10.13 Advanced IDSs

Metalearning IDSs have been developed at Columbia University. Metalearning integrates a number of different classifiers. This type of IDS benefits from a multilayered approach in which machine learning and decision procedures detect intrusions locally. The University of California at Santa Barbara has developed model-based IDSs to detect suspicious state transitions. The system uses penetration scenarios as a sequence of actions and keeps track of interesting state changes as it attempts to identify attacks in progress, before damage is done.
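As an added illustration of the state-transition idea in the preceding paragraph (this is not code from the book or from the UCSB system), the following Python sketch models one penetration scenario as an ordered chain of states, tracks each subject's progress separately, and raises an alert while the scenario is still in progress rather than only at the final, damaging state. The scenario, action names and audit records are all constructed for the example.

```python
"""Toy state-transition detector: one penetration scenario as a chain of states.

Each transition fires when an audit event satisfies its predicate. Subjects
(users) are tracked independently, and a warning is emitted once a subject has
advanced `warn_at` steps, i.e. before the final state is reached.
Scenario, event vocabulary and sample audit trail are constructed, not real.
"""
from collections import defaultdict

# Each transition: (name of the state reached, predicate over an audit event dict)
SCENARIO = [
    ("probed",      lambda e: e["action"] == "port_scan"),
    ("foothold",    lambda e: e["action"] == "login" and e["result"] == "ok"),
    ("escalated",   lambda e: e["action"] == "setuid" and e["target"] == "root"),
    ("compromised", lambda e: e["action"] == "write" and e["target"] == "/etc/passwd"),
]

def track(events, scenario=SCENARIO, warn_at=2):
    """Scan audit events in order; return (per-subject state, alerts).

    Alerts are (subject, kind, state) tuples; kind is "in-progress" while the
    scenario is only partially matched and "attack" when its last state is hit.
    """
    state = defaultdict(int)          # subject -> index of next expected transition
    alerts = []
    for ev in events:
        subj = ev["user"]
        idx = state[subj]
        if idx < len(scenario) and scenario[idx][1](ev):
            idx += 1
            state[subj] = idx
            name = scenario[idx - 1][0]
            if idx == len(scenario):
                alerts.append((subj, "attack", name))
            elif idx >= warn_at:
                alerts.append((subj, "in-progress", name))
    return {s: scenario[i - 1][0] if i else "idle" for s, i in state.items()}, alerts

# Constructed audit trail: "mallory" walks the whole scenario, "alice" does not.
SAMPLE_EVENTS = [
    {"user": "alice",   "action": "login",     "result": "ok",   "target": "-"},
    {"user": "mallory", "action": "port_scan", "result": "ok",   "target": "-"},
    {"user": "mallory", "action": "login",     "result": "fail", "target": "-"},
    {"user": "mallory", "action": "login",     "result": "ok",   "target": "-"},
    {"user": "alice",   "action": "write",     "result": "ok",   "target": "/home/alice/notes"},
    {"user": "mallory", "action": "setuid",    "result": "ok",   "target": "root"},
    {"user": "mallory", "action": "write",     "result": "ok",   "target": "/etc/passwd"},
]

if __name__ == "__main__":
    final, alerts = track(SAMPLE_EVENTS)
    print(final)
    for alert in alerts:
        print(alert)
```

The second "in-progress" alert fires at the "escalated" state, one transition before any damage to the password file, which is the window the model-based approach is meant to expose.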

The University of California at Davis has developed three types of IDS. One uses graphs to detect intrusions whose activity spans many machines and could therefore be difficult to detect locally. This IDS specifies intrusion scenarios as graphs of actions covering many machines, and the graphs also provide an intuitive visual display. UC-Davis has also developed a specification-based IDS that detects departures from the security specifications of privileged programs, allowing detection of unanticipated attacks. Lastly, UC-Davis developed a thumbprint-technique IDS that can match and track the path of system users across machines.

In private industry, GTE has developed an IDS that detects anomalous events for telephone service provider networks. This type of IDS is designed for integration into network operation centers; it uses existing systems and tools for data collection, as well as anomaly detection and specific signaling protocols to perform its "sanity checks."

Bellcore has also developed a survivable active networks (SAN) IDS that will allow highly configurable network elements to cooperate with networked hosts to detect, isolate, and recover quickly and automatically from damage due to errors or malicious attacks. This IDS will allow suspect activity to be "peeled off" the system, while continuing to operate in a micro environment.

Boeing has developed an IDS with an automated response that integrates firewall, intrusion detection, filtering router, and network-management technologies. This IDS uses local intrusion detectors to determine threat presence, with the firewalls communicating intrusion detection information to each other. In this scheme, firewalls cooperate to locate a foreign intruder. This allows network managers to reconfigure the network automatically to thwart the attack. Firewalls and filtering routers dynamically alter filtering rules to block the intruder, allowing for dynamic reconfiguration of logging, monitoring, and access control in response to detected suspicious activity. This IDS uses different detectors to monitor and adapt a response to an attack.


Investigative Data Mining for Security and Criminal Detection
ISBN: 0750676132
Year: 2005
Pages: 232
Authors: Jesus Mena
