Intrusion Detection for Large Networks

Overview
The purpose of this project is to develop intrusion detection technology
for wide area networks. We are attempting to push the state of the art
in two directions.
- Size: we wish to handle thousands or tens of thousands of hosts, rather than the hundreds currently possible.
- Protection of infrastructure: we wish to protect routers, domain name service, etc., rather than just general-purpose hosts.
Additional goals of the project include inter-operability with network
management technology (especially SNMP), independence of particular operating
systems, and extensibility to new network components and services.
We aim to deliver ideas and a prototype system. As the project moves forward,
we will increasingly seek commercial partners to which we can spin off our
technology.
This project is sponsored by ARPA,
and we are under the supervision of Teresa Lunt and Mike St Johns.

Status
We are halfway through our funded period. We have researched most of
the underlying problems and developed new solutions to several of them.
We are now actively working to integrate our various efforts into a coherent
system.

Contacts

Research Projects
- Privileged Programs: we have a specification-based approach to detecting attacks on these.
- Thumbprinting: this is a technology for tracing intruders over the network.
- Routers and Domain Name System: we propose a detection-diagnosis-recovery approach for protecting routers and a formal intrusion-detection approach for protecting domain name systems.
- Communications Infrastructure: we are developing a distributed system to tie our components (and those of others) together.
- GrIDS project: we are using graph representations of network activity to detect abuse.
- LaSCO: this is a language to specify policies.

Personnel
Principal Investigators
Staff
Students

Internal Documents
Access to these is restricted so that we can share crazy ideas amongst
ourselves without worrying what the world thinks.

Stuart Staniford-Chen
5/2/97