Ongoing
-
Application Intrusion Detection Systems: The Next Step
| Start Date | June 1999 |
| Funding | Defense Advanced Research Projects Agency (DARPA) grant F30602-99-1-0538 |
| People |
Robert S. Sielken Anita K. Jones |
| Papers | Click here |
| Presentations | Click here |
| Concept |
Operating system intrusion detection systems (OS IDS) are frequently insufficient to catch internal intruders who neither significantly deviate from expected behavior nor perform a sequence of specific intrusive actions. We hypothesize that application intrusion detection systems (AppIDS) can use application semantics to detect more subtle attacks such as those carried out by internal intruders who possess legitimate access to the system and act within their bounds of normal behavior, but who are actually abusing the system. (Full Abstract) |
Completed
-
The Pseudo-Internal Intruder: A New Access Oriented Intruder Category
| Start Date | December 1997 |
| Completion Date | May 1999 |
| Funding | Computer Science Department |
| People | Brownell K. Combs |
| Papers | Click here |
| Presentations | Click here |
| Concept |
Since 1980, the intrusion detection community has divided intruders into two categories (internal and external) based on the intruder's access to a system.
The proliferation of distributed systems with complex networks has necessitated a reexamination of intruder definitions.
We define a new category, the pseudo-internal intruder. This new category encompasses intruders without user accounts who circumvent the perimeter defenses of a modern distributed system and attack the system via its network. Having a pseudo-internal category is useful because it gives the intrusion detection community a framework in which to clearly describe the capabilities of, defend against, and develop techniques for detecting the pseudo-internal intruder. (Full Abstract) |
Application Intrusion Detection
| Start Date | December 1997 |
| Completion Date | May 1999 |
| Funding | Computer Science Department Virginia Transportation Research Council |
| People | Robert S. Sielken |
| Papers | Click here |
| Presentations | Click here |
| Concept |
Intrusion detection has traditionally been performed at the operating system (OS) level, but
OS intrusion detection systems (IDS) are frequently insufficient to catch internal intruders.
We hypothesized that application specific IDS (AppIDS) could use the semantics of the application to detect more subtle, stealth-like attacks such as those carried out by internal intruders.
We developed two extensive case studies to explore what opportunities exist for detecting intrusions at the application level, how effectively an AppIDS can detect the intrusions, and the possibility of cooperation between an AppIDS and an OS IDS to detect intrusions.
The main conclusion was that an AppIDS can detect some intrusions that an OS IDS cannot thus increasing the overall effectiveness in detecting intrusions.
(Full Abstract) |
Last Modified: January 18, 2000