Welcome to the ids mailing list! If you ever want to remove yourself from this mailing list, you can send mail to "majordomo@wyrm.cc.uow.edu.au" with the following command in the body of your email message:

    unsubscribe ids idsnews@msr.epm.ornl.gov

Here's the general information for the list you've subscribed to, in case you don't already have it:

[Last updated on: Sat Mar 25 3:23:02 1995]

  +================================================+
  ||    I N T R U S I O N   D E T E C T I O N     ||
  ||             S Y S T E M S                    ||
  +=== M A I L I N G =========== L I S T ==========+

Welcome to the Intrusion Detection Systems Mailing List. The list is a forum for discussions on topics related to the development of intrusion detection systems. Possible topics include:

  * techniques used to detect intruders in computer systems and computer networks
      + audit collection/filtering
      + subject profiling
      + knowledge based expert systems
      + fuzzy logic systems
      + neural networks
  * methods used by intruders (known intrusion scenarios)
      + CERT advisories
      + scripts and tools used by hackers
  * computer system policies
  * universal intrusion detection system

---- IRC Conferences ----

Additionally, discussion sessions can be organized via IRC. The intrusion detection channel on IRC is #ids. As well as the organized sessions you can drop in anytime; there may be someone around to have a chat with. For those not familiar with IRC I would suggest getting the IRC FAQ from the usenet newsgroup news.answers.

---- Using the Mailing List ----

Majordomo list management software is being used to run the forum. If you haven't used majordomo mailing lists before I suggest you obtain the "help" file. The help file will give a description of the commands supported by this version and the syntax required.
This is done by sending:

  --> To:      majordomo@uow.edu.au
  --> Subject: (not important)
  --> Body:    help

All commands are handled by the above address. NOTE: mail for the list is not to be sent to the above address. Mail for the ids mailing list should be directed to:

  --> To:      ids@uow.edu.au
  --> Subject: please try to give appropriate subject names
  --> Body:    message for the forum

Also, information on subscribing and unsubscribing to the ids mailing list can be retrieved by mailing to "ids-request@uow.edu.au" with body "help". If you need to discuss any additional ideas related to the services of the mailing list you can send mail to the list maintainer by sending:

  --> To:      ids-owner@uow.edu.au

Please try to only send mail in regard to problems or ideas related to the running of the mailing list.

---- Introduction to Intrusion Detection Systems ----

The growth of usage of and reliance on computer systems has been phenomenal; at no other time in history has any single development progressed near to the explosive rate of computers. Today we see the computer being adopted in almost every field, due to the increased benefits in productivity associated with using computers. However, this rapid growth has often meant adopting strategies that are the quickest to implement and simplest to maintain. Often we find systems have been implemented without any concern for establishing sound security and privacy strategies. Also, the lack of human resources and funds has, in a lot of cases, meant that the system administrator job was shared amongst users or given to the person with the most computer experience, and therefore it is not uncommon to find that there is no dedicated system security officer; it is usually just another component of the already overworked system administrator's job. There have been many stories of hackers reported in the news over the years, some more true than others.
We have seen this in very dramatized movies such as Wargames, where a student broke into a computer system and nearly caused the destruction of the earth by "Thermonuclear War", because this bright young hacker had decided that he wanted to "play a game". This cult movie alone has been credited by some with inspiring a whole new generation of system hackers or, as the older generation of hackers prefer, "crackers". Then there was Sneakers, a movie that revolved around a tiger team whose job was to test the security of banks by attempting to break into them. Later they were hired to steal a powerful decryption box that was able to decipher all American encryption systems. Though such movies are highly fictional [ mmmm *Clipper* - doh ], there have been the all too real accounts. One such account is outlined in Cliff Stoll's "The Cuckoo's Egg". Stoll had been asked to account for a 75c discrepancy in the system accounting. Later, while tracking down this discrepancy, he found that someone was hacking into his computer system by using other people's accounts. Eventually, Stoll traced this hacker back to a group of German hackers who were using his computers to break into US military sites, looking for information they could sell to the KGB. Another is the "Internet Worm", a program that spread across the Internet by exploiting somewhat known security holes, later found to have been released by a student from Cornell University (rtm). It was estimated that the worm was responsible for some 4000 BSD and VAX based systems coming to a halt, costing some US$10+ million in lost computer time. These incidents, along with countless others, highlight the need for increased computer security. However, the solution isn't a simple one, for "UNIX was not developed with security, in any realistic sense, in mind".
Intrusion Detection Systems are a recent development in the effort to overcome some of the classical problems inherent to computer systems. These intrusion detection systems attempt to ensure correct usage of the computer system by monitoring users through the system audit trail. The early idea of detecting threats by means of audit trail analysis was proposed by J. Anderson. In his report, Anderson categorized threats into internal penetrators (which included masquerading and clandestine users) and external penetrators. While most reporting has been about the external computer "hackers", it is really the internal penetrators that have been the cause of most security incidents. Later models were developed for performing intrusion detection by the use of expert systems and subject profiling, with the majority of early work being carried out by Sytek and SRI International in the development of computer algorithms and later the Intrusion Detection Expert System and Next-generation Intrusion Detection Expert System, for the automatic analysis of computer audit records to detect abnormal or suspicious computer usage. Many other systems have been and are still being developed, as follows.
---- Intrusion Detection Systems ----

  Saturne
  Discovery
  Network Auditing Usage Reporting System (NAURS)
  Intrusion Detection Expert System (IDES)
  Next-generation Intrusion Detection Expert System (NIDES)
  Wisdom and Sense (W&S)
  Compartment Mode Workstation (CMW)
  Network Intrusion Detection eXpert (NIDX)
  Haystack
  Multics Intrusion Detection and Alerting System (MIDAS)
  Network Anomaly Detection and Intrusion Reporter (NADIR)
  Computer Watch (CW)
  Clyde Digital Systems Audit (CDSA)
  Information Security Officer Assistant (ISOA)
  Minos
  Time-based Inductive Learning (TIM)
  Network Security Monitor (NSM)
  Distributed Intrusion Detection System (DIDS)
  Network Intrusion Countermeasure Engineering (NICE)
  Intrusion Detection Alert (IDA)
  State Transition Analysis Tool and Unix State Transition Analysis Tool (STAT/USTAT)
  SecureNet (SN)
  Stalker
  Polycenter Security Intrusion Detector (PSID)
  Computer Misuse Detection System (CMDS)
  Advanced Security audit trail Analysis on uniX (ASAX)
  Security Administrator Tool for Analyzing Networks (SATAN)

---- Joining Requests ----

When joining the list I ask you to briefly introduce yourself and give an outline of your interest in intrusion detection systems: whether you are developing an intrusion detection system, or are a system administrator or student who is currently investigating or developing a system. Additionally you might want to express some personal ideas that you have about what you think an intrusion detection system ideally should be.

---- References & Papers ----

For those that are looking for some reference material I will be posting a bibliography and some hints to finding some material; if you have any material on the topic please inform the list or me. I would like to use this for the development of a FAQ for the list.
Additionally, if you have any electronic copies of papers on intrusion detection systems in PostScript, TeX/LaTeX or whatever format, then you might want to post them to the list (if large, please send it to me and send a brief notice to the list). Hopefully I will get around to setting up the ftp site to maintain archives of the list, the list FAQ and any papers on ids that are submitted to the list.

---- Important Note ----

One final note: if you want to mail to the list be sure to mail to:

  ids@uow.edu.au

*Warning* if you are replying to mail from the list it will be directed to the list (due to Reply-to: fields being automatically inserted), not to the author of the mail, which may have been the intention. So to reply to the author of the message just edit the To: field before sending the mail.

majordomo@uow.edu.au is for commands for list management functions; if you are unsure of the syntax just mail with "help" in the body of the message.

An ftp site and www home page are under construction for the list.

--=== RuF LiNuX SPi===--