Real-Time Projects
Host Based IDS
This software runs on a specific machine (Linux/Solaris/NT) and
monitors the system to detect intrusions.
The WinNT Host Based IDS will be a system that runs on a specific
NT machine and monitors the event audit logs to detect attacks on
the machine. The system interfaces with the "Base Object Event"
system in the OS to get access to the information about the
machine's processes. In addition, the system performs analysis on
the binaries of programs that are being executed.
The Solaris Host Based IDS will be a system that runs on a specific
Solaris machine and monitors the BSM logs for that machine. In
addition, it may get more information from the machine using tools
such as finger, w, lastcomm, etc.
The Linux Host Based IDS will be a system that runs on a specific
Linux machine and monitors the BSM logs for that machine. Since
BSM is native to Solaris, the Linux host based IDS must use a port of
BSM, which may or may not be stable. In addition, it may get more
information from the machine using tools such as finger, w,
lastcomm, etc.
HAUNT
This system is a network based IDS. It monitors all the
network packets and detects attacks. To detect attacks, the system
uses a set of rules defined in N-code, a language specific to the
NFR system. The NFR engine processes the N-code and the
network traffic to detect attacks.
Adaptive Intrusion Detection System
This system builds a model of the behavior of a system in real time. The
rule sets are constantly updated with the new data. As the rule
set changes, it is sent to the relevant host based or network based
IDS.
Distributed IDS System
The Distributed IDS coordinates the activity of all of the host
based systems as well as the network based systems. The Distributed
IDS receives attack reports from the other IDS systems. Based on
those attack reports, the Distributed IDS makes the final
decision of whether or not something is an attack, and generates an
alarm if it is.
Malicious Program Email Filter
This system will monitor a domain's email and scan each attachment to
detect malicious programs using a learning based method. The system
will either detect a virus and stop it completely or help contain its
spread by monitoring the virus's propagation. Had this system been
in place, the ILOVEYOU bug would not have caused as much damage as it
did.
Data Warehousing For IDS
This system will store all of the data collected from network and host
based IDSs in an efficient manner, facilitating the learning of models
for detecting intrusions. This system also synchronizes the IDSs' data
so that an attack can be examined across several IDS systems.
File System Wrappers
This project works on building a system to detect intrusions by
monitoring file system wrappers. The idea is that by monitoring
writes to the file system, we can detect attacks.
Data Mining Projects
Link Analysis
This system attempts to detect "scenario" attacks, i.e. attacks spread
over long periods of time. The system monitors events which
independently are normal, but together are suspicious.
Explanation Engine
This system explains a detected attack. The system uses information
about the data and the model that correspond to an attack and tries to
explain (in English) what happened and why it thinks it is an attack.
Network Based Probabilistic Anomaly Detection Models
This project works on building probabilistic anomaly detection
models. These models can detect anomalous events (intrusions) over
network data. The models detect anomalies in an unsupervised manner, so
they can be used in the adaptive system.
Automatic Feature Discovery for Anomaly Detection
This project works on automatically discovering the features needed by
anomaly detection models, so that feature discovery becomes part of the
anomaly detection process itself.
Malicious Binary Detection
This project develops a machine learning framework for detecting
unknown malicious programs.
Component Model

Enterprise Model
