GrIDS Requirements Document
Domain of usefulness
The Graph-based Intrusion Detection System (GrIDS) will run on Unix
hosts connected by IP networks using common physical network
technologies (ethernet, FDDI, point-to-point links). It may detect
network activity from non-Unix hosts, but will not detect activity
on them. It should be usable and useful on networks ranging in size
from "small" (one LAN with a few machines) up to "large" (a
campus-wide network with several thousand hosts and several
hundred IP subnets). The network will be assumed to belong to a
single organization. The organization may consist of a number of
departments which have some autonomy, but which are not actively
hostile to each other.
GrIDS should present its output through an interface usable by one or
several SSOs, each of whom may be responsible for a different part of
the network.
State of delivery
It should be possible to install and configure the delivered system
in a basic mode with an effort taking a few days for a small system
and about a month for a large system.
Functionality
GrIDS will be capable of performing the following tasks.
Incorporate reports of single host attacks
GrIDS shall provide an interface that incorporates, through
appropriate filters, the conclusions of any single-host IDS systems
that may be running. Most of the semantic content of the other
system's alerts should be preserved.
Detect network attacks
GrIDS will be able, by default, to detect large-scale doorknob
rattling activity and the spread of worms. GrIDS will also detect
other attack patterns that the user specifies.
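The two default patterns above are the graph-level signatures GrIDS is built around: a doorknob rattler is one source fanning out to many hosts on one service, while a worm shows up as a causally ordered tree in which hosts that were just reached go on to reach others. The following is an added illustration, not GrIDS' own code; the record format, addresses and thresholds are constructed assumptions.

```python
# Added example (not GrIDS' own code): aggregate connection records into a
# directed activity graph and flag the two default patterns the requirements
# name. The record format, addresses and thresholds are constructed assumptions.
from collections import defaultdict

# Constructed sample records: "<time> <src> <dst> <dport>" per line.
SAMPLE_LOG = """\
1 10.0.0.5 10.0.1.1 23
2 10.0.0.5 10.0.1.2 23
3 10.0.0.5 10.0.1.3 23
4 10.0.0.5 10.0.1.4 23
5 10.0.0.5 10.0.1.5 23
6 10.0.2.1 10.0.2.2 513
7 10.0.2.2 10.0.2.3 513
8 10.0.2.2 10.0.2.4 513
9 10.0.2.3 10.0.2.5 513
10 10.0.3.9 10.0.3.10 80
"""

def parse_records(text):
    """Turn constructed log lines into (time, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport = line.split()
        records.append((int(t), src, dst, int(dport)))
    return records

def build_graph(records):
    """Directed graph keyed by source host: src -> [(time, dst, dport), ...]."""
    graph = defaultdict(list)
    for t, src, dst, dport in records:
        graph[src].append((t, dst, dport))
    return graph

def doorknob_rattlers(graph, min_targets=4):
    """Doorknob rattling: one source touching many distinct hosts on the same
    service. Returns sorted (src, dport, distinct_targets)."""
    hits = []
    for src, edges in graph.items():
        targets_by_port = defaultdict(set)
        for _, dst, dport in edges:
            targets_by_port[dport].add(dst)
        for dport, targets in targets_by_port.items():
            if len(targets) >= min_targets:
                hits.append((src, dport, len(targets)))
    return sorted(hits)

def worm_trees(graph, min_hosts=4, min_depth=2):
    """Worm spread: a host reached over service P later uses P to reach further
    hosts, so the graph contains a causally ordered tree rather than a star.
    Returns sorted (root, dport, hosts_in_tree, depth)."""
    per_port = defaultdict(lambda: defaultdict(list))
    for src, edges in graph.items():
        for t, dst, dport in edges:
            per_port[dport][src].append((t, dst))
    trees = []
    for dport, adj in per_port.items():
        reached = {dst for edges in adj.values() for _, dst in edges}
        for root in (s for s in adj if s not in reached):
            seen = {root}
            depth = 0
            stack = [(root, 0, 0)]          # (host, time it was reached, depth)
            while stack:
                host, reached_at, d = stack.pop()
                for t, dst in adj.get(host, []):
                    if t >= reached_at and dst not in seen:  # only causal edges
                        seen.add(dst)
                        depth = max(depth, d + 1)
                        stack.append((dst, t, d + 1))
            if len(seen) >= min_hosts and depth >= min_depth:
                trees.append((root, dport, len(seen), depth))
    return sorted(trees)

def analyze(text):
    """Run both default detectors over a log and return their findings."""
    graph = build_graph(parse_records(text))
    return {"doorknob": doorknob_rattlers(graph), "worm": worm_trees(graph)}

if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        print(kind, findings)
```

The depth requirement is what separates the two signatures: the rattler on port 23 reaches five hosts but none of them connects onward, so it never forms a tree, while the port 513 chain is flagged only because hosts reached at one step originate later connections. The causal check on timestamps keeps unrelated earlier traffic from being absorbed into a tree.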
Detect violations of a network access policy
GrIDS will allow the SSO to specify a policy regarding
which network objects can be accessed by which network
subjects, and report violations of the policy.
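A policy of the kind described here is a list of subject/object/service rules plus a rule for what happens when nothing matches. The block below is an added illustration, not GrIDS' own policy language or code; the rule format, the first-match-wins semantics with default deny, and all addresses and ports are constructed assumptions.

```python
# Added example (not GrIDS' own code): a small rule list in the spirit of the
# access policy the requirements call for, plus a checker that reports every
# connection the policy does not permit. Rules, addresses and ports are
# constructed assumptions.
import ipaddress

# Constructed policy. Each rule is (action, subject network, object network, port).
# Evaluation is first match wins; a connection matching no rule is denied.
POLICY = [
    ("allow", "10.0.1.0/24", "10.0.1.0/24", "*"),   # workstation LAN talks to itself
    ("allow", "10.0.0.0/16", "10.0.9.10/32", 25),   # anyone on campus -> mail relay
    ("deny",  "10.0.0.0/16", "10.0.9.0/24",  "*"),  # no other access to the server subnet
    ("allow", "10.0.0.0/16", "10.0.0.0/16",  80),   # campus-wide web allowed
]

def compile_policy(rules):
    """Parse the CIDR strings once so each check is a cheap membership test."""
    compiled = []
    for action, subject, obj, port in rules:
        compiled.append((action, ipaddress.ip_network(subject),
                         ipaddress.ip_network(obj), port))
    return compiled

def decide(policy, src, dst, dport):
    """Return (verdict, index of the matching rule or None) for one connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (action, subject, obj, port) in enumerate(policy):
        if s in subject and d in obj and (port == "*" or port == dport):
            return action, index
    return "deny", None         # default deny: nothing matched

def violations(policy, connections):
    """Connections the policy rejects, with the rule that rejected them."""
    out = []
    for src, dst, dport in connections:
        verdict, index = decide(policy, src, dst, dport)
        if verdict == "deny":
            out.append((src, dst, dport, index))
    return out

# Constructed sample connections (src, dst, dport).
SAMPLE_CONNECTIONS = [
    ("10.0.1.5",    "10.0.1.7",  22),   # intra-LAN: allowed by rule 0
    ("10.0.3.4",    "10.0.9.10", 25),   # mail relay: allowed by rule 1
    ("10.0.3.4",    "10.0.9.10", 22),   # ssh to the relay: denied by rule 2
    ("10.0.3.4",    "10.0.5.6",  80),   # web: allowed by rule 3
    ("10.0.3.4",    "10.0.5.6",  23),   # telnet: no rule, default deny
    ("192.168.1.1", "10.0.5.6",  80),   # outside subject: no rule, default deny
]

def report(rules=POLICY, connections=SAMPLE_CONNECTIONS):
    """Human-readable violation lines an SSO could review."""
    policy = compile_policy(rules)
    lines = []
    for src, dst, dport, index in violations(policy, connections):
        why = f"rule {index}" if index is not None else "no matching rule"
        lines.append(f"VIOLATION {src} -> {dst}:{dport} ({why})")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

Reporting the index of the rule that produced the denial, or the fact that no rule matched, is what makes a violation report actionable: the SSO can tell a deliberate prohibition from a gap in the policy and adjust either the rule list or the offending host accordingly.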