IDEA: A new intrusion detection data source

William Mahoney; William Sousan

IDEA: A new intrusion detection data source

William Mahoney, William Sousan

Cybersecurity

Research output: Contribution to journal › Article › peer-review

Abstract

In the context of computer systems, an intrusion is generally considered to be a harmful endeavor to prevent others from legitimate use of that system, to obtain data which is not normally available to the intruder, or to plant data or disrupt data already existent on the machines. Traditionally intrusion detection has relied on two data sources: various log files which record user's activity, and network traffic which contains potential threats. This research presents a system which we call IDEA; the Intrusion DEtection Automata system. We utilize a third source of data for intrusion detection in the form of an instrumented process. Open source software is recompiled using a modified compiler we have created, and the resulting executable program generates the data as it runs. An external monitoring facility then checks the behavior of the program against known good execution paths. These paths are specified either using a domain specific language and hand-written rules, or by running the software in a learning mode and capturing the normal behavior for later comparison.

Original language	English (US)
Pages (from-to)	17-24
Number of pages	8
Journal	International Journal of Security and its Applications
Volume	2
Issue number	3
State	Published - 2008

ASJC Scopus subject areas

General Computer Science

Cite this

@article{2d677f33f02246cc96c1a57762de2893,

title = "IDEA: A new intrusion detection data source",

abstract = "In the context of computer systems, an intrusion is generally considered to be a harmful endeavor to prevent others from legitimate use of that system, to obtain data which is not normally available to the intruder, or to plant data or disrupt data already existent on the machines. Traditionally intrusion detection has relied on two data sources: various log files which record user's activity, and network traffic which contains potential threats. This research presents a system which we call IDEA; the Intrusion DEtection Automata system. We utilize a third source of data for intrusion detection in the form of an instrumented process. Open source software is recompiled using a modified compiler we have created, and the resulting executable program generates the data as it runs. An external monitoring facility then checks the behavior of the program against known good execution paths. These paths are specified either using a domain specific language and hand-written rules, or by running the software in a learning mode and capturing the normal behavior for later comparison.",

author = "William Mahoney and William Sousan",

year = "2008",

language = "English (US)",

volume = "2",

pages = "17--24",

journal = "International Journal of Security and its Applications",

issn = "1738-9976",

publisher = "Science and Engineering Research Support Society",

number = "3",

}

TY - JOUR

T1 - IDEA

T2 - A new intrusion detection data source

AU - Mahoney, William

AU - Sousan, William

PY - 2008

Y1 - 2008

N2 - In the context of computer systems, an intrusion is generally considered to be a harmful endeavor to prevent others from legitimate use of that system, to obtain data which is not normally available to the intruder, or to plant data or disrupt data already existent on the machines. Traditionally intrusion detection has relied on two data sources: various log files which record user's activity, and network traffic which contains potential threats. This research presents a system which we call IDEA; the Intrusion DEtection Automata system. We utilize a third source of data for intrusion detection in the form of an instrumented process. Open source software is recompiled using a modified compiler we have created, and the resulting executable program generates the data as it runs. An external monitoring facility then checks the behavior of the program against known good execution paths. These paths are specified either using a domain specific language and hand-written rules, or by running the software in a learning mode and capturing the normal behavior for later comparison.

AB - In the context of computer systems, an intrusion is generally considered to be a harmful endeavor to prevent others from legitimate use of that system, to obtain data which is not normally available to the intruder, or to plant data or disrupt data already existent on the machines. Traditionally intrusion detection has relied on two data sources: various log files which record user's activity, and network traffic which contains potential threats. This research presents a system which we call IDEA; the Intrusion DEtection Automata system. We utilize a third source of data for intrusion detection in the form of an instrumented process. Open source software is recompiled using a modified compiler we have created, and the resulting executable program generates the data as it runs. An external monitoring facility then checks the behavior of the program against known good execution paths. These paths are specified either using a domain specific language and hand-written rules, or by running the software in a learning mode and capturing the normal behavior for later comparison.

UR - http://www.scopus.com/inward/record.url?scp=84858229227&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84858229227&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:84858229227

SN - 1738-9976

VL - 2

SP - 17

EP - 24

JO - International Journal of Security and its Applications

JF - International Journal of Security and its Applications

IS - 3

ER -

IDEA: A new intrusion detection data source

Abstract

ASJC Scopus subject areas

Other files and links

Fingerprint

Cite this