Classical Intrusion Detection Systems and Log-File Checkers


In this section, I would like to concentrate on the class of systems that users consider "classical" intrusion detection systems.

Historical Overview

James P. Anderson was the first researcher to suggest the use of log files to ensure information security. This was in 1980, when the U.S. Navy adopted his concept, known as "Reference Monitor."

From 1984 to 1986, Dorothy Denning and Peter Neumann developed an abstract model of a real-time intrusion detection system known as IDES (Intrusion Detection Expert System). In 1987, Dorothy Denning published a paper describing the use of intrusion detection systems to ensure information security. Like many other scientific research projects, this work was conducted in the laboratories of the U.S. Department of Defense (in this particular case, the U.S. Navy's Space and Naval Warfare Systems Command). The IDES system was based on profiles and implemented various statistical methods for describing the normal and anomalous behavior of system objects (for the most part, users). The IDES system ran on TOPS-20 computers. From 1992 to 1994, the SRI International laboratory developed an enhanced version of this system, known as NIDES (Next-generation IDES).

In 1986, IBM specialists designed the Discovery expert system, intended for detecting problems in the TRW financial database. The Discovery system was based on the IBM 3090 and the COBOL programming language. Its design goal was to monitor daily financial transactions and detect unauthorized payments. Strictly speaking, this system belongs more to the class of fraud detection systems than to intrusion detection.

In 1988, the U.S. Air Force Cryptologic Support Center sponsored the development and implementation of the Haystack anomaly detection system. The research project and system implementation were initiated by Tracor Applied Sciences, Inc. (1987--1989). Haystack Labs (1989--1991) continued the research work before it was transferred to the Trusted Information Systems and Network Associates companies. The Haystack system supported the IBM AT platform and was implemented using the ANSI C programming language and the Oracle DBMS. It was one of the first systems oriented toward PCs.

MIDAS (Multics Intrusion Detection and Alerting System) was developed in 1988 by employees of the National Computer Security Center (NCSC) to detect anomalies in the Dockmaster network run by the center. This network was based on the Multics operating system on a Honeywell DPS 8/70 platform. Like all previous systems, MIDAS used statistical methods to detect anomalous behavior of system objects based on the records stored in log files. MIDAS was the first intrusion detection system that monitored hosts connected to the Internet, and because of this it was able to detect external attacks.

In 1990, Los Alamos National Laboratory developed the NADIR system (Network Audit Detector and Intrusion Reporter), intended for monitoring the activities of users connected to the ICN (Integrated Computing Network). This system ran on Sun Unix hosts and used the Sybase DBMS to support its functions. NADIR is one of the few tools developed in the late 1980s and early 1990s that remains in use.

A new concept in intrusion detection systems was presented in 1990 with the release of the NSM (Network Security Monitor) system, currently known as Network Intrusion Detector (NID). In contrast to its predecessors, which relied on log files, this concept suggested using network traffic to detect unauthorized activities. The NSM system was developed at UC Davis and ran on Sun UNIX workstations.

In 1991, DIDS (Distributed Intrusion Detection System) was released. It was able to obtain data from several intrusion detection systems in order to detect coordinated attacks directed at several network hosts. The main advantage of DIDS lies in the fact that it allows the simultaneous collection of data both from agents that monitor system log files and from agents that capture network traffic. The research work required to implement this system was sponsored by the U.S. Navy, the National Security Agency (NSA) and the U.S. Department of Energy. Among the project participants were the U.S. Air Force Cryptologic Support Center, the Lawrence Livermore Laboratory, UC Davis and Haystack Labs.

In 1994, Mark Crosbie and Gene Spafford introduced the idea of autonomous agents, which improved the following characteristics of intrusion detection systems:

  • Scalability

  • Efficiency

  • Fault-tolerance

Another approach that simplified the scaling of intrusion detection systems was introduced in 1996, in the form of GrIDS (Graph-based Intrusion Detection System). This system simplifies the actions required to detect large-scale, coordinated attacks. Like many of the intrusion detection systems mentioned above, GrIDS was developed at UC Davis.

In the late 1990s, a large number of new approaches to intrusion detection appeared that differed from the classic ones existing at the time. These approaches include genetic algorithms and neural networks for detecting security policy violations. Currently, these approaches have moved beyond the scope of pure research. For example, the work of James Cannady in the field of neural networks has made it possible to significantly increase the probability of detecting unknown attacks using the RealSecure Network Sensor system.

The examples provided above are of fundamental importance for intrusion detection. These tools, developed as part of scientific research projects, were later used as prototypes for popular commercial intrusion detection products, such as RealSecure and Cisco IDS 4200.

Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152