Detection of intrusion across multiple sensors (8 August 2003)
We have been developing an architecture for reasoning with multiple sensors distributed on a computer network, linking them with analysis modules and reasoning with the results to combine evidence of possible intrusion for display to the user. The architecture, called MAITA, consists of monitors distributed across machines and linked together under control of the user and supported by a monitor of monitors that manages the interaction among the monitors. This architecture enables the system to reason about evidence from multiple sensors. For example, a monitor can track FTP logs to detect password scans followed by successful uploads of data from foreign sites. At the same time it can monitor disk use and detect significant trends. Monitors can then combine the evidence in the sequence in which the observations occur and present evidence to the user that someone has successfully gained write access to the FTP site and is occupying significant disk space. This paper discusses the architecture enabling the creation, linking, and support of the monitors. The monitors may be running on the same or different machines, so appropriate communication links must be supported, as must regular status checks to ensure that monitors are still running. We will also discuss the construction of monitors for sensing the data, abstracting and characterizing data, synchronizing data from different sources, detecting patterns, and displaying the results.
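The abstract's worked scenario (an FTP-log monitor that sees a password scan followed by a successful login and an upload, a disk-use monitor that sees a rising trend, and a combining monitor that merges the two in time order) can be sketched in a few dozen lines. The following is an added illustration, not MAITA's code or any code from the paper: the log format, the host addresses, the disk figures and the thresholds are all constructed for the example, and the simplified FTP line layout is an assumption made here for readability.

```python
"""Added illustration (not the MAITA code from the paper): a small monitor
pipeline mirroring the abstract's example of combining evidence from an
FTP-log monitor and a disk-use monitor. All log lines and numbers are
constructed; the FTP log layout is a simplified format assumed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass(frozen=True)
class Event:
    """Abstracted observation emitted by a monitor, ordered by `ts`."""
    ts: datetime
    kind: str      # "password_scan", "login_ok", "upload" or "disk_trend"
    host: str      # remote host for FTP events, "" for disk events
    detail: str


# Constructed FTP log lines (documentation-range addresses, not real traffic).
# Assumed format: "<ISO time> <remote host> <LOGIN_FAIL|LOGIN_OK|STOR> <extra>"
FTP_LOG = """\
2003-07-01T10:00:01 203.0.113.7 LOGIN_FAIL user=anonymous
2003-07-01T10:00:02 203.0.113.7 LOGIN_FAIL user=admin
2003-07-01T10:00:03 203.0.113.7 LOGIN_FAIL user=ftp
2003-07-01T10:00:04 203.0.113.7 LOGIN_FAIL user=upload
2003-07-01T10:00:09 203.0.113.7 LOGIN_OK user=upload
2003-07-01T10:02:30 203.0.113.7 STOR /incoming/archive1.bin
2003-07-01T10:05:00 198.51.100.2 LOGIN_OK user=mirror
"""

# Constructed disk-use samples for the FTP volume: (timestamp, percent used).
DISK_SAMPLES = [("2003-07-01T09:30:00", 41), ("2003-07-01T10:00:00", 42),
                ("2003-07-01T10:30:00", 55), ("2003-07-01T11:00:00", 71)]

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_FAIL|LOGIN_OK|STOR) (.*)$")


def ftp_monitor(log: str, scan_threshold: int = 3) -> list[Event]:
    """Sensing and abstraction for the FTP log: raw lines become
    password_scan / login_ok / upload events keyed by remote host."""
    events, fails = [], defaultdict(int)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparseable line: ignore, never crash the monitor
        ts_text, host, action, extra = m.groups()
        ts = datetime.fromisoformat(ts_text)
        if action == "LOGIN_FAIL":
            fails[host] += 1
            if fails[host] == scan_threshold:   # emit once per burst, not per failure
                events.append(Event(ts, "password_scan", host, f"{scan_threshold} failures"))
        elif action == "LOGIN_OK":
            events.append(Event(ts, "login_ok", host, extra))
        elif action == "STOR":
            events.append(Event(ts, "upload", host, extra))
    return events


def disk_monitor(samples, rise_threshold: float = 20.0) -> list[Event]:
    """Trend characterisation: flag a rise in disk use at or above the threshold."""
    first_ts, first_pct = samples[0]
    last_ts, last_pct = samples[-1]
    if last_pct - first_pct >= rise_threshold:
        return [Event(datetime.fromisoformat(last_ts), "disk_trend", "",
                      f"+{last_pct - first_pct}% between {first_ts} and {last_ts}")]
    return []


def correlate(events: list[Event]) -> list[str]:
    """Combine evidence in time order: scan -> login_ok -> upload from one host,
    then a disk-use trend observed after that upload, yields one combined alert."""
    alerts, stage = [], defaultdict(int)    # per-host progress through the sequence
    upload_hosts = {}                       # host -> time of the completing upload
    order = ("password_scan", "login_ok", "upload")
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in order:
            if order.index(ev.kind) == stage[ev.host]:   # only the next expected step counts
                stage[ev.host] += 1
                if stage[ev.host] == len(order):
                    upload_hosts[ev.host] = ev.ts
        elif ev.kind == "disk_trend":
            for host, when in upload_hosts.items():
                if when <= ev.ts:
                    alerts.append(f"{host}: password scan, successful login and upload, "
                                  f"followed by disk growth ({ev.detail})")
    return alerts


def run_pipeline() -> list[str]:
    """Run both monitors over the constructed inputs and combine their evidence."""
    return correlate(ftp_monitor(FTP_LOG) + disk_monitor(DISK_SAMPLES))


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

The second host (198.51.100.2) logs in successfully but never produces a scan event first, so it never advances through the sequence and generates no alert; the sequence check is what keeps the ordinary mirror login from being reported. In a deployment of this shape each monitor would run in its own process, possibly on a different machine, and the combining monitor would receive events over a link rather than from an in-memory list, which is where the status checks and time synchronisation the abstract mentions become necessary.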
© (2003) COPYRIGHT Society of Photo-Optical Instrumentation Engineers (SPIE). Downloading of the abstract is permitted for personal use only.
William J. Long, Jon Doyle, Glenn Burke, and Peter Szolovits "Detection of intrusion across multiple sensors", Proc. SPIE 5107, System Diagnosis and Prognosis: Security and Condition Monitoring Issues III, (8 August 2003);