Network Security: Intrusion Detection

CS 4235, Spring 2006

Asim Ali
Zachary Allen
Gregory Heim
Thang Ly

12 April 2006

When attempting to secure a network, there is no magic bullet. No single product or piece of software can begin to solve every network security problem. Administrators must take a holistic approach to network security, implementing separate controls for the separate vulnerabilities in their networks. They must educate users so that users do not compromise the network, install anti-virus software to identify and remove malicious code from the network's systems, and put up firewalls to block malicious outsiders from entering the network.

Intrusion detection fits into its own niche within network security. Of the three major areas of security (prevention, detection, and response), intrusion detection assists network administrators with detection (“Computer”). One of the most unsettling realities a network administrator deals with is that, in many cases, he may not even be aware that his network is being attacked, especially when the attacks are unsuccessful and produce no visible symptoms. Given enough attempts, at least one attack will eventually succeed. Intrusion detection is therefore necessary to discover these attempts, ideally before they become a problem.

This research paper discusses three main areas of intrusion detection. First, it defines intrusion detection, provides relevant background on the subject, and introduces the various categories of intrusion detection systems. Next, it discusses the historical circumstances that led to the development and evolution of intrusion detection. Finally, it compares and contrasts the intrusion detection products available on the market today, allowing readers to find a system they might use to protect their own networks.

Background Information

In information security, we aim to preserve the confidentiality, integrity, and availability of information systems. In the most general sense, intrusion detection can be defined as “the act of detecting actions that attempt to compromise the confidentiality, integrity, and availability of a resource” (“Intrusion Detection”). There are two ways in which intrusion detection can be performed, and both deal with the review of audit logs of information system activity. It can be performed manually, by a person examining the audit logs or other evidence for signs of an intrusion, or it can be performed by a system that reviews audit logs automatically. Such a system is called an intrusion detection system (IDS) (“Intrusion Detection”).

Modern networks employ IDSs to detect unwanted manipulation of systems, ranging from attacks made by “script kiddies” with automated tools to those made by skilled, malicious hackers (“Intrusion-detection system”). These attacks may include network-based attacks against vulnerable services, data-driven attacks on applications, malicious code (viruses, Trojan horses, or worms), and various host-based attacks (privilege escalation, access to sensitive files, or unauthorized logins) (“Intrusion-detection system”). IDSs are necessary to detect the kinds of malicious network traffic and computer usage that traditional firewalls cannot detect (“Intrusion-detection system”). Whereas firewalls limit access between networks in order to prevent intrusions, without ever signaling that an attack occurred, IDSs evaluate suspected intrusions once they have occurred and then raise an alarm (“Intrusion-detection system”). Firewalls also fall short in that they do not deal with attacks that originate from within their own network (“Intrusion-detection system”). Typically, an IDS has three main components: sensors, a console, and a central engine (“Intrusion-detection system”). Sensors generate security events, the console controls the sensors and monitors events and alerts, and the central engine records the events generated by the sensors and determines whether an alarm should be triggered (“Intrusion-detection system”).

There are two main locations in which an IDS can operate: it can be either host-based or network-based (“Intrusion Detection”). A host-based IDS resides on a single system, usually in the form of a software agent, and tries to detect malicious activity occurring on the system on which it is installed (“Intrusion-detection system”). The agent does so by analyzing virus scanner output, system activity, and system logs (system calls, application logs, or file modifications) for evidence of possibly illegitimate activity (“Host-based”). A host-based IDS focuses its efforts on the internals of a system rather than on its external interfaces, as a network-based IDS would (“Host-based”).

A network-based IDS, by contrast, is an independent system, usually attached to a hub or to a switch port configured to mirror traffic (an ordinary switch port would see only its own conversations), which examines network traffic in order to identify possible intrusions (“Intrusion-detection system”). By reading all incoming traffic and looking for suspicious patterns, a network-based IDS tries to detect common malicious acts that propagate through networks, such as port scans, denial of service attacks, and login attempts by unauthorized users (“Network”). A network-based IDS does not, however, limit itself to incoming traffic; outgoing or local traffic can be monitored as well in order to detect possible attacks by insiders (“Network”).

In reality, most IDSs used in the real world are neither purely host-based nor purely network-based. They are hybrids that combine the two approaches. A hybrid IDS combines data from a host agent with network information in order to form a comprehensive view of an entire network (“Intrusion-detection system”).


Besides their classification by location, IDSs can also be classified by how they actually detect intrusions. A signature-based IDS (also known as a misuse detection IDS) identifies traffic patterns or application data presumed to be malicious by matching the data it monitors against a set of “known” attacks (“Intrusion Detection”). It works much like anti-virus software in that it compares the information it gathers to a large database of previously documented attack “signatures,” looking for specific attacks (“Intrusion-detection system”). In this sense, a signature-based IDS is only as good as its list of attacks: an attack that has no signature, whether because it is new or because it has been encoded or fragmented so that it no longer matches, goes unreported (“Intrusion-detection system”).

An anomaly-based IDS, on the other hand, has no predefined set of attacks for which it checks. Instead, it compares the information it gathers to a “normal” baseline built from previously gathered information (“Intrusion Detection”). Through self-learning, an anomaly-based IDS defines for itself what a normal system state is by statistically analyzing characteristics such as traffic load, protocol breakdown, typical packet size, and so on (“Intrusion-detection system”). Once this baseline has been defined, it classifies each piece of information it examines as either normal (falling within some preset range around the baseline) or anomalous (outside of that range) (“Anomaly”). Whereas a signature-based IDS is limited to what its signatures describe, an anomaly-based IDS can in principle flag any misuse, including previously unseen attacks, provided that the misuse deviates measurably from normal system operation; the price is that legitimate but unusual activity is flagged as well (“Anomaly”).
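The contrast between the two detection methods, as an added example in Python (it is not code from the paper or from any product discussed in it): a handful of constructed web-server log lines are run through a small signature database and through an anomaly detector that has learned a response-size baseline from constructed normal traffic. The log format, the two signatures, the three-standard-deviation threshold, and all addresses and paths are assumptions made for the example.

```python
"""Signature-based versus anomaly-based detection over the same log lines.

Added example, not code from the paper or from any IDS product discussed
in it. The log format (client, path, status, bytes), the two signatures,
the k-sigma threshold and all log lines are constructed for illustration.
"""
import re
import statistics
from urllib.parse import unquote

# Constructed "normal" traffic used to learn the anomaly baseline.
BASELINE_LOG = """\
10.0.0.5 /index.html 200 1024
10.0.0.7 /about.html 200 2048
10.0.0.5 /img/logo.png 200 3072
10.0.0.9 /index.html 200 1024
10.0.0.7 /contact.html 200 1536
10.0.0.9 /img/logo.png 200 3072
"""

# Constructed traffic under inspection: two textbook attacks, one large
# suspicious download, and one large but legitimate download.
LIVE_LOG = """\
10.0.0.5 /index.html 200 1024
172.16.3.4 /cgi-bin/../../../../etc/passwd 404 512
172.16.3.4 /index.html?id=1'%20OR%20'1'='1 200 1024
172.16.3.4 /download/backup.tgz 200 524288000
10.0.0.9 /video/intro.mp4 200 40960000
10.0.0.7 /about.html 200 2048
"""

# The misuse "database": only attacks listed here can ever be reported.
SIGNATURES = [
    ("path-traversal", re.compile(r"(\.\./){2,}")),
    ("sql-injection-tautology",
     re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)),
]


def parse(log):
    """Split each line into fields; the path is URL-decoded so that
    encoded payloads such as %20 cannot slip past the signatures."""
    rows = []
    for line in log.splitlines():
        client, path, status, size = line.split()
        rows.append({"client": client, "path": unquote(path),
                     "status": int(status), "bytes": int(size)})
    return rows


def signature_alerts(rows):
    """Misuse detection: each record is compared against every known pattern."""
    return [(r["client"], name)
            for r in rows
            for name, pattern in SIGNATURES
            if pattern.search(r["path"])]


class SizeAnomalyDetector:
    """Anomaly detection on one statistic, the response size: learn mean and
    standard deviation from the baseline, then flag anything more than k
    standard deviations away from the mean."""

    def __init__(self, baseline_rows, k=3.0):
        sizes = [r["bytes"] for r in baseline_rows]
        self.mu = statistics.fmean(sizes)
        self.sigma = statistics.pstdev(sizes)
        self.k = k

    def alerts(self, rows):
        return [(r["client"], "size-outlier", r["bytes"])
                for r in rows
                if abs(r["bytes"] - self.mu) > self.k * self.sigma]


def run():
    """Both detectors over the live log; returns the two alert lists."""
    baseline = parse(BASELINE_LOG)
    live = parse(LIVE_LOG)
    return signature_alerts(live), SizeAnomalyDetector(baseline).alerts(live)


if __name__ == "__main__":
    sig, anom = run()
    print("signature alerts:", sig)   # traversal and SQLi, nothing else
    print("anomaly alerts:", anom)    # the big downloads, legitimate or not
```

Run stand-alone, the signature detector reports the directory traversal and the SQL injection and nothing else, because those are the only two patterns it knows. The anomaly detector misses both (their response sizes are ordinary) but flags the unusually large downloads, including the legitimate video file, which is exactly the false positive the anomaly approach trades for its ability to notice attacks nobody has written a signature for.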
Once an IDS has determined that an intrusion has occurred, there are several actions it can take. Generally, intrusion detection does not include the prevention of intrusions; taking action to stop an intrusion or to prevent it from happening again is outside the scope of intrusion detection (“Intrusion Detection”). When an IDS detects an intrusion, it usually logs the relevant information to some kind of database and then perhaps generates an alert, in the form of an e-mail or pager message, to let the appropriate party know what has occurred (“Intrusion Detection”). Most IDSs operate in this manner and are known as “passive” systems (“Intrusion-detection system”). There are, however, “reactive” systems which take action upon detecting an intrusion, such as logging off an unauthorized user or reconfiguring a firewall to block traffic from a malicious attacker (“Intrusion-detection system”). Reactive systems inherit the detector's false positives: a false alarm that only generates an e-mail wastes an analyst's time, but one that rewrites a firewall rule can cut off a legitimate user or, if the attacker spoofs a victim's address, be turned into a denial of service against that victim.


A Bit of History

In 1972, James P. Anderson recognized that several problems existed with security audit logs. Back then, logs took the form of large amounts of dot-matrix, fan-folded paper that could not easily be analyzed for intrusions (Innella). In 1980, Anderson was hired to improve the security auditing and surveillance capability of a customer's systems. During the investigation, Anderson suggested that audit trails could be useful for tracking misuse and understanding user behavior (Innella). He wrote up his findings in the groundbreaking report “Computer Security Threat Monitoring and Surveillance,” and the concept of automated intrusion detection was born.

In his report, Anderson made many suggestions for improving the monitoring of computer usage in order to detect misuse and intrusions. At the time, the customer kept audit trails on a weekly or monthly basis. The data was dumped into a single file from which various reports (primarily for accounting purposes) were produced. After producing these reports, the customer transferred all the data to tape, and had several years of raw data in this format. The audit trail data was mostly distributed to the customer's data processing personnel, and in general the users of a company database or application did not receive any relevant security audit trail data. The company's audit data could detect unauthorized access based on user identification. The system was flawed, however: it did not take into account users who operated at a level of control that bypassed application-level auditing. By gaining access to an account, an intruder could escape detection, and even a legitimate programmer could abuse his privileges and access lower-level database files without leaving a trace. Since most operating systems of the time lacked built-in access control mechanisms, these logs also placed a heavy burden on the customer's system. Audit trails were rarely complete enough to support the needs of the security officers (Anderson).


Anderson divided malicious attacks into three categories: external penetration, internal penetration, and misfeasance. An attack was categorized according to whether or not the attacker had authorized access to the computer being penetrated and whether or not the attacker had authorized access to the resources being used. External penetration occurs when the attacker has access to neither the computer nor the resource. Internal penetration occurs when the attacker has gained use of a machine, and has thus overcome a major barrier to unauthorized access. Misfeasance is the misuse of authorized access, both to the system and to its data (Anderson).

In order to detect abnormal use, Anderson proposed creating a profile of the characteristics of normal computer use for legitimate users doing legitimate tasks. A user's profile included both the list of programs the user usually ran and the data files those programs read. Several time parameters were included as well, such as the time of day a job was run, the day of the week it was run, and how long it took to run. Abnormal behavior could then be detected by looking at the variability in these time parameters, usually as the sum of the squares of the absolute differences between the user's average and the measured values, summed over 24 terms, one per hour of the day:

score = \sum_{i=1}^{24} |A_i - B_i|^2

where A_i is the user's average for hour i and B_i is the value measured for that hour. This score showed whose login patterns exhibited the greatest variability, which might have been the result of illicit use. If a parameter ever fell more than 2.58 standard deviations from its mean in either direction, this was reported as an exception (Anderson). For a normally distributed parameter, 2.58 standard deviations is the two-sided 99% bound, so roughly one legitimate observation in a hundred would be reported as well. These ideas very closely resemble an anomaly-based IDS.


In 1983, Dr. Dorothy Denning of SRI International began working on a new IDS for the government. Denning and Dr. Peter Neumann created the Intrusion Detection Expert System (IDES), the first functional IDS, for a Navy SPAWAR contract. The system's goal was to analyze audit trails from government mainframe computers and to create profiles of users (Innella). In 1987, Denning published “An Intrusion-Detection Model,” based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage.

In her paper, Denning identified four factors that motivated the development of a real-time intrusion detection system. First, security flaws in existing systems allowed intrusions, and finding and fixing all of these deficiencies was not feasible for technical and economic reasons. Second, existing systems with known flaws could not simply be replaced by more secure systems, because important features existed only in the less secure systems. Third, building a completely secure system was almost impossible. Lastly, even secure systems remained open to misuse and abuse by insiders (Denning).

Denning's model borrowed a great deal from Anderson's in that it was highly statistical. Her model included six main components: subjects (who initiate activity), objects (the resources in the system: files, commands, devices, etc.), audit records (created by the system and based on the actions of subjects), profiles (structures that characterize a subject's behavior), anomaly records (created when abnormal behavior is detected), and activity rules (actions taken when certain conditions are met). The model worked as a rule-based pattern matching system which observed standard operations on the system, looking for abnormal usage (Denning).

Activity profiles for a subject's behavior were recorded in terms of a statistical metric and a model. The metric represented a quantitative measure calculated over a period of time. Types of metrics included the event counter (the number of audit records satisfying some property), the interval timer (the length of time between two related events), and the resource measure (the quantity of resources consumed by an action). The statistical models operated on these metrics and determined whether a new observation was abnormal compared with previously recorded values; Denning's paper lists five such models: the operational model (a fixed threshold), the mean and standard deviation model, the multivariate model, the Markov process model, and the time series model (Denning).
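Anderson's score and exception rule from the previous section, together with Denning's three metric types under her mean and standard deviation model, as an added Python example (it is not code from the paper, from Anderson's report, or from Denning's paper). The per-hour login counts, the two user names, the baseline values for the event counter, interval timer, and resource measure, and the helper names are all constructed assumptions; the formulas are the ones stated in the text.

```python
"""Anderson's per-user profile score and Denning's statistical metrics.

Added example, not code from the paper, from Anderson's report or from
Denning's model. The audit data, the user names and the helper names are
constructed assumptions; the formulas are the ones the text describes:
score = sum over 24 hours of |A_i - B_i|^2, and an exception when a value
lies more than 2.58 standard deviations from its mean.
"""
import statistics

# Constructed baseline: for each user, logins per hour (index 0..23) on
# three ordinary days. Alice works 08:00-17:00, Bob 09:00-17:00.
BASELINE_DAYS = {
    "alice": [
        [0] * 8 + [3, 5, 4, 4, 1, 4, 5, 4, 2] + [0] * 7,
        [0] * 8 + [2, 4, 5, 4, 1, 3, 4, 5, 1] + [0] * 7,
        [0] * 8 + [3, 4, 4, 5, 2, 4, 4, 3, 2] + [0] * 7,
    ],
    "bob": [
        [0] * 9 + [1, 2, 2, 1, 0, 2, 2, 1] + [0] * 7,
        [0] * 9 + [1, 1, 2, 2, 0, 1, 2, 1] + [0] * 7,
        [0] * 9 + [2, 2, 1, 1, 1, 2, 1, 1] + [0] * 7,
    ],
}

# Constructed day under review: Bob's account is suddenly busy at 02:00-04:00.
TODAY = {
    "alice": [0] * 8 + [3, 4, 5, 4, 1, 4, 4, 4, 2] + [0] * 7,
    "bob": [0, 0, 6, 7, 5, 0, 0, 0, 0] + [1, 2, 2, 1, 0, 2, 2, 1] + [0] * 7,
}


def hourly_profile(days):
    """A_i: the user's mean activity in hour i over the baseline days."""
    return [statistics.fmean(hour) for hour in zip(*days)]


def anderson_score(profile, measured):
    """Anderson's variability score: sum over the 24 hours of |A_i - B_i|^2."""
    assert len(profile) == len(measured) == 24
    return sum(abs(a - b) ** 2 for a, b in zip(profile, measured))


def rank_users(baseline=BASELINE_DAYS, today=TODAY):
    """Users ordered from the most to the least variable login pattern,
    which is the list Anderson proposed a security officer should review."""
    scores = {u: anderson_score(hourly_profile(baseline[u]), today[u])
              for u in today}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def is_exception(history, x, d=2.58):
    """Denning's mean and standard deviation model with Anderson's bound:
    x is an exception if |x - mean| > d * stdev of the baseline values.
    For a roughly normal parameter 2.58 is the two-sided 99% limit, so about
    one legitimate observation in a hundred is flagged even when nothing is
    wrong: a built-in false-positive floor."""
    mu = statistics.fmean(history)
    sigma = statistics.pstdev(history)
    if sigma == 0:           # constant history: any change at all is abnormal
        return x != mu
    return abs(x - mu) > d * sigma


# Three of Denning's metric types (constructed baseline values). All three
# reduce to a list of numbers, so one statistical model serves them all.
EVENT_COUNTER = [0, 1, 0, 0, 2, 0, 1, 0, 0, 1]      # failed logins per session
INTERVAL_TIMER = [61, 58, 64, 59, 60, 63, 57, 62]   # seconds between two related events
RESOURCE_MEASURE = [1.2, 0.9, 1.4, 1.1, 1.0, 1.3]   # CPU seconds per job


if __name__ == "__main__":
    for user, score in rank_users():
        print(f"{user:6s} score={score:7.2f}")
    print("9 failed logins in one session:", is_exception(EVENT_COUNTER, 9))
    print("5 s between events:", is_exception(INTERVAL_TIMER, 5))
    print("40 CPU-s job:", is_exception(RESOURCE_MEASURE, 40.0))
```

Bob's three night-time hours, where his profile is zero, contribute 36 + 49 + 25 to his score, so he is ranked far above Alice, whose small day-to-day fluctuations add up to about 1.2. The same `is_exception` check serves all three of Denning's metric types because each is just a numeric observation compared against its own history; the constant-history branch matters in practice, since a parameter that has never varied would otherwise divide by a zero standard deviation.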

These two groundbreaking papers set the stage for future progress in intrusion detection. In 1989, Haystack Labs became the first commercial vendor of IDS tools. Among these was Stalker, a host-based, signature-based IDS (Innella). During the early 1990s, Science Applications International Corporation (SAIC) introduced the Computer Misuse Detection System (CMDS), a host-based IDS (Innella). In 1990, Todd Heberlein introduced the ideas of network-based intrusion detection and distributed IDSs (dIDS) (Innella). That same year, the Air Force's Cryptologic Support Center created the Automated Security Measurement System (ASIM), which monitors network traffic on the US Air Force's network. ASIM was designed for scalability and portability, issues that had previously held back network-based IDS products. Innella calls it the first hybrid IDS, but in a different sense from the host/network hybrid described above: it was the first to combine dedicated hardware with software (Innella). In 1994, the Wheel Group introduced NetRanger, the first commercially viable network-based IDS (Innella).

In 1998, Presidential Decision Directive 63 (PDD-63) “[set] a goal of a reliable, interconnected, and secure information system infrastructure by the year 2003” (Clinton), bringing information security into the public eye and prompting more companies to produce IDS products. Within a few years, companies such as ISS, Cisco, Symantec, and others had created their own IDS products or merged with companies that sold them (Innella).


Product Comparison

Due to the increasing concern over information security, many companies have introduced a wide variety of IDS products. Given the multitude of products on the market, this report can cover only a small portion of them. It concentrates on products from major, well-established companies and on extremely popular systems, rather than on smaller companies or on systems for specialty networks or hosts.


Cisco, one of the leading manufacturers of networking equipment, sells IDS products. The Cisco Intrusion Detection System can protect multiple network subnets simultaneously through its support for multiple sniffing interfaces, delivering up to five sensors in one. The Cisco Secure IDS Sensors incorporate user-defined responses, so that the system can automatically terminate specific connections associated with unauthorized activity; only the unauthorized traffic, from internal users or external intruders, is removed. By changing the access control lists (ACLs) of Cisco routers as soon as unauthorized activity is detected (what Cisco calls shunning), Cisco Secure IDS can dramatically improve an organization's security posture. In the terms used above it is therefore a reactive IDS, with the caveats about false positives that this entails (“Cisco Intrusion”).

In addition to the Cisco Intrusion Detection System, Cisco offers a broad family of products whose price rises with the amount of traffic they can handle. Smaller businesses can pay less for a system that handles less traffic, while larger businesses can spend more for a system that handles more. For smaller businesses, Cisco offers the Cisco Secure IDS-4210 Sensor and the Cisco IDS-4215-K9 Sensor, which handle 45 Mbps and 80 Mbps of traffic respectively. Either can be purchased for less than $8,000. Larger businesses would be more interested in the Cisco IDS-4235-K9 or the Cisco IDS-4250-TX-K9, which handle up to 200 Mbps and 500 Mbps of traffic and sell for less than $19,000 and $25,000 respectively (“Cisco Intrusion”).


Symantec, an information security company famous for its anti-virus software, produces Symantec Host IDS. Symantec Host IDS protects information assets with a library of intrusion detection signatures and includes regular signature updates from Symantec (“Enterprise”). The basic system sells for around $280 to $330 per copy (“Symantec Host”). Symantec also offers a few add-ons. ManHunt Smart Agent allows IT administrators to feed events from an IDS into ManHunt, so that the events can be monitored and analyzed from the ManHunt administration console. This add-on is available for Symantec Host IDS as well as for several other IDS products (“Symantec Announces”).


McAfee, another company famous for anti-virus software, produces McAfee IntruShield, which McAfee markets as an intrusion prevention system (IPS), that is, a reactive network IDS deployed inline. The product family includes the IntruShield 4000, 2600, and 1200, scaling from hundreds of megabits per second to multi-gigabit rates. The sensors are managed from one of two consoles: IntruShield Global Manager, for global IPS deployments of up to several hundred sensors, and IntruShield Manager, for distributed deployments of up to six sensors. Both feature virtual IPSs and an internal firewall to protect against overlapping, hybrid attacks. IntruShield also supports selective blocking of attacks, either user-initiated or automated: the sensors can selectively block malicious packets or sessions without affecting legitimate traffic, terminate offending sessions, reconfigure firewall ACLs, log packet sessions, and generate notifications by e-mail, PDA, and pager (“McAfee IntruShield 1200”).

Different products in the IntruShield family are oriented towards businesses of varying sizes. For small business use, McAfee makes the IntruShield 1400 and 1200. They handle up to 200 Mbps of traffic on up to four Fast Ethernet ports (“McAfee® IntruShield® Network”) and sell for around $6,000 to $12,000 (“McAfee IntruShield - Froogle”). Larger businesses can choose from the IntruShield 2700, 3000, 4000, and 4010, which range from 600 Mbps to 2 Gbps and have between 4 and 12 ports. Each product is available in copper and fiber versions (“McAfee® IntruShield® Network”).


Tripwire, Inc., a leader in auditing software, concentrates on two IDS products; both take the host-based approach, detecting changes to files and configuration rather than inspecting traffic. Tripwire for Servers is designed for smaller organizations. It monitors servers and desktops and allows management of thousands of installations. The system uses Secure Sockets Layer (SSL), a security protocol that supplies authentication and data encryption, to protect every communication link between the Tripwire-equipped servers and the Tripwire Manager. It also allows the user to record a “golden build” state of proper use for comparison, and it provides multi-vendor support for monitoring servers and detecting changes (“Change”). Tripwire for Servers sells for around $9,000 (“”).

Tripwire Enterprise is designed for larger organizations. It automatically directs third-party tools to restore changed systems to their trusted state immediately, and it prides itself on its thorough change archive. The system produces customizable reports and dashboards to document the effectiveness of change management processes, and it monitors “millions of elements,” including files, directories, registry settings, directory server objects, and configuration files (“Tripwire”). Tripwire Enterprise costs $3,999 for the server software plus $595 per agent and $125 per agentless device on which it is deployed (“Review”).


Enterasys Dragon is well known for its wide variety of host and network IDS products. The Dragon® Host Sensor and Web Server Intrusion Prevention determines whether content has been changed by comparing an MD5 hash of each file against the stored value. (MD5 is sufficient for catching accidental or unsophisticated modification, but collision attacks against it were public by 2004; an attacker who can influence a file's contents before the reference hash is taken can prepare a second version with the same hash, so a stronger hash function is preferable for this purpose.) It also analyzes log files or directories against a signature policy and monitors for opened TCP and UDP ports for protection against backdoor services. It detects suspicious privilege escalations and other signs of kernel-level compromise, and it provides an open and easy interface for custom module development (“Enterasys Dragon® Host”). The system costs anywhere from $540 to $625 for a single license (“Dragon”) or $47,100 for a 100-user license (“Buy”). Dragon Network Defense consists of three parts: the Dragon Security Command Console, a security information manager (SIM); the Dragon Behavioral Flow Processor; and the Dragon Behavioral Flow Sensor. Different models of the three parts can be chosen so that organizations can tailor the system to their specific needs. The system also provides a “before, during and after” view of vulnerabilities and uses a flow-based architecture for granular monitoring and data collection. Enterasys claims that, with more than 10,000 signatures and events mapped to Dragon, it detects zero-day attacks, worms, viruses, DDoS attacks, and other threats before they can spread (“Enterasys Dragon® Network”). Since signatures by definition describe known attacks, any zero-day detection must come from the behavioral flow analysis rather than from the signature set.


Sourcefire, the company founded by the creators of Snort, sells the Sourcefire 3D System and its Intrusion Sensor appliances (“SOURCEFIRE”). It provides line speeds from 3 Mbps to 4 Gbps (“SOURCEFIRE”). The hardware, software, and operating system are optimized for mission-critical applications, with a latency of approximately 100 µs (“Sourcefire Network”). Sourcefire provides protection for VoIP (“Sourcefire Network”). Sensor throughput varies between models (“SOURCEFIRE”). The models range from the IS500, with a throughput of 5 Mbps and a price tag of $3,500, to the IS5800, with a throughput of up to 8 Gbps and a cost of $78,500. (The two Sourcefire documents cited give different ends for the performance range, 3 Mbps to 4 Gbps in one and 5 Mbps to 8 Gbps in the other.)


As with any technology, there are several issues concerning IDSs that must be considered. One of the fundamental tradeoffs in security is security versus performance. As we make a system more secure, we inevitably cost it some performance, and IDSs are no exception. Even at their inception, Anderson noted that as the number of legitimate users of a system grows, the audit system logs an extremely large amount of login information, consuming system resources such as CPU time and disk storage (Anderson). If we attempt to remedy this by limiting the amount of login audit data we collect, the IDS becomes less effective, hindering security (Anderson). Network-based IDSs suffer greatly from this performance problem. During a flood-type attack (or any period of high traffic), most network-based IDSs become so busy capturing packets that they cannot analyze them quickly enough to deduce that a denial of service attack is occurring (Bace). An attack can sometimes cause the IDS to crash, rendering it ineffective. If the IDS instead drops packets in order to keep itself online, we lose security, because the dropped packets are never analyzed and anything they carried goes unseen (Ranum).


IDSs also tend to suffer from false positives (McClure). It is desirable to minimize the number of false positives, as they are extremely costly in practice: whenever an IDS generates an alert, the person responsible for receiving alerts has to respond, perhaps taking time away from other important work, so false alarms greatly reduce productivity. Because benign events vastly outnumber attacks on any real network, even a small per-event false-positive rate produces far more false alarms than true ones, which is why careful tuning matters so much. During its initial period after installation, an anomaly-based IDS has to analyze a large amount of information in order to form its baseline, often requiring extensive “training sets” of system event records in order to characterize normal behavior patterns (Bace). During this initial training phase, the IDS produces many false positives (“Understanding”). Even after training, legitimate users (and networks) often exhibit behavior which is “abnormal” (Bace). The very nature of a job may be irregular; an employee may work on a problem for varying amounts of time and at all times of day, making it very hard for the IDS to determine what normality is (Anderson). Thus, although false positives can be minimized over time, they can never be reduced to zero, and there will always be some burden on security personnel.


Besides issues with performance and false positives, several smaller issues with IDSs also exist. First, consider what happens when an IDS logs a series of invalid login attempts. Someone reviews the logs and tries to determine whether an outside attacker is attempting to break into the network. But what if a legitimate user simply mistyped his password several times? The log reviewer then sees several close mutations of a legitimate password in the audit log and may be able to deduce the actual password for an account he is not authorized to use (Anderson). The exposure comes from logging the rejected credential itself; a failed-login record should capture the account, source, and time of the failure, not the password that was tried.


Next, consider a case in which host-based IDSs are installed throughout a distributed system. They are difficult to manage, as individual differences between systems require administrators to customize each installation (Bace). Besides consuming CPU time and storage space on their host systems, they make tempting targets for attackers. Host-based IDSs are susceptible to denial-of-service attacks: because they watch application data and system calls rather than network packets, they do not see a network flood coming, and once the flood has taken the host down the agent goes with it. Once the IDS has been disabled in this way, the attacker can break into the system undetected (Bace).


Also, network-based IDSs cannot read encrypted traffic (McClure). Although they may be able to monitor the flow of packets through a network, they cannot discern the upper-layer contents of encrypted packets. If a malicious user launches an attack at the application layer over an encrypted channel, all of the packets he sends remain encrypted until they reach the application layer of the target host, so only a host-based sensor that sees the data after decryption can examine them. IDSs generally do not monitor application data as closely as system data, and they are therefore weaker at the application layer. As with a denial-of-service attack, an application-level attack may disable the IDS, leaving the computer open to compromise (Bace).


There is even some debate over whether IDSs are effective at all. All an IDS can do is tell you that you have been attacked. It cannot trace the attack back to the attacker, which would be very difficult anyway, even for the most technically skilled expert (Howarth). It cannot determine whether the attack was successful, only that it occurred (Bace). Even Anderson noted that some malicious users (particularly insiders) can be nearly impossible to detect, as they possess valid usernames and passwords and never log in at inappropriate times (Anderson).



Intrusion detection fills a needed role in network security. Most companies today have to worry more about corporate espionage and internal spies than about random outside attacks, which are much easier to detect and prevent. Anderson and Denning realized that outside attacks, internal attacks, and internal misuse could all be detected by analyzing audit log data that already existed. Because of their papers, there exists today a great variety of intrusion detection systems, all of which alert network administrators whenever something suspicious occurs that may be an attack.

Recent commercial and political interest in information security, as emphasized in PDD-63, has encouraged a commercial explosion of intrusion detection products. These products cater to a wide range of customers with different needs and different budgets. However, IDSs are by no means a panacea for network security. They provide one piece of the puzzle, a means by which to detect attacks that slip through other network defenses. Not only must they be combined with other controls, but they have their own slew of issues due to their relative infancy. We are confident, though, that future research will come up with solutions to these issues, and that IDSs will become as commonplace in networks as firewalls and backups.

Works Cited

Anderson, James P. “Computer Security Threat Monitoring and Surveillance.” History of Computer Security. 26 Feb. 1980. Computer Security Resource Center. 18 Mar. 2006 <>.

“Anomaly-based intrusion detection system.” Wikipedia: The Free Encyclopedia. 21 Aug. 2005. 14 Mar. 2006 <>.

Bace, Rebecca, and Peter Mell. “Intrusion Detection Systems.” NIST Computer Security Special Publications. Nov. 2001. National Institute of Standards and Technology. 18 Mar. 2006 <>.

“Buy Enterasys DSHSS7-100-LIC at Provantage.” Provantage. 24 Mar. 2006 <>.

“Change Auditing, Server Monitoring & Security for System Availability | Tripwire for Servers.” Tripwire. 24 Mar. 2006 <>.

“Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide.” Cisco Systems, Inc. 2004. 4 Mar. 2006 <>.

(PDD 63).” 22 May 1998. 8 Apr. 2006 <>.

“Computer insecurity.” Wikipedia: The Free Encyclopedia. 8 Apr. 2006. 10 Apr. 2006 <>.

Denning, Dorothy. “An Intrusion-Detection Model.” IEEE Trans. on Software Eng. Feb. 1987. IEEE. 18 Mar. 2006 <>.

“Dragon® Host Sensor and Web Server Intrusion Prevention - Froogle.” Froogle. 4 May 2006 <>.

“Enterasys Dragon® Host Sensor and Web Server Intrusion Prevention.” Enterasys. 24 Mar. 2006 <>.

“Enterasys Dragon® Network Defense.” Enterasys. 24 Mar. 2006 <>.

“Enterprise: Products & Services - Symantec Corp.” Symantec. 24 Mar. 2006 <>.

“Host-based intrusion-detection system.” Wikipedia: The Free Encyclopedia. 26 Jan. 2006. 14 Mar. 2006 <>.

Howarth, Fran. “Enterprises under attack - the role of intrusion prevention technologies.” IT-Director. 4 Mar. 2006 <>.

“immixTechnology - GSA Schedule Pricing.” immixTechnology. 24 Mar. 2006 <>.

Innella, Paul. “The Evolution of Intrusion Detection Systems.” SecurityFocus. 16 Nov. 2001. 29 Mar. 2006 <>.

“Intrusion Detection.” Wikipedia: The Free Encyclopedia. 3 Jan. 2006. 4 Mar. 2006 <>.

“Intrusion-detection system.” Wikipedia: The Free Encyclopedia. 6 Mar. 2006. 14 Mar. 2006 <>.

“McAfee IntruShield 1200, 1400, and 2700 Network IPS Appliances.” McAfee. 4 Mar. 2006 <>.

“McAfee IntruShield - Froogle.” Froogle. 4 Mar. 2006 <>.

“McAfee® IntruShield® Network IPS Appliances.” McAfee, Inc. 2006. 4 Mar. 2006 <>.

McClure, Stuart, and Joel Scambray. “Once-promising intrusion detection systems stumble over a myriad of problems.” InfoWorld (2005). 4 Mar. 2006 <>.

“Network intrusion detection system.” Wikipedia: The Free Encyclopedia. 31 Jan. 2006. 14 Mar. 2006 <>.

Ranum, Marcus J. “Intrusion Detection: Challenges and Myths.” Window (2002). 4 Mar. 2006 <>.

“Review: Tripwire Enterprise provides robust, intrusion reporting.” 4 Mar. 2006 <>.

“Sourcefire Network Security - Intrusion Sensor.” Sourcefire. 24 Mar. 2006 <>.

“SOURCEFIRE PRODUCT OVERVIEW: Sourcefire 3D System.” Sourcefire. 4 Mar. 2006 <>.

“Symantec Announces ManHunt Smart Agent for Symantec Host IDS.” Symantec. 24 Mar. 2006 <>.

“Symantec Host IDS - Froogle.” Froogle. 4 Mar. 2006 <>.

“ - Tripwire for Servers/Manager 4.” 24 Mar. 2006 <>.

“Tripwire Enterprise | The Premiere Change Auditing Solution for IT Infrastructure.” Tripwire. 24 Mar. 2006 <>.

“Understanding Intrusion Detection Systems.” NISCC Technical Note 19, Nov.-Dec. 2003. 18 Mar. 2006 <>.