Scalable Intrusion Detection System for Rapid Global Detection of Network Attacks
Small Business Information
27 Via Porto Grande, Rancho Palos Verdes, CA, 90275
Abstract
Current ultra-high-speed networks carry massive aggregate data flows that must be monitored and processed to detect and counteract intrusions. The problem is further compounded by the sheer number and complexity of attacks. As a result, the challenges of intrusion detection in ultra-high-speed networks are outstripping our ability to detect, track, fuse, and interpret them. This project will develop a distributed anomaly-based intrusion detection system, consisting of sensing nodes for local (e.g., host-level) detection and fusion nodes to combine the output from the sensing nodes. Advanced statistical methods will be used to identify hidden patterns and to optimize the operating characteristics of the intrusion detection system. In Phase I, a novel detection system was developed that detects attacks with minimal delay for a given (low) false alarm rate at extremely high data rates. An adaptive parallel architecture allowed efficient auto-selection of the best possible configuration under existing conditions, thereby reducing susceptibility to a changing environment. The algorithms were evaluated using asymptotic analysis, Monte Carlo experiments, and deployment in a testbed. Phase II will: (1) develop statistical methods for an efficient, anomaly-based local detector with a low false alarm rate, as well as a hybrid anomaly-signature local detector with profiling capability; (2) develop an architecture for the distributed deployment of detectors, along with fusion algorithms to combine their outputs for network-level detections; (3) design and implement sensor and fusion nodes using commercial-off-the-shelf technologies; and (4) develop a laboratory testbed to support implementation and testing.
Commercial Applications and other Benefits as described by the awardee
The new intrusion detection system should be of particular relevance to DOE networks that support large-scale science applications. Advantages over existing systems include an increased probability of detecting unknown attacks, a lower false alarm rate, and a shorter detection time.
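The sensing-node / fusion-node architecture and the "minimal delay at a given false alarm rate" objective described above map onto the classical quickest-detection setting. The following is an added illustration, not the awardee's code: each sensing node runs a CUSUM statistic on a per-host event rate, and a fusion node sums the local statistics so that weak evidence at several hosts still produces a timely network-level alarm. The Gaussian mean-shift model, the thresholds, and the sample traffic series are all assumptions constructed for the example.

```python
# Added example (not the project's code). A sensing node runs a CUSUM-style
# quickest detector on a per-host event rate; a fusion node sums the local
# statistics at each time step. Gaussian mean-shift model and data are assumed.
import math

def llr_gaussian_shift(x, mu0, mu1, sigma):
    """Log-likelihood ratio of one sample under N(mu1, sigma) vs N(mu0, sigma)."""
    return (mu1 - mu0) / sigma**2 * (x - (mu0 + mu1) / 2)

def cusum_path(samples, mu0, mu1, sigma):
    """Page's CUSUM statistic S_t = max(0, S_{t-1} + LLR_t); one value per sample."""
    s, path = 0.0, []
    for x in samples:
        s = max(0.0, s + llr_gaussian_shift(x, mu0, mu1, sigma))
        path.append(s)
    return path

def threshold_for_arl(mean_samples_between_false_alarms):
    """Lorden's bound: with h = ln(T) the expected time to a false alarm is at least T."""
    return math.log(mean_samples_between_false_alarms)

def first_crossing(path, h):
    """Index of the first statistic >= h, or None if the node never alarms."""
    return next((t for t, s in enumerate(path) if s >= h), None)

def fuse_sum(paths, h):
    """Fusion node: sum the local statistics per time step, then apply the threshold."""
    fused = [sum(step) for step in zip(*paths)]
    return first_crossing(fused, h)

# Constructed per-second connection counts: baseline about 10, shift to about 14 from t=10.
MU0, MU1, SIGMA = 10.0, 14.0, 2.0
BASELINE = [10, 11, 9, 10, 12, 8, 10, 11, 10, 9]
NODE_A = BASELINE + [14, 15, 13, 16, 14, 15]  # clear shift: alarms locally
NODE_B = BASELINE + [11, 10, 12, 9, 10, 11]   # no shift: never alarms
NODE_C = BASELINE + [13, 13, 13, 13, 13, 13]  # weak shift: below local threshold

def run_demo(target_arl=1000):
    """Return local alarm times per node and the fused alarm time for one threshold."""
    h = threshold_for_arl(target_arl)
    paths = [cusum_path(n, MU0, MU1, SIGMA) for n in (NODE_A, NODE_B, NODE_C)]
    return {"local": [first_crossing(p, h) for p in paths], "fused": fuse_sum(paths, h)}

if __name__ == "__main__":
    print(run_demo())  # {'local': [13, None, None], 'fused': 11}
```

Node C's shift is too weak to cross the local threshold on its own, yet the fusion node alarms two samples earlier than the strongest local detector because it pools evidence across hosts; raising `target_arl` lowers the false alarm rate at the cost of a later alarm.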
* information listed above is at the time of submission.