Application Intrusion Detection Systems: The Next Step
Operating system intrusion detection systems (OS IDS) are frequently insufficient to catch internal intruders who neither significantly deviate from expected behavior nor perform a sequence of specific intrusive actions. We hypothesize that application intrusion detection systems (AppIDS) can use application semantics to detect more subtle attacks, such as those carried out by internal intruders who possess legitimate access to the system and act within their bounds of normal behavior, but who are actually abusing the system. To test this hypothesis, we developed two extensive case studies from which we were able to discern some similarities and differences between the OS IDS and AppIDS. In particular, an AppIDS can observe the monitored system with a higher resolution of observable entities than an OS IDS, allowing tighter thresholds to be set for the AppIDS' relations that differentiate normal and anomalous behavior, thereby improving the overall effectiveness of the IDS.
The Pseudo-Internal Intruder: A New Access Oriented Intruder Category
Intruders attack both commercial and federal distributed systems frequently, and often successfully. The problem of intruders has become critical. The most effective defense today is the use of intrusion detection systems, because it is widely considered to be impossible to build complicated distributed systems that completely prevent unauthorized intrusions. Since 1980, the intrusion detection community has divided intruders into two categories based on the intruder's access to a system: internal intruders have legitimate access through user accounts; external intruders break into a system without the benefit of a user account.
The proliferation of distributed systems with complex networks has necessitated a reexamination of intruder definitions. When the notion of internal and external intruders was defined, systems were largely stand-alone computers, typically contained in a single area, sometimes with remote peripherals. Today computers are part of networked, distributed systems that may span multiple buildings, sometimes located thousands of miles apart. The network of such a system is a pathway for communication between the computers in the distributed system. The network is also a pathway for intrusion.
We define a new category, the pseudo-internal intruder. This new category encompasses intruders without user accounts who circumvent the perimeter defenses of a modern distributed system and attack the system via its network. In contrast, external intruders attack a system from the outside through a system's perimeter defenses. Having a pseudo-internal category is useful because it gives the intrusion detection community a framework in which to clearly describe the capabilities of the pseudo-internal intruder, defend against the pseudo-internal intruder, and develop techniques for detecting the pseudo-internal intruder.
Full Text (Word97)
Application Intrusion Detection
Intrusion detection has traditionally been performed at the operating system (OS) level by comparing expected and observed system resource usage. OS intrusion detection systems (OS IDS) can only detect intruders, internal or external, who perform specific system actions in a specific sequence or those intruders whose behavior pattern statistically varies from a norm. Internal intruders are said to comprise at least fifty percent of intruders [ODS99], but OS intrusion detection systems are frequently not sufficient to catch such intruders since they neither significantly deviate from expected behavior, nor perform the specific intrusive actions because they are already legitimate users of the system.
We hypothesize that application-specific intrusion detection systems can use the semantics of the application to detect more subtle, stealth-like attacks, such as those carried out by internal intruders who possess legitimate access to the system and its data and act within their bounds of normal behavior, but who are actually abusing the system. To test this hypothesis, we developed two extensive case studies to explore what opportunities exist for detecting intrusions at the application level, how effectively an application intrusion detection system (AppIDS) can detect the intrusions, and the possibility of cooperation between an AppIDS and an OS IDS to detect intrusions. From the case studies, we were able to discern some similarities and differences between the OS IDS and AppIDS. In particular, an AppIDS can observe the monitored system with a higher resolution of observable entities than an OS IDS, allowing tighter thresholds to be set for the AppIDS' relations that differentiate normal and anomalous behavior, thereby improving the overall effectiveness of the IDS.
We also investigated the possibility of cooperation between an OS IDS and an AppIDS. From this exploration, we developed a high-level bi-directional communication interface in which one IDS could request information from the other IDS, which could respond accordingly. Finally, we explored a possible structure of an AppIDS to determine which components were generic enough to use for multiple AppIDS. Along with these generic components, we also explored possible tools to assist in the creation of an AppIDS.
Full Text (Word97)
CS Dept. Technical Report (PostScript)
Last Modified: January 18, 2000