E. Amoroso, R. Kwapniewski, 1998
Affiliation
AT&T Bell Labs
Reference
Proceedings of the 14th Annual Computer Security Applications Conference, Phoenix, Arizona, 1998
Discussion

The Centrax Corporation responds to the "tough" questions identified in the Computer Security Institute paper. The paper FAQ: Network Intrusion Detection Systems discusses some of these questions, providing some further insight. The latter paper covers a broad range of issues with ID systems.

The last paper provides a set of criteria (structured into detection, response and deployment categories) for comparing and assessing ID systems. It contains an appendix that provides a vendor questionnaire.


 

 

Testing intrusion detection systems

One reflection of the lack of maturity in current ID systems is the lack of testing suites or methodologies. This section provides pointers to documents that have addressed these issues.  

Topic

IDS testing at Lincoln Labs

Title
DARPA Intrusion Detection Evaluation
Author/date
R. Lippmann, M. Zissman, 1999
Affiliation
MIT Lincoln Labs
Reference
http://www.ll.mit.edu/IST/ideval/index.html
Title
1998 Project Summary - Intrusion Detection Technology Evaluation
Author/date
R. Lippmann, M. Zissman, 1998
Affiliation
MIT Lincoln Labs
Reference
http://www.darpa.mil
Title
Intrusion Detection System Evaluation
Author/date
R. Lippmann, M. Zissman, 1998
Affiliation
MIT Lincoln Labs
Reference
Information Assurance Newsletter Vol. 2, No. 2 (from the DoD sponsored Information Assurance Technology Analysis Center)
Discussion

These documents describe the work at Lincoln Labs for "collecting and distributing the first standard corpus for evaluation of computer network ID systems." These data will focus on measuring the "probability of detection and probability of false-alarm for each system under test."
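The two measures named above, probability of detection and probability (or rate) of false alarm, are what any corpus-based evaluation has to compute from an IDS's alerts against the ground truth. The following Python scorer is an added illustration of that bookkeeping and is not code from Lincoln Labs or from the evaluation; the session windows, alert scores and the rule that each attack instance counts as detected once, however many alerts it raises, are constructed assumptions for the example. Sweeping the alert threshold produces the trade-off curve such an evaluation plots.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """One labelled session in the evaluation corpus (constructed)."""
    sid: str
    start: float     # seconds from the start of the evaluation period
    end: float
    attack: bool     # ground-truth label supplied with the corpus


@dataclass(frozen=True)
class Alert:
    """One alert emitted by the IDS under test (constructed)."""
    time: float
    score: float     # IDS confidence, 0..1; higher means more suspicious


# Constructed ground truth: four sessions, two of them labelled as attacks.
SESSIONS = [
    Session("s1", 0, 100, False),
    Session("s2", 100, 200, True),
    Session("s3", 200, 300, False),
    Session("s4", 300, 400, True),
]

# Constructed IDS output for the same period.
ALERTS = [
    Alert(50, 0.3),    # weak alert during normal session s1
    Alert(150, 0.9),   # strong alert during attack s2
    Alert(160, 0.7),   # second alert on the same attack; must count once
    Alert(250, 0.6),   # medium alert during normal session s3
    Alert(350, 0.4),   # weak alert during attack s4
]


def session_for(alert: Alert, sessions: List[Session]) -> Optional[Session]:
    """Map an alert to the session whose window contains it (start inclusive, end exclusive)."""
    for s in sessions:
        if s.start <= alert.time < s.end:
            return s
    return None


def score(sessions: List[Session], alerts: List[Alert], threshold: float) -> Tuple[float, int]:
    """Return (probability of detection, false-alarm count) at one alert threshold.

    An attack is detected if at least one alert at or above the threshold falls inside
    its window; an alert that falls in no attack window is a false alarm.
    """
    attacks = {s.sid for s in sessions if s.attack}
    detected = set()
    false_alarms = 0
    for a in alerts:
        if a.score < threshold:
            continue                      # below threshold: the analyst never sees it
        s = session_for(a, sessions)
        if s is not None and s.attack:
            detected.add(s.sid)           # a set, so repeated alerts on one attack count once
        else:
            false_alarms += 1
    pd = len(detected) / len(attacks) if attacks else 0.0
    return pd, false_alarms


def roc_points(sessions: List[Session], alerts: List[Alert]) -> List[Tuple[float, float, int]]:
    """Sweep the threshold over every distinct alert score, highest first, and report
    (threshold, Pd, false alarms) for each; this is the curve the evaluation plots."""
    thresholds = sorted({a.score for a in alerts}, reverse=True)
    return [(t,) + score(sessions, alerts, t) for t in thresholds]


if __name__ == "__main__":
    for t, pd, fa in roc_points(SESSIONS, ALERTS):
        print(f"threshold {t:.1f}: Pd={pd:.2f} false alarms={fa}")
```

Lowering the threshold raises the detection probability only at the price of more false alarms; on the constructed data no threshold catches both attacks without at least one false alarm, which is the trade-off the evaluation is designed to expose. A real evaluation normalizes the false-alarm count to the length of the corpus (for example, per day of traffic), which is a single division once the count is known.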


 

Topic

IDS testing at UC Davis

Title
A Methodology for Testing Intrusion Detection Systems
Author/date
N. Puketza, K. Zhang, M. Chung, B. Mukherjee, R. Olsson, 1995
Affiliation
University of California, Davis
Reference
http://seclab.cs.ucdavis.edu
Title
Simulating Concurrent Intrusions for Testing Intrusion Detection Systems: Parallel Intrusions
Author/date
N. Puketza, K. Zhang, M. Chung, B. Mukherjee, R. Olsson, 1997
Affiliation
University of California, Davis
Reference

Title
A Software Platform for Testing Intrusion Detection Systems
Author/date
N. Puketza, K. Zhang, M. Chung, B. Mukherjee, R. Olsson, 1997
Affiliation
University of California, Davis
Reference
http://seclab.cs.ucdavis.edu/papers.html
This paper can also be found in IEEE Software, Sept/Oct, 1997
Discussion

These papers describe an IDS testing environment that simulates network traffic, both normal and malicious. It allows one to create scripts that can be recorded and played back in order to test different target ID systems with the same data. Two approaches to testing are allowed: sequential and concurrent. The former simulates one attacker while the latter simulates a cooperative attack originating from multiple locations. There are three categories of testing procedure: intrusion identification (focusing on the IDS's ability to distinguish intrusions from normal behavior); resource usage (for evaluating the system resources used); and stress testing (to assess the ID system's ability to detect misuse under high load). The environment's capability was evaluated using the Network Security Monitor (NSM) tool and scripts that simulated several attacks such as password cracking. However, the documentation focuses more on the capability of NSM and on intrusion detection than on the test environment, and provides few insights into what was learned about constructing such environments.


 

Topic
IDS testing at IBM
Title
An Experimental Workbench for Intrusion Detection
Authors/date
H. Debar, M. Dacier, A. Wespi, S. Lampart., 1997
Affiliation
IBM, Zurich
Reference
http://www.zurich.ibm.com
pub/sti/Security/extern/gsal/docs/

Discussion

This paper focuses on the design principles and implementation of an experimental workbench for comparative evaluation of ID systems. "This workbench enables us to compare the respective efficiency of our prototypes in terms of, for example, false alarm rates."



 

Topic
IDS testing at the U.S. Air Force
Title
Testing and Evaluating Computer Intrusion Detection Systems
Authors/date
R. Durst, T. Champion, B. Witten, E. Miller, L. Spagnuolo, 1999
Affiliation
SenCom Corp. and Air Force Research Laboratory
Reference
Communications of the ACM, July, 1999
Discussion

The paper describes the development of an IDS testbench and the resulting testing of three DARPA-funded ID systems (plus a GOTS IDS), and summarizes quantitative results. In preliminary conclusions it indicated, among other things, that signature-based detection was effective in reducing false alarm rates, but that string matching as implemented in most network-based systems has high false alarm rates and misses most kinds of attack. In conclusion the paper stated that "Recent major acquisitions totalling hundreds of millions of dollars for little more than ad-hoc security solutions indicate a desperate, indiscriminate need for computer security. If it sounds like panic, it may very well be."


 

 

IDS Vulnerabilities

Intrusion detection systems are themselves vulnerable to attack. Since knowledge of weaknesses is a prerequisite to knowing how to test ID systems, this section provides some relevant resource materials. In this section we identify four papers. These are listed in the following table.  

Topic
IDS Vulnerabilities
Title
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
Author/date
T. Ptacek, T. Newsham, 1998
Affiliation
Network Associates
Reference
http://www.clark.net
Title
50 Ways to Defeat your Intrusion Detection System
Author/date
F. Cohen, 1997
Affiliation
Fred Cohen & Associates
Reference
http://all.net/oldindex.html
Title
Defeating Sniffers and Intrusion Detection Systems
Author/date
Horizon, 1998
Affiliation
Phrack Magazine
Reference
http://pulhas.org/phrack/54/P54-10.html
Discussion

The first paper claims that "there is insufficient information available in packets read off the wire to correctly reconstruct what is occurring inside complex protocol transactions, and next, that ID systems are inherently vulnerable to denial of service attacks. The first of these problems reduces the accuracy of the system, and the second jeopardizes its availability." To back up their case, the authors describe a set of tests that were performed on four popular commercial products. The report indicates that "Every IDS we examined could be completely eluded by a savvy attacker." This detailed paper concludes with some concerns about the current state of testing:

  • No credible public evaluation of network ID systems currently exists. The trade press evaluates security products by their features and ease of use, not their security.

  • One issue that drastically impacted our ability to test ID systems was the availability of source code.

  • If this work makes anything clear, it's that marketing claims cannot be a trusted source of information about ID systems.

The second paper takes a semi-serious look (with serious implications) at the multitude of ways it is possible to elude an IDS.

In the last paper a hacker describes how to defeat ID systems, and provides the code to do it.



 

 

D.4 Research

The research category is divided into "methods" and "tools." This is a somewhat artificial distinction since much research is done through exploration with tools. However, the "methods" category covers research that does not result in any major research products (although some software may be developed). The research papers are, by definition, forward looking, but differ from the category below "IDS directions" by being more technically and exploration oriented. The "IDS directions" category addresses broader, more qualitative issues.

 

 

Methods

The "methods" category summarizes advanced work performed in the areas of neural networks, genetic algorithms, inductive rule generation, pattern recognition, and data fusion. There is a significant machine learning flavor to these more conceptual approaches, which have in common

  • the need to train the IDS using raw data (this will probably be audit data)

  • the need to provide the learning component of the IDS with guidance as to what is normal and what is abnormal behavior

  • the fact that computer-generated decision rules may be opaque to human interpretation
 

Topic

Neural network applications

Title
A Survey of Intrusion Detection Techniques
Author/date
T. Lunt, 1993
Affiliation
SRI International
Reference
Computers & Security, 12, (1993) pp 405-418
Title
Typing your ID via AI
Author/date
L. Eliot, 1995
Affiliation
Eliot and Associates
Reference
AI Expert
Title
Neural Networks Applied in Intrusion Detection Systems
Author/date
J. Bonifácio Jr., A. Cansian, A. de Carvalho and E. Moreira, 1998
Affiliation
University of Sao Paulo
Reference
Published in the Proceedings of the IEEE World Congress on Computational Intelligence, WCCI'98, Anchorage, USA
Discussion

Neural networks can be trained to recognize patterns in data. It has therefore been suggested that neural networks be trained to recognize dynamic keystroke characteristics as a means of intrusion detection (see first two papers in this table). The approach is based on the assumption that each computer user has typing characteristics that are unique, cannot be easily duplicated by others, and whose signature does not change rapidly with time. Keystroke sequences are captured and analyzed for patterns that identify the individual. Lunt's paper only briefly refers to this application. Eliot's paper discusses the use of a multi-layered neural net to learn the timing patterns between input strokes, as explored by AT&T researchers.

The third paper looks at training neural networks to recognize patterns of intrusion. Training was performed using attack patterns on different Internet services. The neural net was then used to detect similar attacks. For new patterns, the network was adaptively retrained. Preliminary results on test data indicated an average misclassification rate of five percent.
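The keystroke-dynamics idea above rests on three assumptions: each user's timing signature is distinctive, hard for others to reproduce, and stable over time. The following Python example is added here to make the mechanics concrete; it is not code from any of the papers in this table, and it uses a plain statistical profile (per-digraph mean and spread of inter-key latency, scored by z-score) rather than the neural net Eliot describes, because the statistical form shows the same capture-profile-compare loop in a few lines. The enrolment and test keystroke timings, the 5 ms floor on the spread and the anomaly threshold of 2.0 are all constructed assumptions.

```python
import statistics
from typing import Dict, List, Tuple

Keystroke = Tuple[str, float]          # (key, press time in milliseconds)
Digraph = Tuple[str, str]              # an ordered pair of consecutive keys
Profile = Dict[Digraph, Tuple[float, float]]   # digraph -> (mean latency, std dev)

SD_FLOOR_MS = 5.0   # assumed floor on spread so a near-constant latency cannot inflate z-scores


def typed(word: str, latencies: List[float]) -> List[Keystroke]:
    """Construct a keystroke sequence from a word and the latencies between its keys."""
    t = 0.0
    events = [(word[0], t)]
    for ch, lat in zip(word[1:], latencies):
        t += lat
        events.append((ch, t))
    return events


def digraph_latencies(keystrokes: List[Keystroke]) -> Dict[Digraph, List[float]]:
    """Capture step: latency between each consecutive key pair, grouped by digraph."""
    out: Dict[Digraph, List[float]] = {}
    for (k1, t1), (k2, t2) in zip(keystrokes, keystrokes[1:]):
        out.setdefault((k1, k2), []).append(t2 - t1)
    return out


def build_profile(sessions: List[List[Keystroke]]) -> Profile:
    """Profile step: mean and standard deviation per digraph, pooled over enrolment sessions."""
    pooled: Dict[Digraph, List[float]] = {}
    for s in sessions:
        for dg, lats in digraph_latencies(s).items():
            pooled.setdefault(dg, []).extend(lats)
    profile: Profile = {}
    for dg, lats in pooled.items():
        if len(lats) >= 2:          # one observation gives no estimate of spread
            profile[dg] = (statistics.fmean(lats), max(statistics.pstdev(lats), SD_FLOOR_MS))
    return profile


def anomaly_score(profile: Profile, session: List[Keystroke]) -> float:
    """Compare step: mean absolute z-score of the session's latencies against the profile.
    Digraphs never seen at enrolment are skipped rather than guessed at."""
    zs: List[float] = []
    for dg, lats in digraph_latencies(session).items():
        if dg in profile:
            mean, sd = profile[dg]
            zs.extend(abs(lat - mean) / sd for lat in lats)
    return statistics.fmean(zs) if zs else 0.0


def is_anomalous(profile: Profile, session: List[Keystroke], threshold: float = 2.0) -> bool:
    """Flag a session whose rhythm departs from the enrolled profile by more than the threshold."""
    return anomaly_score(profile, session) > threshold


# Constructed enrolment data: the same user types "the" in three sessions.
ENROLMENT = [typed("the", [118, 88]), typed("the", [122, 92]), typed("the", [120, 90])]
PROFILE = build_profile(ENROLMENT)
GENUINE = typed("the", [123, 87])     # the enrolled user again
IMPOSTOR = typed("the", [200, 150])   # someone else at the same account

if __name__ == "__main__":
    for name, session in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(f"{name}: score={anomaly_score(PROFILE, session):.2f} "
              f"anomalous={is_anomalous(PROFILE, session)}")
```

The floor on the standard deviation matters in practice: with only a handful of enrolment samples the measured spread can be tiny, and without a floor an ordinary variation of a few milliseconds would score as a large deviation, which is one source of the false alarms that keystroke-based systems are known for. Stability over time, the third assumption, is not addressed here; a deployed system would have to refresh the profile as a user's typing drifts.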

 

Topic

Genetic algorithm applications

Title
Genetic Algorithms, an Alternative Tool for Security Audit Trails Analysis
Author/date
L. Mé, 1994
Affiliation
Université de Rennes
Reference
(http://www.supelec-rennes.fr)
Title
Active Defense of a Computer System Using Autonomous Agents
Author/date
M. Crosbie and G. Spafford, 1995
Affiliation
Purdue University
Reference
http://www.cs.purdue.edu
Discussion

Inspired by biological evolution, genetic algorithms are based on artificial genes (string structures) that carry messages of varying "fitness" to perform a task. Depending on their fitness (a measure that is predefined), more successful genes preferentially exchange their message sequences with other genes. The resulting new gene combinations are propagated to subsequent generations with resulting improvements to the gene pool. This technique has been investigated as a means to teach a set of artificial genes to recognize patterns of intrusion. Gene learning is performed off-line (i.e., the genes are defined using audit data) and then applied either in real time or in batch mode.

The approach does have the advantage that the data drives the understanding of what constitutes intrusive behavior, rather than subjective human experience. However, the field is still immature and being explored; there are no operational tools yet available.

See D. E. Goldberg, Genetic Algorithms in Search, Optimization and Machine Learning, Addison Wesley, 1989.
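To show the mechanism described above (fitness, preferential exchange of gene sequences, propagation to the next generation) applied to audit data, the following Python program is added here as an illustration; it is not Mé's or Crosbie and Spafford's code and is not the GASSATA algorithm. It evolves a single classifier-style rule over a constructed, labelled set of audit-record summaries: each gene is a feature value or a wildcard, fitness is the fraction of records the rule classifies correctly, and learning is off-line in the sense of the passage, with the evolved rule then applicable to new records. The feature names, records, population size, mutation rate and seed are all constructed assumptions.

```python
import random
from typing import List, Tuple

WILDCARD = 2                      # gene value meaning "don't care about this feature"
ALLELES = (0, 1, WILDCARD)
FEATURES = ["failed_logins_gt3", "root_shell", "off_hours", "new_src_host"]  # assumed
Rule = Tuple[int, ...]            # one gene per feature, in FEATURES order

# Constructed, labelled audit summaries: (feature bits in FEATURES order, is_intrusion).
AUDIT = [
    ((0, 0, 0, 0), False), ((0, 0, 1, 0), False), ((1, 0, 0, 0), False),
    ((0, 0, 0, 1), False), ((0, 0, 1, 1), False), ((1, 0, 1, 0), False),
    ((1, 1, 0, 1), True),  ((0, 1, 1, 1), True),  ((1, 1, 1, 0), True),
    ((0, 1, 0, 0), True),
]


def matches(rule: Rule, record: Tuple[int, ...]) -> bool:
    """A rule fires on a record when every non-wildcard gene equals the record's bit."""
    return all(g == WILDCARD or g == bit for g, bit in zip(rule, record))


def fitness(rule: Rule, audit=AUDIT) -> float:
    """Predefined fitness: fraction of records on which 'rule fires' equals 'is intrusion'."""
    correct = sum(1 for rec, label in audit if matches(rule, rec) == label)
    return correct / len(audit)


def random_rule(rng: random.Random) -> Rule:
    return tuple(rng.choice(ALLELES) for _ in FEATURES)


def crossover(a: Rule, b: Rule, rng: random.Random) -> Rule:
    """Single-point crossover: the offspring takes a's genes up to the cut, b's after it."""
    point = rng.randint(1, len(a) - 1)
    return a[:point] + b[point:]


def mutate(rule: Rule, rng: random.Random, rate: float = 0.2) -> Rule:
    """Resample each gene independently with probability `rate`."""
    return tuple(rng.choice(ALLELES) if rng.random() < rate else g for g in rule)


def evolve(audit=AUDIT, pop_size: int = 30, generations: int = 50, seed: int = 7) -> Rule:
    """Off-line learning from audit data: keep the fittest rule unchanged (elitism) and
    breed the rest by tournament selection, crossover and mutation, generation by generation."""
    rng = random.Random(seed)
    fit = lambda r: fitness(r, audit)
    pop = [random_rule(rng) for _ in range(pop_size)]
    for _ in range(generations):
        best = max(pop, key=fit)
        if fit(best) == 1.0:
            break                          # training data perfectly separated
        nxt = [best]
        while len(nxt) < pop_size:
            parent_a = max(rng.sample(pop, 3), key=fit)   # tournament of three: fitter
            parent_b = max(rng.sample(pop, 3), key=fit)   # rules are chosen more often
            nxt.append(mutate(crossover(parent_a, parent_b, rng), rng))
        pop = nxt
    return max(pop, key=fit)


def describe(rule: Rule) -> str:
    """Render a rule as the conjunction of its non-wildcard conditions."""
    conds = [f"{name}={g}" for name, g in zip(FEATURES, rule) if g != WILDCARD]
    return " and ".join(conds) if conds else "any record"


if __name__ == "__main__":
    best = evolve()
    print(f"evolved rule: {describe(best)} (fitness {fitness(best):.2f})")
```

On the constructed records the only rule with fitness 1.0 is root_shell=1, so the run converges on it. The example also shows the drawback noted in the "methods" introduction: the program hands back a rule without any account of why it was chosen, and with a richer feature set the evolved conjunctions would be considerably harder for an analyst to interpret than this one.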

 

Topic

Rule induction applications

Title
Learning Patterns from UNIX Process Execution Traces for Intrusion Detection,
Author/date
W. Lee and S. Stolfo, 1997
Affiliation
Columbia University
Reference
AAAI Workshop: AI approaches to fraud detection and risk management, AAAI press
Title
Data Mining Approaches for Intrusion Detection
Author/date
W. Lee and S. Stolfo
Affiliation
Columbia University
References
http://www.cs.columbia.edu/~sal/hpapers/USENIX/usenix.html

Title
Security Audit Trail Analysis Using Inductively Generated Predictive Rules
Author/date
H. Teng, K. Chen, and S. Lu, 1990
Affiliations
Digital Equipment Corp, University of Illinois
Reference
Proceedings of the Sixth Conference on Artificial Intelligence Applications
Discussion

Several research g