INFORMATION ASSURANCE TECHNOLOGY ANALYSIS CENTER
Information Assurance Tools Report
Winter 97/98

INTRUSION DETECTION

DISTRIBUTION STATEMENT A - Approved for public release, distribution is unlimited

IATAC
8283 Greensboro Drive, Allen 663
McLean, VA 22102-3838
703.902.3177, Fax 703.902.3425
STU-III 703.902.5869, STU-III Fax 703.902.3991
E-mail [email protected]
http://www.iatac.dtic.mil
Intelink-S: http://204.36.65.Vindex.html
Intelink: http://www.webl.rome

REPORT DOCUMENTATION PAGE (Standard Form 298, Rev. 2-89; OMB No. 074-0188)

Report date: Winter 97/98
Report type and dates covered: Winter 97/98
Title and subtitle: Information Assurance Technology Analysis Center, Information Assurance Tools Report: Intrusion Detection
Funding numbers: SPO700-97-R-0603
Author(s): IATAC
Performing organization: IATAC, 8283 Greensboro Drive, McLean, VA 22102 (report number: N/A)
Sponsoring / monitoring agency: Defense Technical Information Center, DTIC/AI, 8725 John J. Kingman Road, #0944, Ft. Belvoir, VA 22060 (report number: N/A)
Supplementary notes: none
Distribution / availability statement: Approved for Public Release; Distribution is Unlimited (Distribution Code A)
Abstract: This report provides an index of intrusion detection tool descriptions contained in the IATAC Information Assurance Tools Database. This report summarizes pertinent information, so that users can obtain a brief description of available tools and contact information. As a living document, this report will be updated periodically as additional information is entered into the Information Assurance Tools Database.
Subject terms: Intrusion Detection
Number of pages: 43
Price code: None
Security classification (report, page, abstract): Unclassified; limitation of abstract: U
NSN 7540-01-280-5500

TABLE OF CONTENTS

Introduction 2
Purpose 2
Scope 2
Database Formulation 2
Tool Collection 2
Tool Classification 3
Tool Source 4
Database Structure 5
Tool Selection Criteria 5
Results 5
Summary of Intrusion Detection Tools 6
Intrusion Detection Tools T-1 to T-43

INTRODUCTION

The Information Assurance Technology Analysis Center (IATAC) is a Department of Defense (DoD)-sponsored Information Analysis Center (IAC) that provides a central point of access for Scientific and Technical Information (STINFO) regarding Information Assurance (IA) technologies, system vulnerabilities, research and development, models and analyses. The overarching goal of the IAC is to aid in developing and implementing effective defenses against Information Warfare attacks. IATAC core functions, however, include support for user inquiries, analysis, maintenance, and growth of the IA library; IA database operations; development of technical and state-of-the-art reports; and promotional awareness activities, such as newsletters, conferences, and symposia.

IACs are staffed by scientists, engineers, and information specialists. Each IAC establishes and maintains comprehensive knowledge bases that include historical, technical, scientific, and other data and information collected worldwide. Information collections span a wide range of unclassified, limited distribution, and classified information appropriate to the requirements of sponsoring technical communities. IACs also collect, maintain, and develop analytical tools and techniques including databases, models, and simulations. Their collections and products represent intensive evaluation and screening efforts to create authoritative sources of evaluated data.

The Information Assurance Tools Database is one of the knowledge bases maintained by IATAC. The Information Assurance Tools Database hosts information on intrusion detection, vulnerability analysis, firewalls, and antivirus software applications. Information for this database is obtained via open source methods, including direct interface with various agencies, organizations, and vendors.

PURPOSE

This unclassified report provides an index of intrusion detection tool descriptions contained in the IATAC Information Assurance Tools Database. This report summarizes pertinent information, so that users can obtain a brief description of available tools and contact information. It does not endorse or evaluate the effectiveness of each tool. As a living document, this report will be updated periodically as additional information is entered into the Information Assurance Tools Database. Technical questions concerning this report may be addressed to James Green at (703) 902-4887 or [email protected].

SCOPE

Intrusion Detection is a broad field of study with elements ranging from motion sensors to real-time electronic intrusion detection systems. The International Computer Security Association (ICSA) defines Intrusion Detection as "the detection of break-ins or break-in attempts either manually or via software expert systems that operate on logs or other information available on the network." [1]

An intrusion attempt is a deliberate, unauthorized attempt to access or manipulate information or render a system unreliable or unusable. The purpose of Intrusion Detection is to decrease the potential magnitude of the compromise or prevent it altogether.

Currently the IATAC database contains descriptions of many tools that detect non-physical intrusions on digital electronic components. The database, which consists of information for 43 tools, includes commercial products, government-owned systems and research products. The database was built by gathering as much open source data as possible, analyzing that data, and summarizing information regarding the basic description and contact information for each intrusion detection tool collected. The existing database does not include pricing and availability information for all of the available tools. Generally, the commercially developed products are available to all domestic interests, while the government and academic tools are reserved for specific projects and organizations. The availability of these research tools is determined by the research group or university on an individual case basis. These tools are included in the database solely to provide information regarding existing approaches for intrusion detection.

DATABASE FORMULATION

This section discusses the approach and methodology used for identifying and collecting the selected tools, the classification of each type, tool sources and the structure of the database.

TOOL COLLECTION

Information for each tool was collected through a variety of means. In one method, the IA community was surveyed via the Internet to identify corporations, government agencies, professional organizations, and universities with involvement in Intrusion Detection. Industry professionals were also consulted for information and suggestions for identifying and collecting available tools. In cases where the accuracy, detail, or date of the information on the collected tools was questionable, the appropriate entities were contacted to validate questionable data.

TOOL CLASSIFICATION

Classification of Intrusion Detection tools in the database required that tools be assigned to one or more classes based on how they operate. The classes are not necessarily discrete; the classes may overlap in various contexts. Therefore, some of the individual classes may appear to be similar, but a distinction was made to more clearly identify the types of tools.

All of the tools share the following twofold problem:

False Positive: They must attempt to detect all intrusions while avoiding detecting nonintrusions as intrusions.

False Negative: They sometimes do not detect intrusions that, in fact, are intrusions.

The manner in which the various tools attempt to solve these two problems needs to be considered when Intrusion Detection tools are being evaluated. The Intrusion Detection tool descriptions contained in the IATAC Information Assurance Tools Database fall within one or more of the following five classes:

Anomaly Detection: Anomaly detection techniques assume that all intrusive activities are a deviation from the norm. These tools typically establish a normal activity profile and then maintain a current activity profile for a system. When the two profiles vary by statistically significant amounts, an intrusion attempt is assumed.

Attack Detection: Attack detection systems are based on the concept that there are ways to represent attacks as a pattern or a "signature" so that even variations of the same attack can be detected. These systems maintain records or representations of the actions that represent known bad behavior and identify actions on the system(s) that match the known bad behavior.

File Integrity Checking: File integrity checking systems use a cryptographic mechanism to create a unique identifier for each file to be monitored. The identifiers are then stored for future use. Either automatically or manually, the file integrity program is subsequently executed, and new unique identifiers are calculated. The new identifiers are compared with the saved version, and when a mismatch occurs, the integrity checker notifies the operator or administrator that the file has been modified or deleted. The operator or administrator may then determine if the differences indicate intrusive activity.

Misuse Detection: Misuse detection systems attempt to identify authorized users' misuse of computing resources. Such activity may include visiting unauthorized Internet sites, navigating around a system to areas that have been explicitly identified as "off-limits," or using an application for non-work-related activity. Misuse detection systems typically rely on an administrator defining activity that is considered misuse through the use of configuration files. The information in the configuration files can then be compared with activity that occurs on the system; misuse is assumed when there is a match between the two. Misuse detection differs from attack detection in that the latter focuses on identifying active attacks against a system whereas the former attempts to identify benign or intentional unauthorized system use.

System Monitoring Detection: System monitoring detection either uses available system statistics or generates its own statistical information. These statistics may be derived from various sources, such as central processing unit (CPU) usage, disk input/output (I/O), memory usage, user activity, and number of logins attempted. The statistics are sampled to determine a normal system usage profile and are continually updated to reflect the current system state. The current state is compared with the normal usage state and the Intrusion Detection System determines whether the actions that have changed the profiles/states constitute a potential intrusion.

The foregoing classifications highlight the differences among the tools. However, the methods used by the different tools are also similar in many respects. The methods listed below describe the data sources and activities that the tools use to detect intrusions. Methods that could be used by one or more of the tools include the following:

Audit-Based Detection: An audit-based detection system has two major components. One is a catalog of audited events that are considered "bad" behavior. This data could include attack profiles, suspicious activity profiles, and defined unacceptable activities. The second component is an audit trail analysis module. Audit trails form a chronological record of activities on a system. The analysis module examines the monitored system's audit trail for activity that matches activity in the catalog; when a match occurs, intrusive activity is assumed. Audit-based systems may also provide the ability to identify and track additional activity that has been performed by an individual suspected of intrusive activity.

Expert Systems Detection: Expert systems are designed to act when a given situation occurs. The system often chains such activities so that when one situation occurs, it causes an action that may result in another situation that may cause another action. This pattern could occur many times before the sequence is complete. The difference between the expert system method and the methods that use catalogs of information and match activity to entries is that the nonexpert systems compare only discrete activity to discrete information and then perform an action. Expert systems can group activities and events together to make comparisons.

Keystroke Monitoring Detection: Like audit-based detection, the keystroke monitoring technique consists of two components. Like the audit-based technique, a catalog of "bad" behavior is maintained. In this case, however, the catalog is of specific keystrokes that indicate attacks. The second component is a module that captures keystrokes as they are entered by the user and then compares them with the catalog. When entered keystrokes match a catalog entry, an intrusion is assumed.

State Transition Analysis: The State Transition Analysis technique represents the monitored system as a state transition diagram. As incoming data is analyzed, the system transitions from one state to another. A transition depends on a particular Boolean condition becoming true (for example, the user's opening a file). Intrusions are assumed when the system transitions from a safe to an unsafe state, based on known attack patterns contained in the intrusion detection tool.

TOOL SOURCE

Tools were identified from a number of sources. A representative sampling of these sources includes the following:

COMMERCIAL PRODUCT OFFERINGS
Axent Technologies
Cisco Systems
Digital Equipment Corporation
En Garde Systems
Fischer International Systems Corporation
Harris Corporation
Haystack Laboratories
Internet Security Systems
Intrusion Detection Incorporated
Los Altos Technologies
MimeStar
Network General Corporation
Science Applications International Corporation
SRI International
SUPELEC
Touch Technologies
Trident Data Systems
WheelGroup Corporation

ACADEMIA RESOURCE CENTERS
Brandenburg University of Technology at Cottbus
Carnegie Mellon University, Software Engineering Institute
Columbia University, Department of Computer Science
Curtin University of Technology
Marquette University
Massachusetts Institute of Technology
Microelectronics Center of North Carolina (MCNC)
Purdue University, Autonomous Agents
Stanford University
Texas A&M University
TU Braunschweig
University College Dublin, Security Research Group
University of California at Davis
University of California at Santa Barbara
University of Hamburg
University of Illinois
University of Namur
University of New Mexico

GOVERNMENT AND PROFESSIONAL AGENCIES AND RESEARCH CENTERS
Air Force Information Warfare Center
Defense Information Systems Agency (DISA)
Department of Energy, Computer Incident Advisory Capability (CIAC)
International Computer Security Association (ICSA)
Lawrence Berkeley National Laboratory
Lawrence Livermore National Laboratory
Los Alamos National Laboratory
National Institute of Standards and Technology (NIST)
U.S. Army Office of the Director of Information Systems for Command, Control, Communications, and Computers (ODISC4)
U.S. Navy Space and Naval Warfare Systems Command (SPAWAR)

DATABASE STRUCTURE

The fields of the database include the following:

Title: Name and abbreviation associated with the tool
Author: Developer of the tool, listed by organization (company, agency, university, etc.) and/or individual(s) associated with the development
Source: Uniform resource locator (URL) of the primary source for the abstract information
Keywords: Terms used to reference the tools using the database search engine
Contact Information: Name, organization, telephone, facsimile, email, and URL information for further tool information
Abstract: Brief description of the primary features of the tool
Bibliography: Reference sources for comments and information

TOOL SELECTION CRITERIA

The selected tools satisfy the following three criteria:

Definition: These tools satisfy the objective, approach and methodology of an Intrusion Detection Tool based upon the ICSA definition of Intrusion Detection, as described in Section 3 of this report.

Specificity to Intrusion Detection: The primary function of these tools is Intrusion Detection, not penetration testing or vulnerability analysis. Intrusion detection differs from penetration tests in that detection aims to identify attacks while penetration tests concentrate on the security architecture and policies of a system. Penetration tests exploit system and user vulnerabilities. Vulnerability analysis differs from intrusion detection and penetration tests in that vulnerability tools focus on exposing common or "known" weaknesses.

Current Availability: These tools are currently available; some on a limited basis, and for some cost, from the government, academia, or commercial arenas.

RESULTS

The research for this report identified 43 Intrusion Detection tools currently being used and available. Appendix A includes complete database output for each tool. The content of Appendix A mirrors the database structure as defined in Section 4.4 of this report. The following summary chart provides the name, keywords, and a description of each tool.

[1] International Computer Security Association. Glossary of Firewall Related Terms, http://www.ncsa.com/fwpg_p8.html, November 21, 1997.

SUMMARY OF INTRUSION DETECTION TOOLS

Title | Source | Type Attributes | Contact Organization | E-mail | URL
ADS | Academia | attack detection | University College, Dublin | [email protected] | www.ucd.ie
AID | Academia | audit-based, misuse detection | Brandenburg University | [email protected] | www-rnks.informatik.tu-cottbus.de/~sobirey
ALVA | Individual | anomaly detection, audit-based | Abha Moitra | [email protected] | www.crd.ge.com/rd18.html
Argus | Academia | audit-based, system monitoring | Carnegie Mellon University | [email protected] | ftp.sei.cmu.edu/pub
ARPMon | Academia | system monitoring | University of Illinois | [email protected] | flowbee.beckman.uiuc.edu/~gressley
ARPWATCH | Government / Research | system monitoring, spoofing | Lawrence Berkeley National Laboratory | [email protected] | www-nrg.ee.lbl.gov
ASAX | Academia | audit-based, misuse detection | University of Namur | [email protected] | www.info.fundp.ac.be/~amo
ASIM | Military | anomaly detection | CAEWIS | [email protected] | www.wg53.eglin.af.mil/53spts/sc/scc/caewis.htm
CMDS | Commercial | anomaly detection, audit-based, expert system, misuse detection | SAIC | [email protected] | www.saic.com/it/cmds/index.html
Courtney | Government / Research | system monitoring | CIAC | [email protected] | ciac.llnl.gov
CyberCop | Commercial | anomaly detection, misuse detection, system monitoring | Network General Corporation | [email protected] | www.ngc.com
EMERALD | Commercial | anomaly detection, system monitoring | SRI | [email protected] | www.csl.sri.com/emerald/index.html
Gabriel | Commercial | system monitoring | Los Altos Technologies | [email protected] | www.lat.com/gabe.htm
GrIDS | Academia | anomaly detection, sniffers | University of California at Davis | [email protected] | seclab.cs.ucdavis.edu/arpa/people/todd.html
IDES/NIDES | Commercial | anomaly detection, expert system, misuse detection, system monitoring | SRI | [email protected] | www.csl.sri.com/~porras
IDIOT | Academia | misuse detection | Purdue University | [email protected] | www.cs.purdue.edu/faculty/spaf.html
Ifstatus | Individual | anomaly detection | David Curry | [email protected] | www.ers.ibm.com/~davy
Internet Scanner Toolset | Commercial | anomaly detection, vulnerability analysis | Internet Security Systems | [email protected] | www.iss.net
ITA | Commercial | anomaly detection, audit-based, misuse detection | AXENT Technologies | [email protected] | www.axent.com/about/contact/contact.htm
Kane Security Monitor | Commercial | misuse detection, system monitoring | Intrusion Detection Incorporated | [email protected] | www.intrusion.com/contact.htm
md5check | Academia | file integrity | University of California at Davis | [email protected] | seclab.cs.ucdavis.edu/arpa/people/todd.html
NADIR | Government / Research | anomaly detection | Los Alamos National Laboratory | [email protected] | www.lanl.gov/cgi-bin/phone/085768
NETMAN | Academia | system monitoring | Curtin University of Technology | [email protected] | www.cs.curtin.edu.au/~mike
NetRanger | Commercial | anomaly detection, misuse detection, system monitoring | WheelGroup Corporation | [email protected] | www.wheelgroup.com/contact/1contact.html
NID | Government / Research | anomaly detection, misuse detection | CSTC | [email protected] | ciac.llnl.gov/cstc/nid/nid.html
NIDES | Commercial | anomaly detection, expert system, misuse detection, system monitoring | SRI | [email protected] | www.csl.sri.com/~porras
NOCOL | Academia | system monitoring | Marquette University | [email protected] | www.mscs.mu.edu/contact.html
Noshell | Commercial | system monitoring | Cisco Systems | [email protected] | www.cisco.com/warp/public/437/Service.html
NSM | Academia | system monitoring | University of California at Davis | [email protected] | seclab.cs.ucdavis.edu/arpa/people/todd.html
POLYCENTER | Commercial | misuse detection, system monitoring | DEC | [email protected] | www.digital.com/misc/contacts.txt.html#US
RealSecure | Commercial | vulnerability analysis | ISS | [email protected] | www.iss.net/prod/rs.html
SecureNet Pro | Commercial | keyword-level surveillance, system monitoring | MimeStar | [email protected] | www.mimestar.com/secids.htm
Stake Out | Commercial | anomaly detection, misuse detection, system monitoring | Harris Corporation | [email protected] | www.stakeout.harris.com
Stalker | Commercial | misuse detection | Haystack Laboratories | [email protected] | www.haystack.com/contfr.htm
Swatch | Academia | misuse detection, system monitoring | Stanford University | [email protected] | www-leland.stanford.edu/group/itss-ccs/security
Tripwire | Academia | file integrity | Purdue University | [email protected] | www.cs.purdue.edu/people/walls
T-sight | Commercial | system monitoring | En Garde Systems | [email protected] | www.engarde.com/contact.html
UNICORN | Commercial | audit-based | En Garde Systems | [email protected] | www.engarde.com/contact.html
USTAT | Academia | misuse detection, state transition analysis | University of California Santa Barbara | [email protected] | www.cs.ucsb.edu/~kemm
WatchDog | Commercial | system monitoring | Fischer International Systems Corporation | [email protected] | www.fisc.com/store/wd.html
WebStalker Pro | Commercial | misuse detection | Haystack Laboratories | [email protected] | www.haystack.com/contfr.htm
X Connection Monitor | Academia | system monitoring | Purdue University | [email protected] | www.cs.purdue.edu/people/walls
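The File Integrity Checking class described under Tool Classification, as an added worked example that is not code from this report or from any tool it lists (md5check and Tripwire included): per-file SHA-256 identifiers are recorded in a baseline, recomputed on a later run, and every mismatch is reported as a modified, deleted or newly added file. The directory layout, file contents and the tampering between the two runs are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 64 * 1024


def file_identifier(path, algorithm="sha256"):
    """Cryptographic identifier for one file: a digest over its full contents."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record the identifier of every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_identifier(path)
    return baseline


def save_baseline(baseline, store_path):
    # The check is only as trustworthy as this file: keep it outside the monitored
    # tree, and on read-only or offline media in a real deployment.
    with open(store_path, "w") as fh:
        json.dump(baseline, fh, sort_keys=True)


def load_baseline(store_path):
    with open(store_path) as fh:
        return json.load(fh)


def check_integrity(root, baseline):
    """Recompute identifiers and report modified, deleted and newly added files."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then re-run the check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        _write(root, "bin/login", b"\x7fELF original binary")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "etc/motd", b"authorised use only\n")
        store = os.path.join(vault, "baseline.json")
        save_baseline(build_baseline(root), store)
        # Simulated changes between the runs: one file replaced, one removed, one added.
        _write(root, "bin/login", b"\x7fELF replaced binary")
        os.remove(os.path.join(root, "etc/motd"))
        _write(root, "tmp/new.txt", b"unexpected file\n")
        return check_integrity(root, load_baseline(store))


if __name__ == "__main__":
    print(demo())
```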
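The State Transition Analysis method described under Tool Classification, as an added example that is neither the report's code nor USTAT's: each transition carries a Boolean condition that may bind variables, a fresh instance starts at every event so any event can begin a sequence, and an alert is raised when an instance reaches an unsafe state. The diagram (repeated login failures followed by a success from the same source) and the audit events are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

Bindings = dict
Condition = Callable[[dict, Bindings], Optional[Bindings]]


@dataclass(frozen=True)
class Transition:
    src: str
    dst: str
    condition: Condition  # returns extended bindings when the condition holds, else None


@dataclass(frozen=True)
class Diagram:
    initial: str
    unsafe: frozenset
    transitions: tuple


def analyze(diagram, events):
    """Drive the diagram with an event stream; alert when an instance reaches an unsafe state."""
    alerts = []
    active = {}  # (state, frozen bindings) -> (state, bindings); one instance per scenario
    for event in events:
        candidates = list(active.values()) + [(diagram.initial, {})]
        nxt = {}
        for state, bindings in candidates:
            moved = False
            for t in diagram.transitions:
                if t.src != state:
                    continue
                new_bindings = t.condition(event, bindings)
                if new_bindings is None:
                    continue
                moved = True
                if t.dst in diagram.unsafe:
                    alerts.append({"state": t.dst, "seq": event["seq"], **new_bindings})
                else:
                    nxt[(t.dst, frozenset(new_bindings.items()))] = (t.dst, new_bindings)
                break
            if not moved and state != diagram.initial:
                nxt[(state, frozenset(bindings.items()))] = (state, bindings)  # keep waiting
        active = nxt
    return alerts


def failed_login(event, b):
    """Failed login from the already bound source (any source on the first step)."""
    if event["action"] != "login_failed" or b.get("src", event["src"]) != event["src"]:
        return None
    return {**b, "src": event["src"]}


def success_from_same_source(event, b):
    if event["action"] != "login_ok" or b.get("src") != event["src"]:
        return None
    return {**b, "user": event["user"]}


# Constructed pattern: two failures then a success from one source lands in an unsafe state.
PASSWORD_GUESSING = Diagram(
    initial="s0",
    unsafe=frozenset({"compromised"}),
    transitions=(
        Transition("s0", "s1", failed_login),
        Transition("s1", "s2", failed_login),
        Transition("s2", "compromised", success_from_same_source),
    ),
)

SAMPLE_EVENTS = [  # constructed audit records, not taken from any real system
    {"seq": 1, "action": "login_failed", "src": "10.0.0.5", "user": "alice"},
    {"seq": 2, "action": "login_failed", "src": "10.0.0.5", "user": "root"},
    {"seq": 3, "action": "login_ok", "src": "10.0.0.9", "user": "bob"},
    {"seq": 4, "action": "login_failed", "src": "10.0.0.5", "user": "admin"},
    {"seq": 5, "action": "login_ok", "src": "10.0.0.5", "user": "admin"},
]


def demo():
    return analyze(PASSWORD_GUESSING, SAMPLE_EVENTS)
```

The unrelated success at seq 3 does not advance the diagram because its source differs from the bound one, and the duplicate instance created at seq 4 is collapsed so the attack is reported once.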
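The Anomaly Detection and System Monitoring classes, together with the false-positive and false-negative trade-off noted under Tool Classification, as an added example that is not from the report: a normal usage profile is built from sampled counts, a current value is flagged when it deviates from the profile by more than a threshold measured in standard deviations, and one labelled window is scored at three thresholds to show how the two error types move against each other. The hourly counts and their intrusion labels are constructed.

```python
import statistics


def build_profile(samples):
    """Normal activity profile: mean and standard deviation of a sampled statistic."""
    return {"mean": statistics.fmean(samples), "stdev": statistics.pstdev(samples)}


def deviation(profile, value):
    """Distance of a current value from the profile, in standard deviations."""
    if profile["stdev"] == 0:
        return 0.0 if value == profile["mean"] else float("inf")
    return abs(value - profile["mean"]) / profile["stdev"]


def is_anomalous(profile, value, threshold):
    return deviation(profile, value) > threshold


def evaluate(profile, labelled, threshold):
    """Count true/false positives and negatives of the detector at one threshold."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for value, intrusion in labelled:
        flagged = is_anomalous(profile, value, threshold)
        if flagged and intrusion:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif intrusion:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


# Constructed data: failed logins per hour on a quiet host (training window) and a
# later window labelled with whether an intrusion attempt was actually under way.
TRAINING = [2, 3, 1, 4, 2, 3, 2, 5, 3, 2, 4, 3]
LABELLED = [(3, False), (6, False), (2, False), (40, True), (4, True), (1, False), (25, True)]


def demo():
    """Score the same labelled window at a loose, a moderate and a strict threshold."""
    profile = build_profile(TRAINING)
    return {t: evaluate(profile, LABELLED, t) for t in (1.0, 2.0, 3.0)}


if __name__ == "__main__":
    for threshold, counts in demo().items():
        print(threshold, counts)
```

Raising the threshold removes the false positive caused by one busy but legitimate hour, at the price of missing the low-volume attempt (4 failures) that sits inside normal variation.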