GrIDS Requirements Document


Domain of usefulness

The Graph-based Intrusion Detection System (GrIDS) will run on Unix hosts connected by IP networks using common physical network technologies (Ethernet, FDDI, point-to-point links). It may observe network activity originating from non-Unix hosts, but will not detect activity on those hosts themselves. It should be usable and useful on networks ranging in size from "small" (one LAN with a few machines) up to "large" (a campus-wide network with several thousand hosts and several hundred IP subnets). The network will be assumed to belong to a single organization. The organization may consist of a number of departments which have some autonomy, but which are not actively hostile to each other.

The GrIDS output should be presented through an interface facility usable by one or several site security officers (SSOs), who may be responsible for different parts of the network.


State of delivery

It should be possible to install and configure the delivered system in a basic mode with an effort of a few days for a small network and about a month for a large one.

Functionality

GrIDS will be capable of performing the following tasks.

Incorporate reports of single host attacks

GrIDS shall provide an interface, using appropriate filters, for incorporating the conclusions of any single-host IDSs that may be running. Most of the semantic content of the other system's alerts should be preserved.

Detect network attacks

GrIDS will be able, by default, to detect large-scale doorknob rattling (a single source probing many hosts for accessible services) and the spread of worms. GrIDS will also detect other patterns of attack which the user specifies.

Detect violations of a network access policy

GrIDS will allow the SSO to specify a policy stating which network objects may be accessed by which network subjects, and will report violations of that policy.
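The two default requirements above, doorknob rattling detection and access-policy checking, are illustrated below with a small added example. This is not GrIDS code and does not use its graph aggregation machinery; the key=value record format, the policy rule format (subject CIDR, object CIDR, port set, first match wins, default deny), the sample records and the thresholds are all assumptions made for this illustration. The doorknob rattling test treats each connection record as an edge src -> dst and reports a source whose number of distinct destinations within a sliding time window reaches a threshold.

```python
"""Added example (not GrIDS code): doorknob-rattling detection and
network-access-policy checking over constructed connection records."""
from collections import defaultdict
import ipaddress

# Constructed sample connection records. The key=value line format is assumed
# for this example only; it is not the record format GrIDS consumes.
SAMPLE_LOG = """\
t=0 src=10.1.1.5 dst=10.1.2.10 dport=23
t=1 src=10.1.1.5 dst=10.1.2.11 dport=23
t=2 src=10.1.1.5 dst=10.1.2.12 dport=23
t=3 src=10.1.1.5 dst=10.1.2.13 dport=23
t=4 src=10.1.1.5 dst=10.1.2.14 dport=23
t=5 src=10.1.1.5 dst=10.1.2.15 dport=23
t=10 src=10.1.3.7 dst=10.1.2.10 dport=22
t=12 src=10.1.3.7 dst=10.1.2.10 dport=25
t=900 src=10.1.3.7 dst=10.1.2.20 dport=22
t=901 src=10.1.9.9 dst=10.1.2.30 dport=513
t=905 src=10.1.1.6 dst=10.1.2.10 dport=25
"""

# Constructed access policy (assumed format): evaluated top to bottom, first
# match wins, and any connection matching no rule is denied. Subjects and
# objects are CIDR blocks; "ports" narrows the object to services (None = any).
POLICY = [
    {"subject": "10.1.3.0/24", "object": "10.1.2.0/24", "ports": {22, 25}, "action": "allow"},
    {"subject": "10.1.9.0/24", "object": "10.1.2.0/24", "ports": None, "action": "deny"},
    {"subject": "10.1.0.0/16", "object": "10.1.2.0/24", "ports": {25, 513}, "action": "allow"},
]


def parse_records(text):
    """Parse key=value connection lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        records.append({
            "t": int(fields["t"]),
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
        })
    return records


def doorknob_rattling(records, window=60, min_hosts=5):
    """Report sources that touch at least min_hosts distinct destination hosts
    within any span of `window` seconds.

    Each record is an edge src -> dst in a connection graph; a source whose
    out-degree (distinct destinations) inside the sliding window reaches the
    threshold is reported with the largest out-degree seen. This per-source
    out-degree test is a stand-in for GrIDS's graph aggregation, not the
    same machinery."""
    by_src = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["t"]):
        by_src[rec["src"]].append(rec)
    alerts = {}
    for src, rs in by_src.items():
        start = 0
        for end in range(len(rs)):
            # Slide the window start forward until it spans <= window seconds.
            while rs[end]["t"] - rs[start]["t"] > window:
                start += 1
            hosts = {r["dst"] for r in rs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[str(src)] = max(alerts.get(str(src), 0), len(hosts))
    return alerts


def policy_violations(records, policy):
    """Return (t, src, dst, dport) for every record the policy does not allow."""
    rules = [(ipaddress.ip_network(p["subject"]), ipaddress.ip_network(p["object"]),
              p["ports"], p["action"]) for p in policy]
    violations = []
    for r in records:
        decision = "deny"  # default deny: unmatched connections are violations
        for subject, obj, ports, action in rules:
            if r["src"] in subject and r["dst"] in obj and (ports is None or r["dport"] in ports):
                decision = action
                break
        if decision != "allow":
            violations.append((r["t"], str(r["src"]), str(r["dst"]), r["dport"]))
    return violations


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for src, n in doorknob_rattling(recs).items():
        print(f"doorknob rattling: {src} reached {n} hosts within 60s")
    for v in policy_violations(recs, POLICY):
        print("policy violation: t=%d %s -> %s:%d" % v)
```

On the constructed records, 10.1.1.5 is reported for rattling (six hosts in six seconds), while 10.1.3.7, which contacts a second host only fifteen minutes later, is not; the same six probes also appear as policy violations because no rule allows port 23, and 10.1.9.9 is reported by the explicit deny rule. The window and threshold are the knobs an SSO would tune per site; the example takes them as parameters rather than fixing them.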