Intrusion detection system
== Development ==

The earliest preliminary IDS concept was delineated in 1980 by James Anderson at the [[National Security Agency]] and consisted of a set of tools intended to help administrators review audit trails.<ref>{{cite journal|access-date=2021-10-12|url-status=live|archive-url= https://web.archive.org/web/20190514033931/https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ande80.pdf|archive-date=2019-05-14|url= https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ande80.pdf|author=Anderson, James P.|title=Computer Security Threat Monitoring and Surveillance|location=Washington, PA, James P. Anderson Co.|website=csrc.nist.gov|date=1980-04-15}}</ref> User access logs, file access logs, and system event logs are examples of audit trails. [[Fred Cohen]] noted in 1987 that it is impossible to detect an intrusion in every case, and that the resources needed to detect intrusions grow with the amount of usage.<ref>{{cite journal |author1=David M. Chess |author2=Steve R. White |journal=Proceedings of Virus Bulletin Conference |title=An Undetectable Computer Virus |date=2000 |citeseerx=10.1.1.25.1508 }}</ref> [[Dorothy E. Denning]], assisted by [[Peter G. Neumann]], published a model of an IDS in 1986 that formed the basis for many systems today.<ref>Denning, Dorothy E., "An Intrusion Detection Model," Proceedings of the Seventh IEEE Symposium on Security and Privacy, May 1986, pages 119–131</ref> Her model used statistics for [[anomaly detection]], and resulted in an early IDS at [[SRI International]] named the Intrusion Detection Expert System (IDES), which ran on [[Sun Microsystems|Sun]] workstations and could consider both user-level and network-level data.<ref>Lunt, Teresa F., "IDES: An Intelligent System for Detecting Intruders," Proceedings of the Symposium on Computer Security; Threats, and Countermeasures; Rome, Italy, November 22–23, 1990, pages 110–121.</ref> IDES had a dual approach, with a rule-based [[Expert System]] to detect known types of intrusions plus a statistical anomaly detection component based on profiles of users, host systems, and target systems. The author of "IDES: An Intelligent System for Detecting Intruders", Teresa F. Lunt, proposed adding an [[artificial neural network]] as a third component. She said all three components could then report to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion Detection Expert System (NIDES).<ref>Lunt, Teresa F., "Detecting Intruders in Computer Systems," 1993 Conference on Auditing and Computer Technology, SRI International</ref> The [[Multics]] intrusion detection and alerting system (MIDAS), an expert system using P-BEST and [[Lisp (programming language)|Lisp]], was developed in 1988 based on the work of Denning and Neumann.<ref>Sebring, Michael M., and Whitehurst, R. Alan, "Expert Systems in Intrusion Detection: A Case Study," The 11th National Computer Security Conference, October 1988</ref> Haystack was also developed in that year, using statistics to reduce audit trails.<ref>Smaha, Stephen E., "Haystack: An Intrusion Detection System," The Fourth Aerospace Computer Security Applications Conference, Orlando, FL, December 1988</ref> In 1986 the [[National Security Agency]] started an IDS research transfer program under [[Rebecca Bace]]. Bace later published the seminal text on the subject, ''Intrusion Detection'', in 2000.<ref>{{cite journal|last1=McGraw|first1=Gary|title=Silver Bullet Talks with Becky Bace|journal=IEEE Security & Privacy Magazine|date=May 2007|volume=5|issue=3|pages=6–9|doi=10.1109/MSP.2007.70|url=https://www.cigital.com/silver-bullet-files/shows/silverbullet-012-bbace.pdf|access-date=18 April 2017|archive-url=https://web.archive.org/web/20170419191922/https://www.cigital.com/silver-bullet-files/shows/silverbullet-012-bbace.pdf|archive-date=19 April 2017|url-status=dead}}</ref> Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the [[Los Alamos National Laboratory]].<ref>Vaccaro, H.S., and Liepins, G.E., "Detection of Anomalous Computer Session Activity," The 1989 IEEE Symposium on Security and Privacy, May 1989</ref> W&S created rules based on statistical analysis, and then used those rules for anomaly detection. In 1990, the Time-based Inductive Machine (TIM) performed anomaly detection using inductive learning of sequential user patterns, implemented in [[Common Lisp]] on a [[VAX]] 3500 computer.<ref>Teng, Henry S., Chen, Kaihu, and Lu, Stephen C-Y, "Adaptive Real-time Anomaly Detection Using Inductively Generated Sequential Patterns," 1990 IEEE Symposium on Security and Privacy</ref> The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation.<ref>Heberlein, L. Todd, Dias, Gihan V., Levitt, Karl N., Mukherjee, Biswanath, Wood, Jeff, and Wolber, David, "A Network Security Monitor," 1990 Symposium on Research in Security and Privacy, Oakland, CA, pages 296–304</ref> The Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies, including statistics, a profile checker, and an expert system.<ref>Winkeler, J.R., "A UNIX Prototype for Intrusion and Anomaly Detection in Secure Networks," The Thirteenth National Computer Security Conference, Washington, DC, pages 115–124, 1990</ref> ComputerWatch at [[AT&T Bell Labs]] used statistics and rules for audit data reduction and intrusion detection.<ref>Dowell, Cheri, and Ramstedt, Paul, "The ComputerWatch Data Reduction Tool," Proceedings of the 13th National Computer Security Conference, Washington, D.C., 1990</ref> Then, in 1991, researchers at the [[University of California, Davis]] created a prototype Distributed Intrusion Detection System (DIDS), which was also an expert system.<ref>Snapp, Steven R., Brentano, James, Dias, Gihan V., Goan, Terrance L., Heberlein, L. Todd, Ho, Che-Lin, Levitt, Karl N., Mukherjee, Biswanath, Smaha, Stephen E., Grance, Tim, Teal, Daniel M., and Mansur, Doug, "DIDS (Distributed Intrusion Detection System) -- Motivation, Architecture, and An Early Prototype," The 14th National Computer Security Conference, October 1991, pages 167–176.</ref> The Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National Laboratory's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and Lunt.<ref>Jackson, Kathleen, DuBois, David H., and Stallings, Cathy A., "A Phased Approach to Network Intrusion Detection," 14th National Computing Security Conference, 1991</ref> NADIR used a statistics-based anomaly detector and an expert system.

The [[Lawrence Berkeley National Laboratory]] announced [[Bro (software)|Bro]] in 1998, which used its own rule language for packet analysis of [[libpcap]] data.<ref>Paxson, Vern, "Bro: A System for Detecting Network Intruders in Real-Time," Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, 1998</ref> Network Flight Recorder (NFR) in 1999 also used libpcap.<ref>Amoroso, Edward, "Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response," Intrusion.Net Books, Sparta, New Jersey, 1999, {{ISBN|0-9666700-7-8}}</ref> APE was developed as a packet sniffer, also using libpcap, in November 1998, and was renamed [[Snort (software)|Snort]] one month later. Snort has since become the world's most widely used IDS/IPS, with over 300,000 active users.<ref>Kohlenberg, Toby (Ed.), Alder, Raven, Carter, Dr. Everett F. (Skip) Jr., Esler, Joel, Foster, James C., Jonkman Marty, Raffael, and Poor, Mike, "Snort IDS and IPS Toolkit," Syngress, 2007, {{ISBN|978-1-59749-099-3}}</ref> It can monitor both local systems and remote capture points using the [[TZSP]] protocol. The Audit Data Analysis and Mining (ADAM) IDS in 2001 used [[tcpdump]] to build profiles of rules for classification.<ref>Barbara, Daniel, Couto, Julia, Jajodia, Sushil, Popyack, Leonard, and Wu, Ningning, "ADAM: Detecting Intrusions by Data Mining," Proceedings of the IEEE Workshop on Information Assurance and Security, West Point, NY, June 5–6, 2001</ref> In 2003, [[Yongguang Zhang]] and Wenke Lee argued for the importance of IDS in networks with mobile nodes.<ref>Intrusion Detection Techniques for Mobile Wireless Networks, ACM WINET 2003 <http://www.cc.gatech.edu/~wenke/papers/winet03.pdf></ref> In 2015, Viegas and his colleagues<ref>{{Cite journal|last1=Viegas|first1=E.|last2=Santin|first2=A. O.|last3=França|first3=A.|last4=Jasinski|first4=R.|last5=Pedroni|first5=V. A.|last6=Oliveira|first6=L. S.|date=2017-01-01|title=Towards an Energy-Efficient Anomaly-Based Intrusion Detection Engine for Embedded Systems|journal=IEEE Transactions on Computers|volume=66|issue=1|pages=163–177|doi=10.1109/TC.2016.2560839|s2cid=20595406|issn=0018-9340}}</ref> proposed an anomaly-based intrusion detection engine aimed at System-on-Chip (SoC) platforms, for instance for Internet of Things (IoT) applications. The proposal applies machine learning for anomaly detection, comparing the energy efficiency of Decision Tree, Naive Bayes, and k-Nearest Neighbors classifiers implemented on an Atom CPU with a hardware-friendly implementation on an FPGA.<ref>{{Cite book|last1=França|first1=A. L.|last2=Jasinski|first2=R.|last3=Cemin|first3=P.|last4=Pedroni|first4=V. A.|last5=Santin|first5=A. O.|title=2015 IEEE International Symposium on Circuits and Systems (ISCAS) |chapter=The energy cost of network security: A hardware vs. Software comparison |date=2015-05-01|pages=81–84|doi=10.1109/ISCAS.2015.7168575|isbn=978-1-4799-8391-9|s2cid=6590312}}</ref><ref>{{Cite book|last1=França|first1=A. L. P. d|last2=Jasinski|first2=R. P.|last3=Pedroni|first3=V. A.|last4=Santin|first4=A. O.|title=2014 IEEE Computer Society Annual Symposium on VLSI |chapter=Moving Network Protection from Software to Hardware: An Energy Efficiency Analysis |date=2014-07-01|pages=456–461|doi=10.1109/ISVLSI.2014.89|isbn=978-1-4799-3765-3|s2cid=12284444}}</ref> This was the first work in the literature to implement each classifier equivalently in software and hardware and to measure its energy consumption on both. It was also the first to measure the energy consumption of extracting each feature used for network packet classification, in both software and hardware.<ref>{{Cite web|url=https://secplab.ppgia.pucpr.br/files/papers/2016-1.pdf|title=Towards an Energy-Efficient Anomaly-Based Intrusion Detection Engine for Embedded Systems|website=SecPLab}}</ref>