Researchers take "Intrution detection" to a much more dynamic level

Professor Gihan V. Dias of the Department of Computer Science and Engineering , University of Moratuwa, has been involved in the development of a prototype of DIDS(Distributed Intrusion Detection Systems); an architecture to minimize intrusion attacks on computer systems addressing the much neglected Network-user Identification problem, which is concerned with tracking a user moving across the network,possibly with a new user-id on each computer.

Intrusion detection is the problem of identifying unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators. The increased connectivity of computer systems gives greater access to outsiders, and makes it easier for intruders to avoid detection.

 IDS’s are based on the belief that an intruder’s behavior will be noticeably different from that of a legitimate user. In the new design, the researches have come up with a unique prototype which combines distributed monitoring and data reduction (through individual host and LAN monitors) with centralized data analysis (through the DIDS director) to monitor a heterogeneous network of computers.

Initial system prototypes have provided quite favorable results on this problem and the detection of attacks on a network.

The paper is published on the topic by Steven R. Snapp, James Brentano, Gihan V. Dias, Terrance L. Goan, L. Todd Heberlein, Che-Lin Ho, Karl N. Levitt, Biswanath Mukherjee, Stephen E. Smaha, Tim Grance, Daniel M. Teal, and Doug Mansur provides an overview of the motivation behind DIDS, the system architecture and capabilities, and a discussion of the early prototype.

Moreover, the research had considered the different types of Intruding patterns commonly followed and how each method can be detected properly and flagged. The researchers have considered different scenarios:The doorknob attack is where the intruder’s goal is to discover, and gain access to, insufficiently-protected hosts on a system. The intruder generally tries a few common account and password combinations on each of a number of computers. These attacks ,given the simplicity has high success rates.

Even if the behavior is recognized as an attack on the individual host, current IDS’s are generally unable to correlate reports from multiple hosts; thus they cannot recognize the doorknob attack as such. Because DIDS aggregates and correlates data from multiple hosts and the network, it is in a position to recognize the doorknob attack by detecting the pattern of repeated failed logins even though there may be too few on a single host to alert that host’s monitor.

An intruder gaining access to a computer using a guest account which does not require a password, can also be given as another scenario. Once the attacker had access to the system, he exhibited behavior which would have alerted most existing IDS’s (e.g., changing passwords and failed events). In an incident such as this, DIDS would not only report the attack, but may also be able to identify the source of the attack.

Network browsing, is a  scenario presenting a key challenge for DIDS: the tradeoff  between sending all audit records to the director versus missing attacks because thresholds on each host are not exceeded.

In addition to the specific scenarios ,a number of general ways that an intruder can use the connectivity of the network to hide his trail and to enhance his effectiveness , including the chain and parallel attacks are combated by DIDS using the very same connectivity to help track and detect the intruder.

The DIDS architecture combines distributed monitoring and data reduction with centralized data analysis.

This approach is unique among current IDS’s.

This Distributed Intrusion Detection System (DIDS) is being developed to address the shortcomings of current single host IDS’s by generalizing the target environment to multiple hosts connected via a network (LAN). Most current IDS’s do not consider the impact of the LAN structure when attempting to monitor user behavior for attacks against the system. Intrusion detection systems designed for a network environment will become increasingly important as the number and size of LAN’s increase. The prototype has demonstrated the viability of the researched distributed architecture in solving the network-user identification problem. The system has been tested on a sub-network of Sun SPARC stations and it has correctly identified network users in a variety of scenarios. Work continues on the design, development, and refinement of rules, particularly those which can take advantage of knowledge about particular kinds of attacks. The initial prototype expert system has been written in Prolog, but it is currently being ported to CLIPS due to the latter’s superior performance characteristics and easy integration with the C programming language. Further research is being carried out to extend the model to a hierarchical Wide Area Network environment.


University of Moratuwa, a leading technological university in the region welcomes you to witness a truly unique experience!

Contact Us

  • Tel: +94 112650301 +94 112650188
  • Fax: +94112650622
  • Email: info AT