Intrusion Detection Systems

Copyright © 1999 Panagiotis Astithas

Imagine it's a cold and wet December day. You are sitting in front of your workstation, running some routine checks on your network. Your work as a network and systems administrator for a large corporation requires that you perform these checks every day, in order to safeguard the operation of the company's computer network. The day has been quiet so far, and as far as you can see, the only persons currently logged in to the main server are you and the head of the IT Department. Suspecting that he may be monitoring the zealousness of your work, you fire up dozens of processes just to seem busy, hoping that xtetris will go unnoticed. Suddenly, you get an intrusion alert! Your Intrusion Detection System (IDS) has noticed suspicious behavior from the user logged in as your boss. Apparently he has tried to FTP a password file from a government site. You make a phone call to clear things up, and it turns out that your boss is in Tahiti, attending an important business conference. Convinced that you are dealing with an intruder, you examine your audit logs and your boss's session profiles, and come to the conclusion that the impostor is a company employee, connected from a terminal a few cubicles away. You catch him in the act, he gets fired, and you get a free trip to Tahiti to receive your boss's congratulations in person.

To some of us, this may sound a little bit like (computer) science fiction, but the fact is that Intrusion Detection Systems are considered one of the hottest research topics today. Furthermore, this technology is already mature enough to be used in commercial products, and is gaining widespread recognition as an important tool for improving the security of a computer network. Everyone agrees that the need for security improvements in the operation of computer systems is very pressing indeed. The proliferation of applications such as Electronic Commerce, and the increasingly important role that computer networks such as the Internet play in today's world, have pushed the search for more secure systems to the forefront of computer science research. Intrusion Detection is a newer approach, which tries to detect attempts to penetrate a system rather than to prevent them from occurring. It is based on the assumption that it is practically impossible to avoid every security breach in the long run, and emphasizes instead the need to identify such attempts, preferably in real time, and to assess the damage they have caused. This alternative approach has been investigated mostly in the last decade, and a brief examination of the historical developments in the field can provide us with a better insight into the motivation behind it.

A little history

In 1980, James Anderson first proposed that audit trails should be used to monitor threats. The importance of such data had not been appreciated at that time, and all the available system security procedures were focused on denying access to sensitive data from an unauthorized source. In 1987, Dorothy Denning presented an abstract model of an Intrusion Detection System. This paper was the first to propose the concept of intrusion detection as a solution to the problem of providing a sense of security in computer systems. It was more of a retrofit approach, in comparison to the traditional proactive methods of encryption and access control. In 1988, the Internet worm (also known as the Morris worm) disrupted a large part of the Internet for several days. This incident brought the need for computer security into the spotlight. The same year Teresa Lunt et al. refined the intrusion detection model proposed by Denning and created IDES (Intrusion Detection Expert System). This system was designed to detect intrusion attempts against a single host. An improved version, called NIDES (Next-generation Intrusion Detection Expert System), was developed in 1995. Also in 1988, the Haystack system was developed in order to assist Air Force Security Officers in detecting misuse of the mainframes used at Air Force Bases, and MIDAS (Multics Intrusion Detection and Alerting System) was created for the same purpose, but for the National Computer Security Center's Multics mainframe. In 1989, we had Wisdom and Sense from the Los Alamos National Laboratory, and Information Security Officer's Assistant (ISOA) from Planning Research Corporation. A new concept was introduced in 1990 with NSM (Network Security Monitor, now called Network Intrusion Detector or NID): instead of examining the audit trails of a host computer system, suspicious behavior was detected by passively monitoring the network traffic in a LAN.

In 1991, a different idea was introduced with NADIR (Network Anomaly Detection and Intrusion Reporter) and DIDS (Distributed Intrusion Detection System): the audit data from multiple hosts were collected and aggregated in order to detect coordinated attacks against a set of hosts. In 1994, Mark Crosbie and Gene Spafford suggested the use of autonomous agents in order to improve the scalability, maintainability, efficiency and fault tolerance of an IDS. This idea fitted well with the ongoing research on software agents in other areas of computer science. Another approach to the scalability deficiencies of most contemporary intrusion detection systems was proposed in 1996, with the design and implementation of GrIDS. This system facilitates the detection of large-scale automated or coordinated attacks, which may even span multiple administrative domains. In 1998, Ross Anderson and Abida Khattak offered an innovative approach to intrusion detection, by incorporating information retrieval techniques into intrusion detection tools. And as the research in the field continues, we see this paradigm proposed as an answer to the security requirements of other technological areas, such as mobile networks. But how exactly do these systems work?

Modus operandi

There are two main classifications of intrusion detection systems. The first one divides the techniques of intrusion detection into two main types: anomaly and misuse detection. The anomaly detection model devises a set of statistical metrics that model the behavior of an entity, usually a user, a group of users or a host computer. The profile of a user, for instance, may include information such as the mean duration of his telnet and FTP sessions, the number of bytes transmitted in each direction, the time of day or the terminals he usually logs in from, and so on. The profile of a host computer may include the average CPU utilization, the average number of logged-in users, and so on. The IDS monitors the operation of the computer system and constantly compares the profile of, say, the current user session with the one stored in its database. If it detects a "large" deviation from the normal behavior, it signals an alarm to the system security officer. What counts as a "large" deviation is defined by a threshold set by the IDS or by the system security officer; set it too low and the officer is buried in false alarms, set it too high and a deviant session slips through. Usually the stored profiles are updated continuously in order to reflect changes in user or system behavior, which means that only sessions judged normal should be folded into a profile, or an intruder can slowly teach the system to accept his own activity. Since this model works by searching for sessions that are not normal, it is called an anomaly detection model.

The misuse detection model, on the other hand, works by searching for a set of known attacks that have been stored in the system's database. The knowledge of the attacks is encoded as a set of attack signatures, which are essentially patterns that occur every time a particular attack takes place. The way a known attack is represented to the system is an important characteristic of its operation; the variations include various types of graphs, regular expressions, and so on. The way this model works is similar to that of an anti-virus program. The implementation of such an IDS usually involves an expert system that performs the matching against the stored rule base. An obvious difficulty in this architecture is the need for constant updating of the rule base as new attack methods become known: an attack for which no signature exists goes unnoticed, which is precisely the gap the anomaly model tries to fill. Since the model operates by searching for patterns known to represent security attacks, it is referred to as a misuse detection model.
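The two models described in the last two paragraphs, run side by side over the same session records, as an added example (not code from the column, nor from any of the systems it names). The session records, the profile fields, the threshold and the attack signatures are all constructed for illustration; the impostor's session is the one from the opening story, and a third session shows an attack that matches no signature but still trips the anomaly model.

```python
"""Anomaly detection and misuse detection over the same FTP session records.

Added example; it is not code from the column or from any IDS it names.
The session records, the profile fields and the attack signatures below are
constructed for illustration only.
"""
import math
import re
import statistics
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    hour: int                 # local hour of day at login (0-23)
    bytes_out: int            # bytes sent from the monitored host to the peer
    commands: list = field(default_factory=list)   # FTP commands seen in the session


# Constructed "normal" sessions of one user, used to build his profile.
TRAINING = [
    Session("boss", 9, 12000), Session("boss", 10, 15000),
    Session("boss", 11, 9000), Session("boss", 14, 14000),
    Session("boss", 9, 11000), Session("boss", 10, 13000),
    Session("boss", 15, 10000), Session("boss", 11, 16000),
]


class Profile:
    """Statistical profile of one user: volume mean/variance and usual login hours."""

    def __init__(self, training):
        vols = [s.bytes_out for s in training]
        self.mean = statistics.mean(vols)
        self.var = statistics.pvariance(vols) or 1.0   # guard against a constant history
        self.hours = {s.hour for s in training}

    def zscore(self, bytes_out):
        """Distance of a volume from the mean, in standard deviations."""
        return abs(bytes_out - self.mean) / math.sqrt(self.var)

    def update(self, session, alpha=0.1):
        """Fold a session judged normal into the profile (exponentially weighted),
        so the profile follows slow drift in the user's habits. Only sessions that
        raised no alarm should be folded in; otherwise an intruder can gradually
        train the profile to accept his own behaviour."""
        diff = session.bytes_out - self.mean
        self.mean += alpha * diff
        self.var = (1 - alpha) * self.var + alpha * diff * diff
        self.hours.add(session.hour)


def anomaly_detect(profile, session, threshold=3.0):
    """Anomaly model: return the reasons a session deviates from the profile."""
    reasons = []
    z = profile.zscore(session.bytes_out)
    if z > threshold:
        reasons.append(f"volume {session.bytes_out} is {z:.1f} sd from mean {profile.mean:.0f}")
    if session.hour not in profile.hours:
        reasons.append(f"login at hour {session.hour}, usual hours {sorted(profile.hours)}")
    return reasons


# Misuse model: known attacks encoded as regular expressions over the command stream.
# Constructed signatures; a real rule base holds many more and needs regular updates.
SIGNATURES = {
    "passwd-file-retrieval": re.compile(r"^RETR\s+\S*(passwd|shadow)\b", re.IGNORECASE),
    "root-login-attempt": re.compile(r"^USER\s+root\s*$", re.IGNORECASE),
}


def misuse_detect(session):
    """Misuse model: return (signature name, command) for every matching command."""
    return [(name, cmd) for cmd in session.commands
            for name, pat in SIGNATURES.items() if pat.search(cmd)]


def classify(profile, session):
    """Run both detectors; a session is suspicious if either model says so."""
    return {"anomaly": anomaly_detect(profile, session), "misuse": misuse_detect(session)}


# Constructed sessions to classify.
IMPOSTOR = Session("boss", 2, 250000, ["USER boss", "RETR /etc/passwd"])          # known attack, and abnormal
NORMAL = Session("boss", 10, 13000, ["USER boss", "RETR quarterly-report.doc"])  # nothing to see
NOVEL = Session("boss", 23, 200000, ["USER boss", "RETR customers.db"])          # no signature, but abnormal

if __name__ == "__main__":
    profile = Profile(TRAINING)
    for label, s in [("impostor", IMPOSTOR), ("normal", NORMAL), ("novel", NOVEL)]:
        print(label, classify(profile, s))
```

The impostor's session is caught by both models, the normal one by neither, and the novel data theft only by the anomaly model; that is the complementarity the text describes, and why many systems (NID among those listed below) run both.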

The second classification is based on whether the IDS monitors activity on a single host or on multiple hosts interconnected by a network. The original intrusion detection systems examined the audit data of a single machine and derived their conclusions solely from that information. Consequently, they could not detect attacks orchestrated from many sources, or attacks that span multiple machines in a network. Furthermore, they rely heavily on the logs provided by the underlying operating system, which renders them architecture-dependent and more vulnerable to Denial of Service attacks against the IDS itself, since an intruder may manage to delay the logging mechanism, or even turn it off altogether. An efficient alternative is offered by the IDSs that passively monitor the network for suspicious activity. Since they depend solely on the ubiquitous TCP/IP protocol suite, they are largely architecture-independent and can monitor heterogeneous networks quite naturally. And with the current trend towards global internetworking, almost every security attack involves the network to some degree. The trade-off is that a network monitor sees only the traffic passing the segment it is attached to, and cannot look inside encrypted payloads. Another issue faced by most architectures today is scalability. Monolithic or distributed IDSs that collect the audit data and transmit all of it to a central host for processing are incapable of operating in a large enterprise network with a vast number of hosts. The solution to this problem involves building the IDS as a layered architecture. Every node in that model aggregates the audit data it receives from the lower layers and passes a summarized form to the upper layer. Thus the actual detection of an intrusion can occur at any layer, with the simpler decisions taken at a lower layer and the more advanced ones, such as correlating activity across many hosts, at a higher layer.
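The layered architecture of the previous paragraph, as an added example (not code from the column, nor from NADIR, DIDS or GrIDS): each host sensor parses its own audit trail, raises the alarms it can decide locally, and sends only a summary upward; the aggregator, which never sees a raw log line, correlates the summaries and detects a coordinated login sweep that stays below every single host's threshold. The syslog-style audit lines and both thresholds are constructed assumptions.

```python
"""Layered (hierarchical) intrusion detection over audit data from several hosts.

Added example; it is not code from the column or from NADIR, DIDS or GrIDS.
The syslog-style audit lines below are constructed for illustration, and the
thresholds are arbitrary assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed audit trails, one list per host. 10.0.5.7 tries root on every host,
# but only once or twice each; 192.168.3.9 hammers a single host.
HOST_LOGS = {
    "alpha": [
        "Dec 14 02:11:03 alpha login[412]: FAILED LOGIN 1 FROM 10.0.5.7 FOR root",
        "Dec 14 02:11:09 alpha login[412]: FAILED LOGIN 2 FROM 10.0.5.7 FOR root",
        "Dec 14 09:02:41 alpha login[530]: LOGIN ON ttyp1 BY jsmith",
    ],
    "beta": [
        "Dec 14 02:11:15 beta login[221]: FAILED LOGIN 1 FROM 10.0.5.7 FOR root",
        "Dec 14 02:11:20 beta login[221]: FAILED LOGIN 2 FROM 10.0.5.7 FOR root",
    ],
    "gamma": [
        "Dec 14 02:11:27 gamma login[318]: FAILED LOGIN 1 FROM 10.0.5.7 FOR root",
        "Dec 14 03:40:02 gamma login[355]: FAILED LOGIN 1 FROM 192.168.3.9 FOR admin",
        "Dec 14 03:40:05 gamma login[355]: FAILED LOGIN 2 FROM 192.168.3.9 FOR admin",
        "Dec 14 03:40:08 gamma login[355]: FAILED LOGIN 3 FROM 192.168.3.9 FOR admin",
        "Dec 14 03:40:11 gamma login[356]: FAILED LOGIN 1 FROM 192.168.3.9 FOR admin",
        "Dec 14 03:40:14 gamma login[356]: FAILED LOGIN 2 FROM 192.168.3.9 FOR admin",
        "Dec 14 03:40:17 gamma login[356]: FAILED LOGIN 3 FROM 192.168.3.9 FOR admin",
    ],
    "delta": [
        "Dec 14 02:11:33 delta login[117]: FAILED LOGIN 1 FROM 10.0.5.7 FOR root",
        "Dec 14 08:15:00 delta login[201]: LOGIN ON console BY operator",
    ],
}

FAILED = re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR (\S+)")


def host_sensor(hostname, lines, local_threshold=5):
    """Lower layer: one sensor per host. It reads the raw audit trail, raises the
    alarms it can decide on its own, and passes only a compact summary upward."""
    failures = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
    alarms = [f"{hostname}: {n} failed logins from {src}"
              for src, n in failures.items() if n >= local_threshold]
    return {"host": hostname, "failed_by_source": dict(failures), "alarms": alarms}


def aggregator(summaries, host_threshold=3):
    """Upper layer: never sees raw lines, only per-host summaries. It can see what
    no single host can: one source probing many hosts a few times each."""
    hosts_by_source = defaultdict(set)
    for s in summaries:
        for src in s["failed_by_source"]:
            hosts_by_source[src].add(s["host"])
    sweeps = {src: sorted(hosts) for src, hosts in hosts_by_source.items()
              if len(hosts) >= host_threshold}
    alarms = [a for s in summaries for a in s["alarms"]]       # local alarms forwarded upward
    for src, hosts in sorted(sweeps.items()):
        alarms.append(f"login sweep from {src} across {len(hosts)} hosts: {', '.join(hosts)}")
    return {"sweeps": sweeps, "alarms": alarms}


def run(host_logs=HOST_LOGS):
    """Wire the layers together: one sensor per host, one aggregator above them."""
    summaries = [host_sensor(host, lines) for host, lines in host_logs.items()]
    return aggregator(summaries)


if __name__ == "__main__":
    for alarm in run()["alarms"]:
        print(alarm)
```

Note what crosses the wire between layers: a per-source failure count per host, not the audit trail, which is what lets the scheme scale; and note that 10.0.5.7 never trips a host-level alarm, so a collection of stand-alone host IDSs would have reported only the noisy attacker on gamma.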

IDS products

Besides the intrusion detection systems presented above, that have made significant contributions to the ongoing research in the field, there are some other commercial or free products that deserve our attention. For those who are interested, a more in-depth analysis of these products can be found elsewhere.

ISS RealSecure by Internet Security Systems is probably the best-known intrusion detection system on the market. Its operation is similar to that of the Network Security Monitor mentioned earlier: it is connected to the network and listens to all the traffic passing through, searching for matches against the patterns it is configured to look for. It can monitor TCP, UDP and ICMP traffic, and when a match is found, countermeasures can be taken. The announced bundling of the product with CheckPoint's Firewall-1 should make it one of the best-selling security products on the market.

CyberCop by Network Associates is another product that follows the NSM paradigm. Its operation follows that of ISS RealSecure at the detection level, but its architecture is a more distributed one. The system is composed of a number of sensors scattered among the network nodes and a management server that collects the intrusion reports sent by the sensors. When an intrusion is detected, the management server presents an elaborate but concise description of the event to the security manager, who can deal with the problem. CyberCop has the advantage of being backed by one of the largest companies in the software business today, and especially in the field of security.

Bro is an IDS developed at the Lawrence Berkeley National Laboratory. Its source code is freely available and its architecture is a modular one. The event engine is separated from the policy script interpreter, which dictates the policy implemented through Bro's own scripting language. The event engine is designed to be capable of monitoring network links of 100 Mbps and more, indicating that performance has been emphasized throughout its design.

NID is another freely available IDS. It is installed on a dedicated system from which it monitors network traffic. It searches both for known attack signatures and for deviations from normal behavior inside the network. When an intrusion is detected, the security manager is notified.

Standardization efforts

Despite the fact that intrusion detection systems have not been around for long, there have already been efforts to standardize the design of an IDS and, perhaps more importantly, the way systems from different vendors interoperate. The first such effort has been the design of the Common Intrusion Detection Framework (CIDF). As the members of the group put it, "the Common Intrusion Detection Framework is an effort to develop protocols and application programming interfaces so that Intrusion Detection research projects can interoperate, and so that components of them can be reused in other systems". This effort has been followed by the formation of the Intrusion Detection Working Group (IDWG) of the IETF, with the task of providing a common way of intercommunication between IDSs of different vendors. The IDWG is currently in the process of finalizing a set of requirements that will be submitted to the IETF as an Internet Draft later on.

Conclusions

It should be clear after this brief tour of the field of intrusion detection that this relatively new approach to the issue of security in computer systems has a lot of potential. It is based on a quite reasonable assumption: no matter how well we configure our firewalls and set up our systems, we cannot be certain that an intrusion will never take place. Therefore, it is of great importance for a security officer to be able to detect an intrusion attempt, preferably while it is happening. But even when the detection comes after the attack has already occurred, it is usually desirable to be able to identify the guilty party and assess the damage done. Furthermore, should the victim decide to take legal action against the intruder, the event analysis provided by an intrusion detection system will prove invaluable.

If the research community keeps putting effort into solving the problems that still remain, intrusion detection systems will become as ubiquitous as firewalls are today.

References

[1] James P. Anderson, "Computer Security Threat Monitoring and Surveillance", Technical report, James P. Anderson Co., Fort Washington, PA., April 1980.

[2] Dorothy E. Denning, "An intrusion-detection model", IEEE Transactions on Software Engineering, vol. SE-13, pp. 222-232, February 1987.

[3] M. W. Eichin, J. A. Rochlis, "With microscope and tweezers: An analysis of the Internet worm of November 1988", Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA., May 1989.

[4] Teresa Lunt et al., "IDES: The enhanced prototype", Technical report, SRI International, Computer Science Lab, October 1988.

[5] D. Anderson, T. Frivold, A. Valdes, "Next-generation intrusion detection expert system (NIDES)", Technical report, SRI-CSL-95-07, SRI International, Computer Science Lab, May 1995.

[6] S. E. Smaha, "Haystack: An Intrusion Detection System", Proceedings of the IEEE Fourth Aerospace Computer Security Applications Conference, Orlando, FL., December 1988.

[7] M. Sebring et al., "Expert systems in intrusion detection: A case study", Proceedings of the 11th National Computer Security Conference, Baltimore, MD., October 1988.

[8] H. S. Vaccaro, G. E. Liepins, "Detection of anomalous computer session activity", Proceedings of the 1989 Symposium on Research in Security and Privacy, Oakland, CA., May 1989.

[9] J. R. Winkler, W. J. Page, "Intrusion and Anomaly Detection in Trusted Systems", Proceedings of the Fifth Annual Computer Security Applications Conference, Tucson, AZ., December 1989.

[10] L. T. Heberlein et al., "A network security monitor", Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA., May 1990.

[11] K. Jackson, D. DuBois, C. Stallings, "An expert system application for network intrusion detection", Proceedings of the 14th Department of Energy Computer Security Group Conference, 1991.

[12] S. R. Snapp et al., "A system for distributed intrusion detection", Proceedings of the IEEE COMPCON 91, San Francisco, CA., February 1991.

[13] Mark Crosbie, Gene Spafford, "Defending a Computer System using Autonomous Agents", Technical report No. 95-022, COAST Laboratory, Department of Computer Sciences, Purdue University, March 1994.

[14] S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, D. Zerkle, "GrIDS -- A Graph-Based Intrusion Detection System for Large Networks", The 19th National Information Systems Security Conference, Baltimore, MD., October 1996.

[15] Ross Anderson, Abida Khattak, "The Use of Information Retrieval Techniques for Intrusion Detection", Proceedings of RAID '98, Louvain-la-Neuve, Belgium, September 1998.

[16] Didier Samfat, Refik Molva, "IDAMN: An Intrusion Detection Architecture for Mobile Networks", IEEE Journal on Selected Areas in Communications, vol. 15, No. 7, September 1997.

[17] Biswanath Mukherjee, L. Todd Heberlein, Karl N. Levitt, "Network Intrusion Detection", IEEE Network, May/June 1994.

[18] Dario Forte, "Intrusion detection systems", ;login:, vol. 24, No. 1, February 1999.

Panagiotis Astithas, past@netmode.ntua.gr