State of the Art in Anomaly Detection and Reaction
MITRE CORP BEDFORD MA
This paper presents a view of the state of the art in anomaly detection and reaction (ADR) technology. The paper develops the view from six sources: three prior reports (two national, one MITRE), a survey of commercially available software, a survey of government software, and a survey of government-funded research projects. ADR encompasses the automated capabilities that can detect or find anomalies in computer systems, report them in useful ways, remove discovered anomalies, and repair damage they may have caused. Included in this scope of interest are traditional intrusion detection and reaction tools. The broader scope of anomaly detection and reaction also includes vulnerability scanners, infraction scanners, and security compliance monitors. These tools protect not only against intruders but against errors and carelessness in administration and operation of end systems and network components. This synopsis draws on the following sources of information: (1) the National Info-Sec Technical Baseline report on intrusion detection and response; (2) the description of the state of the art in network-based intrusion detection systems in a report of Hill and Aguirre; (3) the report of the Intrusion Detection Subgroup of the National Security Telecommunications Advisory Committee on the implications of intrusion detection technology research and development on national security and emergency preparedness; (4) product descriptions of commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) ADR systems; and (5) descriptions of current research in anomaly detection and reaction. Tables show intrusion detection tools by product type and architecture, provide commentary on issues in ADR, present the main thrust of numerous research efforts in ADR, and provide a condensation of the state of the art in ADR.
- Computer Programming and Software
- Computer Systems Management and Standards
- Unconventional Warfare