The Intrusion Detection System AID - Architecture, and experiences in automated audit analysis

  • Michael Sobirey
  • Birk Richter
  • Hartmut König
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT)


Intrusion detection systems identify unauthorized use, misuse and abuse of computer systems. Some deployments have shown that they are capable of detecting a large number of security violations. The detection of network-based attacks, however, has so far been solved only insufficiently. In addition, there are shortcomings concerning the privacy of the monitored users. In this paper we present the intrusion detection system AID, which provides new features for network- and privacy-oriented auditing, and a sophisticated real-time analysis using knowledge-based techniques. The paper describes the objectives and the main features of the AID development.


Keywords: Network security, intrusion detection, network audit, privacy, pseudonymous audit, signature analysis, anomaly detection



Copyright information

© IFIP International Federation for Information Processing 1996

Authors and Affiliations

  • Michael Sobirey (1)
  • Birk Richter (1)
  • Hartmut König (1)

  1. Computer Science Institute, Brandenburg University of Technology at Cottbus, Cottbus, Germany
