
The Evolution of Intrusion Detection Systems

The Evolution of Intrusion Detection Systems. IDS Components. Network Intrusion Detection (NID) Switched networks Encrypted networks High-speed networks Host-based Intrusion Detection (HID) Hybrid Intrusion Detection Network-Node Intrusion Detection (NNID). SAIC’s CMDS team.

larue

Presentation Transcript


  1. The Evolution of Intrusion Detection Systems Kai, 2004 INSA

  2. IDS Components • Network Intrusion Detection (NID) • Switched networks • Encrypted networks • High-speed networks • Host-based Intrusion Detection (HID) • Hybrid Intrusion Detection • Network-Node Intrusion Detection (NNID)

  3. A Brief History of IDS (timeline diagram; callout text in the order extracted)
     • SAIC’s CMDS team
     • SAIC was also developing a form of host-based intrusion detection, called Computer Misuse Detection System (CMDS).
     • NetRanger, the first commercially viable network intrusion detection device.
     • Intrusion Detection Expert System revealed the necessary information for commercial intrusion detection system development
     • Stalker was a host-based, pattern matching system that included robust search capabilities to manually and automatically query the audit data
     • the first visible host-based intrusion detection company
     • The security market leader developed a network intrusion detection system called RealSecure.
     • analyze audit trails from government mainframe computers and create profiles of users based upon their activities
     • audit trails contained vital information that could be valuable in tracking misuse and understanding user behavior
     • along with the Haystack team, Heberlein introduced the first idea of hybrid intrusion detection.
     • the first commercial vendor of IDS tools, with its Stalker line of host-based products.
     • ASIM made considerable progress in overcoming scalability and portability issues.
     • Air Force's Cryptologic Support Center developed the Automated Security Measurement System to monitor network traffic on the US Air Force's network.
     • UC Davis’ Lawrence Livermore Lab produced an IDS that analyzed audit data by comparing it with defined patterns.
     • UC Davis's Todd Heberlein developed NSM, the first network intrusion detection system
     • Distributed Intrusion Detection System (DIDS) augmented the existing solution by tracking client machines as well as the servers it originally monitored.

  4. The players in IDS market (I) • Cisco • Diagram labels, in the order extracted: CISCO In 1997 $124Million ASIM Development Staff from AF CSC Host-Based (Entercept tech) Standard Edition Enterprise Edition Network-Based Catalyst 6000 IDS 4230 IDS 4210 Entercept tech Standard Edition Enterprise Edition Air Force Cryptologic Support Center ASIM Wheel Group NetRanger

  5. The players in IDS market (II) • Internet Security Systems (ISS) • Diagram labels, in the order extracted: ISS In 1999 In 1997 Host-Based RealSecure Network-Based RealSecure BlackICE Sentry Network ICE BlackICE Sentry (GigaBit)

  6. The players in IDS market (III) • Symantec • Diagram labels, in the order extracted: Axent Symantec Host-Based Intruder Alert Network-Based NetProwler

  7. The players in IDS market (IV) • Enterasys • Diagram labels, in the order extracted: Network Security Wizards Enterasys/Cabletron Host-Based Squire Network-Based Dragon

  8. Intrusion.com CyberSafe Host-based CMDS Development Staff CMDS People from Haystack Labs Haystack Development staff Network-based SecureNet Pro Host-Based Centrax Network-Based Centrax (NNID tech.) Kane NetworkICE ODS MimeStar SecureNet Pro Centrax Entrax Network Associates Host-based CMDS Host-based Kane Trusted Information Systems SAIC Haystack Labs Stalker UCAL Davis Lawrence Livermore labs

  9. Conclusion • Government funding and corporate interest helped Anderson, Heberlein, and Denning spawn the evolution of IDS. • Intrusion detection has indeed come a long way, becoming a necessary means of monitoring, detecting, and responding to security threats.
