Graph-based Intrusion Detection System

Graph-based Intrusion Detection System (GrIDS)

Overview

GrIDS is designed to detect large-scale automated attacks on networked systems. The mechanism that we propose is to build activity graphs which approximately represent the causal structure of large scale distributed activities.

The nodes of an activity graph correspond to hosts in a system, while edges in the graph correspond to network activity between those hosts. Activity in a monitored network causes graphs representing that activity to be built. These graphs are then compared against known patterns of intrusive or hostile activities, and if they look similar a warning (or perhaps a reaction) is generated.

The GrIDS project is part of UC Davis's Intrusion Detection for Large Networks project, which is funded by ARPA.

Additional Information

GrIDS Requirements Document
GrIDS Design Document
GrIDS Design report (DRAFT) [postscript, pdf]
GrIDS Design report (FINAL) [postscript, pdf]

Papers

NISSC 96 paper outlining the GrIDS design.

Presentations

PI meeting, Savannah, GA, Feb 25-27, 1997. [postscript, pdf]