A Distributed Scalable Intrusion Detection System for Rapid Detection of Insider Attacks
Small Business Information
28119 Ridgefern Court, Rancho Palos Verdes, CA, 90275
Abstract

Rapid response, minimal false alarm rate, and the capability to detect a wide spectrum of attacks are the crucial features of intrusion detection systems. The ultimate goal of this effort is to develop an integrated general framework for rapid detection of insider attacks for simultaneous defense of information systems on all required levels, which range from small local sub-networks to global distributed enterprise networks. In Phase I, the feasibility of our approach to rapid detection of internal attacks was demonstrated. In Phase II, we will further develop, implement, and test advanced statistical methods for defense against cyber-terrorism in high-speed computer networks. Powerful statistical techniques, such as adaptive change-point detection methods, hidden Markov models, and statistical learning, will be exploited in order to develop an optimized global distributed intrusion detection system that overcomes the major drawbacks and limitations of current detection systems. This system will have an adaptive, re-configurable structure that utilizes auto-tuning and auto-selection procedures for optimal configuration, reducing susceptibility to changes in environment. We will use collected data to tune and to optimize the detection system and to test the prototype using state-of-the-art testbeds. Prototype software will be delivered and demonstrated at the end of Phase II.

This effort will develop robust, mathematically rigorous, and, in certain senses, statistically optimal defense techniques. The development will be carried out in a generic way so that these methods can be readily adapted to any insider intrusion defense implementation. As a result, this work will significantly increase the likelihood that an effective defense system will be developed.
We anticipate that this system, which is based on the advanced change-point detection method, will offer crucial improvements, specifically increased detection probability for unknown attacks, lower false alarm rates, and lower detection times, when compared to existing systems. We also anticipate that the distributed, scalable configuration will offer further improvements in overall performance in terms of lowering false alarm rates and increasing detection capabilities at high data rates.

The successful completion of this program will result in the commercialization of the most advanced algorithm available for rapid detection of attacks in government, commercial and enterprise networks. The developed intrusion detection software will be particularly effective in protecting these networks against insider threats. The complete software package can also be used by financial institutions in order to increase the security of their existing networks.
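The abstract names change-point detection as the core of the proposed detector and frames its benefit as a trade-off between detection delay and false alarm rate. The following is an added illustration, not code from the proposal or its authors: Page's one-sided CUSUM statistic run over a constructed per-minute event-count stream (for example, sensitive-file reads by one account), with the decision threshold varied to show how it moves detection delay against false alarms. The data, the model parameters (baseline mean MU0, post-change mean MU1, spread SIGMA) and the Gaussian mean-shift model are assumptions made for the example; the proposal's own adaptive and distributed methods are not reproduced here.

```python
"""Added illustration (not from the proposal): Page's CUSUM change-point detector
applied to a constructed event-count stream, showing how the alarm threshold
trades detection delay against false alarms."""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class Evaluation:
    false_alarms: int               # alarms raised before the true change point
    detection_delay: Optional[int]  # samples from change point to first alarm; None if missed


def llr_increment(x: float, mu0: float, mu1: float, sigma: float) -> float:
    """Log-likelihood ratio of one Gaussian sample under mean mu1 versus mean mu0
    (common variance sigma**2). Positive when x looks more like the post-change
    regime, negative when it looks like normal behaviour."""
    return (mu1 - mu0) / (sigma ** 2) * (x - (mu0 + mu1) / 2.0)


def cusum_alarms(stream: Sequence[float], mu0: float, mu1: float,
                 sigma: float, threshold: float) -> List[int]:
    """Run the one-sided CUSUM over the stream and return the indexes at which it
    alarms. The statistic accumulates evidence for a shift from mu0 to mu1, is
    clipped at zero so long normal stretches build up no negative credit, and is
    reset to zero after each alarm so the detector keeps running."""
    s = 0.0
    alarms: List[int] = []
    for i, x in enumerate(stream):
        s = max(0.0, s + llr_increment(x, mu0, mu1, sigma))
        if s >= threshold:
            alarms.append(i)
            s = 0.0
    return alarms


def evaluate(alarms: Sequence[int], change_point: int) -> Evaluation:
    """Count alarms before the known change point as false alarms and measure the
    delay to the first alarm at or after it."""
    false_alarms = sum(1 for a in alarms if a < change_point)
    detected = [a for a in alarms if a >= change_point]
    delay = detected[0] - change_point if detected else None
    return Evaluation(false_alarms, delay)


# Constructed data (not real measurements): 30 minutes of normal activity with a
# short legitimate burst at indexes 14-15, followed by 10 minutes in which the
# monitored account's activity shifts to a higher level.
BASELINE = [2, 1, 3, 2, 2, 1, 3, 2, 1, 2,
            2, 3, 1, 2, 4, 5, 2, 1, 3, 2,
            1, 2, 3, 2, 2, 1, 2, 3, 2, 1]
INSIDER = [4, 5, 6, 5, 7, 6, 5, 4, 6, 5]
STREAM = BASELINE + INSIDER
CHANGE_POINT = len(BASELINE)  # index 30

# Assumed model parameters. In a deployed detector mu0 and sigma would be
# estimated from a training window of normal traffic (the "auto-tuning" the
# abstract refers to) and mu1 chosen as the smallest shift worth detecting.
MU0, MU1, SIGMA = 2.0, 5.0, 1.0


def compare_thresholds(thresholds: Sequence[float]) -> dict:
    """Return {threshold: Evaluation} for the constructed stream."""
    return {h: evaluate(cusum_alarms(STREAM, MU0, MU1, SIGMA, h), CHANGE_POINT)
            for h in thresholds}


if __name__ == "__main__":
    for h, ev in compare_thresholds((5.0, 10.0)).items():
        alarms = cusum_alarms(STREAM, MU0, MU1, SIGMA, h)
        print(f"threshold={h:>4}: alarms at {alarms}, "
              f"false alarms={ev.false_alarms}, delay={ev.detection_delay}")
```

With the low threshold the legitimate burst at indexes 14-15 pushes the statistic over the line and produces a false alarm, but the shift at index 30 is caught one sample later; with the higher threshold the burst is absorbed and the shift is still caught after two samples. Because the statistic resets after each alarm, a sustained shift keeps producing alarms, which is the behaviour an analyst would expect while the activity persists.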
* information listed above is at the time of submission.