
What is NIDES?

NIDES is a comprehensive intrusion-detection system that monitors user activity on a set of target computers and detects unusual and suspicious user behavior on those systems in real time. NIDES runs on its own workstation and analyzes audit data, collected from the monitored systems, that characterizes user activity, in order to detect a variety of suspicious user behavior.

NIDES performs two types of analysis. Its statistical analysis maintains historical statistical profiles for each user and raises an alarm when observed activity departs from the established patterns of use for that individual. The historical profiles are updated regularly, and older data is "aged" out with each profile update, so that NIDES adaptively learns what to expect from each user. This type of analysis is intended to detect intruders masquerading as legitimate users. Statistical analysis may also detect intruders who exploit previously unknown vulnerabilities and who could not be detected by any other means. Statistical anomaly detection can also turn up interesting and unusual events that could lead to security-relevant discoveries upon investigation by a security officer. The statistical analysis is customizable: several parameters and thresholds can be changed from their default values, and specific intrusion-detection "measures" (the aspects of behavior for which statistics are kept) can be turned on or off.
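A minimal sketch of the per-user profiling idea described above, added here as an illustration and not NIDES code. The surprise score, the half-life aging, the floor probability, the threshold and the command-name measure are all assumptions, since the page does not specify NIDES's actual statistics.

```python
import math
from collections import Counter, defaultdict

class UserProfile:
    """Aged historical profile of one categorical measure (here: command names)."""
    def __init__(self, half_life=30.0, floor=1e-3):
        self.decay = 0.5 ** (1.0 / half_life)  # weight halves every `half_life` updates
        self.floor = floor                     # probability given to never-seen categories
        self.counts = Counter()

    def score(self, observed):
        """Mean surprise, in bits per event, of `observed` under the profile."""
        total, n = sum(self.counts.values()), sum(observed.values())
        if total == 0 or n == 0:
            return 0.0                         # no history or no activity to compare
        bits = sum(-k * math.log2(max(self.counts[c] / total, self.floor))
                   for c, k in observed.items())
        return bits / n

    def update(self, observed):
        """Age out older data, then fold in the latest period."""
        for c in self.counts:
            self.counts[c] *= self.decay
        self.counts.update(observed)

def analyze(periods, threshold_bits=4.0, training=3, half_life=30.0):
    """periods: time-ordered (user, Counter) pairs. Returns (index, user, score) alarms."""
    profiles, seen, alarms = defaultdict(lambda: UserProfile(half_life)), Counter(), []
    for i, (user, observed) in enumerate(periods):
        s = profiles[user].score(observed)
        if seen[user] >= training and s > threshold_bits:
            alarms.append((i, user, round(s, 2)))
        profiles[user].update(observed)        # the profile keeps adapting
        seen[user] += 1
    return alarms

# Constructed sample data: one Counter of command names per user per day.
DEV = Counter(vi=20, cc=10, ls=15)             # alice's usual day
ADMIN = Counter(su=3, find=12, ls=5, cat=10)   # bob's usual day
PERIODS = [("alice", DEV)] * 5 + [("bob", ADMIN)] * 4 + [("alice", ADMIN), ("bob", ADMIN)]

if __name__ == "__main__":
    print(analyze(PERIODS))   # only alice's admin-style day departs from her own profile
```

The same admin-style activity is unremarkable for bob, because each user is scored only against their own history.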

The rulebased analysis of NIDES uses rules that characterize known intrusion types to raise an alarm if observed activity matches any of its encoded rules. This type of analysis is intended to detect attempts to exploit known security vulnerabilities of the monitored systems and intruders who exhibit specific patterns of behavior that are known to be suspicious or in violation of site security policy. Observed activity that matches any of these predefined behaviors is flagged. Unlike most competing systems, the NIDES rulebase is customizable: new rules can be defined and compiled into the running system, and existing rules can be turned on or off. Although NIDES comes with a limited rulebase designed for Sun UNIX operating systems, you will want to customize the rulebase for your particular environment and to keep it up to date with the changing vulnerabilities of new system releases and discovered vulnerabilities of current releases.

The NIDES resolver screens the alarms generated by the statistical and rulebased components before reporting them to the security officer, to avoid flooding the security officer with redundant alarms. Alerts can be reported to the NIDES console or to a list of email recipients. Some user-configurable filters are also provided. For example, you can turn off alert reporting for specific users, if you know they will be doing something unusual and would otherwise generate a lot of false alarms. Although filtered alerts are not reported, they are still logged.

NIDES includes an archive facility that stores audit records, analysis results, and alerts, and allows browsing of this archive. NIDES also includes a system monitoring facility that displays information on monitored systems, status of the audit data archiver, a daily summary of system throughput, and a daily summary of alert generation.

NIDES also includes a test facility that allows a security officer to experiment with new statistical parameter settings or new rulebase configurations before committing them to the running NIDES. The NIDES user may construct test data sets from the audit record archive for a specific time window and set of user names. The candidate rulebase and statistical parameters can then be tested against these test data sets concurrent with the running NIDES. Test results are archived for comparison.

NIDES can operate either in real time, for continuous monitoring and analysis of user activity, or in batch mode, for periodic batch analysis of audit data. NIDES can monitor numerous, possibly heterogeneous, machines. The monitored systems provide audit data to NIDES for analysis. A process that runs on each monitored system converts audit data in the monitored system's native audit record format to a generic audit data format used by NIDES and (in real-time mode) transmits the NIDES-formatted audit data to NIDES. NIDES receives data from multiple monitored systems and coalesces the data into a single audit record stream for analysis. Because NIDES uses a generic audit record format, it is easily adapted to monitor new system types by writing a simple audit data mapping routine (mapping routines for some system types are already available).

NIDES includes a user interface written using the MOTIF toolkit to operate under the X-Window system. Access to the various NIDES functions is provided through pulldown menus, point-and-click selections, and occasional text entry. An extensive multitiered context-sensitive help system is included. NIDES also includes a comprehensive user's manual and tutorial.



©2004 SRI International 333 Ravenswood Avenue, Menlo Park, CA 94025-3493
SRI International is an independent, nonprofit corporation.