
Intrusion Detection in Distributed Systems

  • ISBN13: 9781402076244
  • ISBN10: 140207624X
  • Format: Hardcover
  • Copyright: 2003-10-01
  • Publisher: Kluwer Academic Pub
  • List Price: $64.99

Summary

Intrusion detection systems (IDSs) are usually deployed alongside preventive security mechanisms such as access control and authentication, as a second line of defense for information systems. Intrusion detection complements these protective mechanisms to improve overall system security. Moreover, even when the preventive mechanisms succeed in protecting an information system, it is still desirable to know what intrusions have happened or are happening, so that users understand the security threats and risks and are better prepared for future attacks.

Intrusion detection techniques are traditionally divided into two classes: anomaly detection and misuse detection. Anomaly detection is based on the normal behavior of a subject (e.g., a user or a system); any action that deviates significantly from that normal behavior is considered intrusive. Misuse detection catches intrusions in terms of the characteristics of known attacks or system vulnerabilities; any action that conforms to the pattern of a known attack or vulnerability is considered intrusive. Alternatively, IDSs may be classified as host-based, distributed, or network-based according to the source of the audit information each uses. Host-based IDSs take audit data from host audit trails and usually aim at detecting attacks against a single host; distributed IDSs gather audit data from multiple hosts and possibly from the network that connects them, aiming at detecting attacks that involve multiple hosts; network-based IDSs use network traffic as the audit data source, relieving the burden on hosts that normally provide computing services.

Intrusion Detection In Distributed Systems: An Abstraction-Based Approach presents research contributions in three areas of intrusion detection in distributed systems. The first contribution is an abstraction-based approach to addressing the heterogeneity and autonomy of distributed environments. The second contribution is a formal framework for modeling requests among cooperative IDSs and its application to the Common Intrusion Detection Framework (CIDF). The third contribution is a novel approach to coordinating different IDSs for distributed event correlation. The book is designed for a professional audience of researchers and practitioners in industry, and is also suitable as a secondary text for graduate-level students in computer science and electrical engineering.

Author Biography

Dr. Sushil Jajodia is Professor and Chairman of the Dept. of Information and Software Engineering, and Director of the Center for Secure Information Systems at George Mason University, Fairfax, Virginia, USA.

Table of Contents

Dedication
List of Figures
List of Tables
Preface
Acknowledgments
1. INTRODUCTION
    1 Computer Security and Intrusion Detection
    2 Intrusion Detection in Distributed Systems
    3 Summary of Contributions
    4 Organization
2. AN OVERVIEW OF RELATED RESEARCH
3. SYSTEM VIEW AND EVENT HISTORY
    1 System View and Event History
        1.1 Qualitative Temporal Relationships between Events
4. MODELING REQUESTS AMONG COOPERATING INTRUSION DETECTION SYSTEMS
    1 Query
        1.1 Query Result
    2 Scaling to Large and Heterogeneous Environments
        2.1 Expected View and Provided View
        2.2 Mismatch and Mismatch Resolution
    3 Discussion
        3.1 Comparison with Alternative Approaches
        3.2 Relationship with Signature-based Intrusion Detection
        3.3 Implementation Issues
5. EXTENDING COMMON INTRUSION DETECTION FRAMEWORK (CIDF) TO SUPPORT QUERIES
    1 Background
        1.1 Common Intrusion Specification Language
    2 A Query Facility for CIDF
        2.1 S-Patterns
        2.2 Format of Returning Message
        2.3 An Example: Tracing Suspicious Users
    3 Impact on CIDF
6. A HIERARCHICAL MODEL FOR DISTRIBUTED ATTACKS
    1 Misuse Signature
    2 Defining System Views Using Signatures: A Hierarchical Model
    3 Discussion
        3.1 Extensions to ARMD
        3.2 Generic and Specific Signatures
        3.3 Clock Discrepancy
7. DECENTRALIZED DETECTION OF DISTRIBUTED ATTACKS
    1 Serializable Signatures
    2 Detection Task and Workflow Tree
    3 Execution of Detection Tasks
    4 Optimization
    5 Generating Workflow Tree
        5.1 A Heuristic Approach
8. CARDS: AN EXPERIMENTAL SYSTEM FOR DETECTING DISTRIBUTED ATTACKS
    1 CARDS Architecture
        1.1 Signature Manager
        1.2 Monitor
        1.3 Directory Service
    2 System Design Issues
        2.1 Internal Languages
        2.2 Specific Signature Generation
        2.3 Specific Signature Decomposition
    3 Prototype Implementation
        3.1 Directory Service and DirHelper
        3.2 Signature Manager
        3.3 Monitor
        3.4 Limitations
9. CONCLUSION
Appendices
    A Document Type Definitions (DTDs) Used in CARDS
        1 The DTD for System Views
        2 The DTD for Signatures
        3 The DTD for Detection Tasks
    B Sample System Views, Signatures and Detection Tasks in CARDS
        1 System Views
            1.1 The System View DOSAttacks
            1.2 The System View LocalTCPConn
        2 The Generic Signature for the Mitnick Attack
        3 One Specific Signature for the Mitnick Attack
        4 The Detection Tasks for the Specific Signature of the Mitnick Attack
            4.1 Detection Task n1
            4.2 Detection Task n2
            4.3 Detection Task n3
References
Index
