47 research outputs found

    Survey of Intrusion Detection Research

    The literature holds a great deal of research in the intrusion detection area. Much of this describes the design and implementation of specific intrusion detection systems. While the main focus has been the study of different detection algorithms and methods, there are a number of other issues that are of equal importance to make these systems function well in practice. I believe that the reason that the commercial market does not use many of the ideas described is that there are still too many unresolved issues. This survey focuses on presenting the different issues that must be addressed to build fully functional and practically usable intrusion detection systems (IDSs). It points out the state of the art in each area and suggests important open research issues.

    Extended Field Laser Confocal Microscopy (EFLCM): Combining automated Gigapixel image capture with in silico virtual microscopy

    Background: Confocal laser scanning microscopy has revolutionized cell biology. However, the technique has major limitations in speed and sensitivity due to the fact that a single laser beam scans the sample, allowing only a few microseconds signal collection for each pixel. This limitation has been overcome by the introduction of parallel beam illumination techniques in combination with cold CCD camera based image capture. Methods: Using the combination of microlens enhanced Nipkow spinning disc confocal illumination together with fully automated image capture and large scale in silico image processing we have developed a system allowing the acquisition, presentation and analysis of maximum resolution confocal panorama images of several Gigapixel size. We call the method Extended Field Laser Confocal Microscopy (EFLCM). Results: We show using the EFLCM technique that it is possible to create a continuous confocal multi-colour mosaic from thousands of individually captured images. EFLCM can digitize and analyze histological slides, sections of entire rodent organ and full size embryos. It can also record hundreds of thousands cultured cells at multiple wavelength in single event or time-lapse fashion on fixed slides, in live cell imaging chambers or microtiter plates. Conclusion: The observer independent image capture of EFLCM allows quantitative measurements of fluorescence intensities and morphological parameters on a large number of cells. EFLCM therefore bridges the gap between the mainly illustrative fluorescence microscopy and purely quantitative flow cytometry. EFLCM can also be used as high content analysis (HCA) instrument for automated screening processes.

    Logging for Intrusion and Fraud Detection

    Computer security is an area of ever increasing importance. Our society relies on computerised services, which gives many reasons for computer criminals, attackers, terrorists, hackers, crackers, fraudsters, or whatever name is appropriate, to break these systems. To deal with security problems, many types of mechanisms have been developed. One mechanism is the intrusion detection system (IDS), designed to detect ongoing attacks, detect attacks after the fact or even detect preparations for an attack. The IDS is complementary to preventive security mechanisms, such as firewalls and authentication systems, which can never be made 100% secure. A similar type of system is the fraud detection system (FDS), specialised to detect frauds (or "attacks") in commercial services in different business areas, such as telecom, insurance and banking. Fraud detection can be considered a special case of intrusion detection. A crucial part of intrusion or fraud detection is to have good quality input data for the analysis, as well as for training and testing the systems. However, it is difficult to acquire any training and test data and it is not known what kind of log data are most suitable to use for detection. The contribution of this thesis is to offer guidance in matters of acquiring more suitable log data for intrusion and fraud detection. The first part is general and gives a survey of research done in intrusion detection and shows that intrusion and fraud detection reflect different aspects of the same problem. The second part is devoted to improving the availability and quality of log data used in intrusion and fraud detection. The availability of log data for training and testing detection systems can be improved by solving the privacy issues that prevent computer system owners from releasing their log data. Therefore, a method is suggested for anonymising the log data in a way that does not significantly affect their usefulness for detection. 
Though authentic data are convenient to use for training and testing they do not always have the desirable properties, which include flexibility and control of content. Another contribution to improve the availability and also the quality of log data is thus a method for creating synthetic training and test data with suitable properties. This part also includes a methodology for determining exactly which log data can be used for detecting specific attacks. In the ideal situation, we only collect exactly the data needed for detection, and this methodology can help us develop more efficient and adapted log sources. These new log sources will improve the quality of log data used for intrusion and fraud detection.

    Extracting attack manifestations to determine log data requirements for intrusion detection

    Log data adapted for intrusion detection is a little explored research issue despite its importance for successful and efficient detection of attacks and intrusions. This paper presents a starting point in the search for suitable log data by providing a framework for determining exactly which log data can reveal a specific attack, i.e. the attack manifestations. An attack manifestation consists of the log entries added, changed or removed by the attack compared to normal behaviour. We demonstrate the use of the framework by studying attacks in different types of log data. This work provides a foundation for a fully automated attack analysis. It also provides some pointers for how to define a collection of log elements that are both sufficient and necessary for detection of a specific group of attacks. We believe that this will lead to a log data source that is especially adapted for intrusion detection purposes.

    Setting the Scene for Intrusion Detection

    In this paper, we present a structured survey of the intrusion detection research area. The area is divided into a number of sub-areas, and each of these is presented in some detail with respect to content, research status and open research issues. Our hope is that this will help other researchers to get acquainted with the status of intrusion detection research and inspire them to take on challenges that have not yet been properly addressed.

    A synthetic fraud data generation methodology

    In many cases synthetic data is more suitable than authentic data for the testing and training of fraud detection systems. At the same time synthetic data suffers from some drawbacks originating from the fact that it is indeed synthetic and may not have the realism of authentic data. In order to counter this disadvantage, we have developed a method for generating synthetic data that is derived from authentic data. We identify the important characteristics of authentic data and the frauds we want to detect and generate synthetic data with these properties.