This project explores novel techniques for performing intrusion
detection by using low-level components that are called internal
sensors and embedded detectors.
Goal of the Project
To show that it is possible to build reliable, effective and efficient
intrusion detection systems using low-level components built into the
systems they are designed to monitor.
What are Sensors and Detectors?
An internal sensor is a piece of code built into a program that
monitors a specific variable or condition of that program. The program
in question could be the Unix kernel, a system utility, or a
high-level application. By being built into the program that it is
monitoring, an internal sensor can perform direct monitoring on the
system, which allows it to obtain information that is reliable
(very difficult to modify, either by accident or by a malicious
attack) and near real-time (obtained almost at the moment it is
generated).
An embedded detector is a piece of code built into a program that
looks for specific signs of specific attacks or intrusions. An
embedded detector bases its decisions on an internal sensor, either
explicitly (when the sensor is clearly differentiable from the
detector) or implicitly (when the sensor is part of the detector,
which is usually the case when the checks are very simple).
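The distinction between the explicit and implicit cases can be sketched in C. This is an added illustration, not code from the project's prototype; the login function, the reporting hook, all names and the threshold are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define USER_MAX 16        /* size of the program's own username buffer */
#define FAIL_THRESHOLD 3   /* constructed threshold for this example */

static int alerts;         /* reports raised so far */
static int failed_logins;  /* program state observed by the sensor */

/* Hypothetical reporting hook: count the report and print it. */
static void report(const char *detector, const char *detail) {
    alerts++;
    fprintf(stderr, "[%s] %s\n", detector, detail);
}
int alert_count(void) { return alerts; }

/* Explicit internal sensor: exposes one internal variable, decides nothing. */
int sensor_failed_logins(void) { return failed_logins; }

/* Embedded detector that bases its decision on the sensor above. */
static void detect_password_guessing(void) {
    if (sensor_failed_logins() == FAIL_THRESHOLD)  /* fire once per streak */
        report("pw-guess", "repeated failed logins");
}

/* The monitored program's own function: returns 1 on success, 0 otherwise. */
int handle_login(const char *user, const char *pass) {
    char name[USER_MAX];
    /* Embedded detector with an implicit sensor: the length test is both the
       observation and the decision, made where the value is about to be used. */
    if (strlen(user) >= sizeof(name)) {
        report("long-user", "username exceeds internal buffer");
        return 0;
    }
    strcpy(name, user);  /* safe: length checked above */
    /* Constructed credential check standing in for the real program logic. */
    if (strcmp(name, "alice") == 0 && strcmp(pass, "correct") == 0) {
        failed_logins = 0;
        return 1;
    }
    failed_logins++;
    detect_password_guessing();
    return 0;
}

int main(void) {
    handle_login("an-overlong-username-value", "x");
    for (int i = 0; i < 3; i++) handle_login("alice", "wrong");
    printf("alerts raised: %d\n", alert_count());
    return 0;
}
```

Both checks run inside the monitored function itself, so they observe the actual values the program is about to act on rather than a log record produced afterwards.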
Research Papers and Documentation
The following documents describe the project and its concepts in much
more detail.
- Diego Zamboni.
Using Internal Sensors for Computer Intrusion Detection (Postscript, PDF).
Ph.D. Thesis, Purdue University, August 2001.
- Florian Kerschbaum, Eugene H. Spafford, and Diego Zamboni.
Using embedded sensors for detecting network attacks (Postscript, PDF).
In Deborah Frincke and Dimitris Gritzalis, editors,
Proceedings of the 1st ACM Workshop on Intrusion Detection
Systems. ACM SIGSAC, November 2000.
- Eugene H. Spafford and Diego Zamboni.
Design and implementation issues for embedded sensors in
intrusion detection (Postscript, PDF).
Presented at the Third International Workshop on Recent
Advances in Intrusion Detection (RAID2000), October 2000.
- Diego Zamboni.
Doing intrusion detection using embedded sensors --
thesis proposal (Postscript, PDF).
CERIAS Technical Report 2000-21, CERIAS, Purdue University,
West Lafayette, IN, October 2000.
- Eugene Spafford and Diego Zamboni.
Data collection mechanisms for intrusion detection systems
(Postscript, PDF).
CERIAS Technical Report 2000-08, CERIAS, Purdue University,
1315 Recitation Building, West Lafayette, IN, June 2000.
- Florian Kerschbaum, Eugene H. Spafford, and Diego Zamboni.
Embedded sensors and detectors for intrusion detection.
Journal of Computer Security 10 (2002) 23–70, IOS Press.
Project Posters and Handouts
These posters and handouts are used to provide information about our
project at research symposia, meetings, and colloquia. The poster has
an eye-catching graphic and brief information about the project. The
handouts provide some additional details and references.
- 5th Annual Information Security Symposium (March 23-24, 2004)
- Energizing the Enterprise: Cyber Security in Context
- 4th Annual CERIAS Research Symposium (April 8-9, 2003)
- Cyber Security & Safety for the 21st Century
Implementation Information
The initial research was completed as part of Diego Zamboni's Ph.D. work
with valuable contributions from Jim Early and Florian Kerschbaum. The
initial prototype was built using OpenBSD as the operating system
platform.
We are in the process of porting the research prototype to
FreeBSD, improving the ESP
framework and logging/reporting mechanism, and implementing additional
sensors and detectors. The implementation will be freely available
once it is in a more complete stage.
Current Members of the Project Group
- Eugene Spafford, Executive Director, CERIAS.
- Keith Watson, research engineer.
- Mahesh Babu, undergraduate student.
- Sarika Agarwal, graduate student.
- Tae Hoon Kim, undergraduate student.
- Chris Kois, undergraduate student.
- Ali Kumcu, graduate student.
Former Members of the Project Group
- Dan Aiello, graduate student (graduated May 2003).
- Mike Dulaney, undergraduate student.
- Jim Early, graduate student.
- Erin Johnson, undergraduate student.
- Florian Kerschbaum, graduate student.
- Blake Matheny, undergraduate student.
- Scott Tengalia, undergraduate student (graduated May 2003).
- Diego Zamboni, graduate student (graduated August 2001).
Internal Project Documentation