An expert system application for network intrusion detection
The paper describes the design of a prototype intrusion detection system for the Los Alamos National Laboratory's Integrated Computing Network (ICN). The Network Anomaly Detection and Intrusion Reporter (NADIR) differs in one respect from most intrusion detection systems: it addresses the intrusion detection problem on a network, as opposed to a single operating system. NADIR's design intent was to replicate and improve the audit record review normally done by security auditors. We wished to replace the manual review of audit logs with a near real-time expert system. NADIR compares network activity, as summarized in user profiles, against expert rules that define network security policy, improper or suspicious network activities, and normal network and user activity. When it detects deviant (anomalous) behavior, NADIR alerts operators in near real time and provides tools to aid in the investigation of the anomalous event. 15 refs., 2 figs.
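The profile-versus-rules scheme sketched in the abstract, as an added illustration that is not NADIR's own code: each user profile summarizes audit activity, and the three rule categories (security policy, suspicious activity, deviation from the user's own normal behaviour) are checked against it to produce alerts. The profile fields, clearance and partition names, thresholds and sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Toy NADIR-style rule engine (illustrative; the profile fields, thresholds
# and alert format below are assumptions, not those of the real NADIR).

@dataclass
class Profile:
    """One user's network activity, summarized from audit records."""
    user: str
    clearance: str          # assumed attribute: "open" or "secure"
    partitions: frozenset   # network partitions the user accessed
    failed_logins: int
    logins: int
    baseline_logins: float  # this user's historical mean login count

# Each rule returns (category, message) when it fires, else None.  The three
# categories follow the abstract: policy, suspicious activity, and anomaly
# relative to the user's own normal behaviour.
def rule_policy_partition(p):
    if p.clearance == "open" and "secure" in p.partitions:
        return ("policy", f"{p.user}: open-clearance user accessed secure partition")
    return None

def rule_suspicious_failed_logins(p, limit=5):
    if p.failed_logins >= limit:
        return ("suspicious", f"{p.user}: {p.failed_logins} failed logins")
    return None

def rule_anomaly_login_volume(p, factor=3.0):
    if p.baseline_logins > 0 and p.logins > factor * p.baseline_logins:
        return ("anomaly", f"{p.user}: {p.logins} logins vs baseline {p.baseline_logins:g}")
    return None

RULES = [rule_policy_partition, rule_suspicious_failed_logins, rule_anomaly_login_volume]

def evaluate(profiles, rules=RULES):
    """Apply every rule to every profile; return the alerts that fired."""
    return [hit for p in profiles for rule in rules if (hit := rule(p))]

# Constructed sample profiles (not real ICN data).
SAMPLE = [
    Profile("alice", "open", frozenset({"open"}), 0, 12, 10.0),
    Profile("bob", "open", frozenset({"open", "secure"}), 1, 10, 10.0),
    Profile("carol", "secure", frozenset({"secure"}), 7, 40, 10.0),
]

if __name__ == "__main__":
    for category, message in evaluate(SAMPLE):
        print(f"[{category}] {message}")
```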
- Research Organization: Los Alamos National Lab., NM (United States)
- Sponsoring Organization: DOE; USDOE, Washington, DC (United States)
- DOE Contract Number: W-7405-ENG-36
- OSTI ID: 5386779
- Report Number(s): LA-UR-91-558; CONF-911059--1; ON: DE91008590
- Country of Publication: United States
- Language: English