News Release

New techniques to foil cyber intruders

Peer-Reviewed Publication

Office of Naval Research

Researchers at the Naval Surface Warfare Center in Dahlgren, Va., are developing new statistical techniques to aid human operators in detecting intrusions and defending computer networks against them. Most existing intruder detection software works by flagging access attempts that match pre-identified attack attempts. However, that approach presumes some pre-existing knowledge of the intruder's methods.

The ONR-funded researchers at Dahlgren are developing new algorithms to flag access attempts that are not routine for a particular workstation, local-access network, wide-area network, or Internet service provider. Using statistical pattern analysis, the algorithms will single out access attempts from strange places or at strange hours, or any attempts asking for unusual information. The flagged data will then be analyzed further to determine whether it represents a threat or just a benign anomaly.

This research builds on the network-based intrusion detection system "Secondary Heuristic Analysis for Defensive Online Warfare," or SHADOW, also developed at Dahlgren. The SHADOW system detects suspicious activities such as network scans and probes, denial of service attacks and unauthorized connection attempts. The statistical pattern recognition research has the potential to enhance the effectiveness of SHADOW, as well as many other network protection software systems.

This research effort, led by Drs. Jeff Solka and David Marchette, was described at the recent USENIX Workshop on Intrusion Detection and Network Monitoring in Santa Clara, Calif., and was the subject of a tutorial at a recent System Administration and Network Security Institute Conference.
