A phased approach to network intrusion detection

1991 
This paper describes the design and development of a prototype intrusion detection system for the Los Alamos National Laboratory's Integrated Computing Network (ICN). The development of this system is based on three basic assumptions: (1) that statistical analysis of computer system and user activities may be used to characterize normal system and user behavior, and that, given the resulting statistical profiles, behavior which deviates beyond certain bounds can be detected; (2) that expert system techniques can be applied to security auditing and intrusion detection; and (3) that successful intrusion detection may take place while monitoring a limited set of network activities. The design intent of the Network Anomaly Detection and Intrusion Reporter (NADIR) was to duplicate and improve the audit record review activities which had previously been undertaken by security personnel, replacing the manual review of audit logs with a near real-time expert system.