Integration of Next-Generation Intrusion Detection System/Event Monitoring Enabling Responses to Anomalous Live Disturbances (NIDES/EMERALD) Intrusion Detection Engines with the International Office of Standardization (ISO) Architecture
Final rept. Apr 98-Oct 2001
SRI INTERNATIONAL MENLO PARK CA
Pagination or Media Count:
This report describes the expert-system-based intrusion detection technologies developed in the EMERALD program, and the research and experimentation performed with those components. The forward-reasoning expert-system tool P-BEST, which has been used to build signature-analysis engines for IDES, NIDES and now EMERALD, is described in detail. We show how data from network traffic interception, from host operating system audit trails, and from critical applications can be analyzed by P-BEST-based applications for real-time intrusion detection. The host-based and network-based intrusion detection monitors that we built have participated in various evaluations and experiments, confirming their detection capabilities and general applicability. We conclude that EMERALDs expert-system approach to misuse detection is well suited for the complex event analysis needed for wide attack coverage and near-zero false alarm rates.
- Computer Programming and Software
- Miscellaneous Detection and Detectors