A Hierarchical Approach for Detecting System Intrusions through Event Correlation

G.W. Rice and T.E. Daniels (USA)

Keywords

Intrusion detection, event correlation

Abstract

The purpose of this work is to improve intrusion detection techniques by developing a more general framework and infrastructure for detecting system penetrations through new event correlation strategies. Unlike traditional misuse and anomaly detection architectures, we propose a novel approach where information is gathered at multiple layers within the computing system and analyzed according to a specified behavior pattern. By gathering event data at the application, system, and network layers within a system, we describe a new approach to intrusion detection that departs from previous work in specification-based and kernel-layer intrusion detection systems. Using this approach, events intercepted at each layer within the intrusion detection system hierarchy can be correlated to their consequential effects within adjoining layers. By examining how events relate across several adjacent layers within the computing system, future intrusion detection systems may gain the ability to not only detect deviant program activity outside the specified security profile for a system but also generate alerts for more complex attacks that generate inconsistent events between adjoining layers.
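The following Python sketch is an added example, not code from the paper, of the two checks the abstract describes: a specification-based profile check on system-layer events, and a cross-layer correlation that flags an event with no causal event in the adjoining lower layer. The layer ordering (network -> application -> system), the time window, the profile and the event trace are all constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    ts: float      # seconds
    layer: str     # "network", "application" or "system"
    actor: str     # process or service the event is attributed to
    action: str
    obj: str


# Constructed sample trace for one web server process (not real data).
EVENTS = [
    Event(1.0, "network", "httpd", "recv", "GET /index.html"),
    Event(1.1, "application", "httpd", "serve", "/var/www/index.html"),
    Event(1.2, "system", "httpd", "open", "/var/www/index.html"),
    Event(2.0, "network", "httpd", "recv", "POST /cgi-bin/upload"),
    Event(2.1, "application", "httpd", "serve", "/var/www/upload.html"),
    Event(2.2, "system", "httpd", "open", "/etc/shadow"),  # outside profile
    Event(3.0, "system", "httpd", "execve", "/bin/sh"),    # no adjoining-layer cause
]

# Security profile (assumed): allowed object prefixes per system-layer
# action for each actor; an empty list means the action is never allowed.
PROFILE = {"httpd": {"open": ["/var/www/"], "execve": []}}

# Hierarchy (assumed): an event at a layer should be the consequence of an
# event by the same actor in the layer below it, within WINDOW seconds.
CAUSE_LAYER = {"application": "network", "system": "application"}
WINDOW = 0.5


def correlate(events, window=WINDOW):
    """Return (kind, event) alerts: 'profile' for events outside the
    specification, 'unexplained' for events no adjoining layer accounts for."""
    by_layer = defaultdict(list)
    for ev in events:
        by_layer[ev.layer].append(ev)
    alerts = []
    for ev in sorted(events):
        cause = CAUSE_LAYER.get(ev.layer)
        if cause and not any(c.actor == ev.actor and 0 <= ev.ts - c.ts <= window
                             for c in by_layer[cause]):
            alerts.append(("unexplained", ev))
        allowed = PROFILE.get(ev.actor, {}).get(ev.action) if ev.layer == "system" else None
        if allowed is not None and not any(ev.obj.startswith(p) for p in allowed):
            alerts.append(("profile", ev))
    return alerts


if __name__ == "__main__":
    for kind, ev in correlate(EVENTS):
        print(f"{kind:12} t={ev.ts} {ev.layer}: {ev.actor} {ev.action} {ev.obj}")
```

The `/etc/shadow` open is explained by a preceding application event but violates the profile, while the `execve` is flagged both ways because no application-layer event precedes it within the window.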
