Affiliations: Department of Computer Science and Engineering,
Arizona State University, USA | Department of Industrial Engineering, Arizona State University, USA
Note: Corresponding author: Nong Ye, Associate Professor, Department
of Industrial Engineering, Arizona State University, Box 875906, Tempe, Arizona
85287, USA. Tel.: +1 480 965 7812; Fax: +1 480 965 8692; E-mail:
nongye@asu.edu
Abstract: An intrusion into an information system tries to compromise the
security of the system. Intrusion Detection Systems (IDSs) attempt to detect
these intrusions. This paper discusses what an IDS requires from the
target information system and how the IDS detects intrusions into the target
information system. Specifically, we describe the architecture of a distributed
host-based IDS developed at the Information and Systems Assurance Laboratory,
Arizona State University. At each host machine in the information
system we install an event data collector that collects and filters data of
events from the host machine. The Centralized IDS Server receives
the processed data and sends them to Individual Technique
Servers. These Individual Technique Servers use different intrusion
detection algorithms covering both anomaly detection techniques and signature
recognition techniques. Each Individual Technique Server determines
an intrusion warning (IW) level for each event. The Centralized IDS
Server then integrates the IW levels from the Individual Technique Servers into
a composite IW level, and provides it to the security administrator.
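As an added illustration (not code from the paper or the ASU laboratory), the following Python models the data flow the abstract describes: a per-host event data collector filters events, the centralized server fans each event out to an anomaly technique server and a signature technique server, and the per-technique IW levels are fused into a composite level. The scoring rules, the signature table, the event tuples and the max-based fusion are assumptions, since the abstract does not specify them.

```python
from collections import Counter

# Constructed sample audit events (host, user, command); not from the paper.
TRAINING_EVENTS = [("hostA", "alice", "ls")] * 19 + [("hostA", "alice", "cat")]
LIVE_EVENTS = [
    ("hostA", "alice", "ls"),   # routine command for alice
    ("hostA", "alice", "cat"),  # rare for alice
    ("hostA", "alice", "vi"),   # never seen for alice
    ("hostA", "bob", "nc"),     # unknown user, and a signature hit
    ("hostB", "alice", "ls"),   # belongs to another host's collector
]

def collect(host, events):
    """Event data collector: keep only this host's events (the filtering step)."""
    return [e for e in events if e[0] == host]

def build_profile(events):
    """Per-user command frequencies used by the anomaly technique server."""
    profile = {}
    for _, user, cmd in events:
        profile.setdefault(user, Counter())[cmd] += 1
    return profile

def anomaly_server(profile, event):
    """Anomaly technique server (assumed rule): IW 2 if the command was never
    seen for this user, IW 1 if it is rare (< 10 % of the profile), else IW 0."""
    user, cmd = event[1], event[2]
    seen = profile.get(user, Counter())
    total = sum(seen.values())
    if total == 0 or cmd not in seen:
        return 2
    return 1 if seen[cmd] / total < 0.10 else 0

SIGNATURES = {"nc": 3}  # assumed signature table: command -> IW level

def signature_server(event):
    """Signature technique server: match the event against known-bad commands."""
    return SIGNATURES.get(event[2], 0)

def central_server(profile, events):
    """Centralized IDS server: fan each event out to the technique servers and
    fuse their IW levels into a composite level (assumed fusion rule: max)."""
    results = []
    for ev in events:
        levels = (anomaly_server(profile, ev), signature_server(ev))
        results.append((ev, max(levels)))
    return results
```

Running `central_server(build_profile(TRAINING_EVENTS), collect("hostA", LIVE_EVENTS))` yields composite IW levels 0, 1, 2 and 3 for hostA's four events, with the hostB event dropped by the collector.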