Intrusion Detection Systems.
The increasing diversity of threats to modern IT systems calls for
novel security mechanisms that can keep up with the rapid development
pace of "attack technology". Merely patching vulnerabilities in a
system is no longer enough, as exploits are often observed in the wild
before the underlying vulnerability has been disclosed. Intrusion
detection systems (IDS) aimed at identifying various kinds of
malicious activity are thus becoming a vital instrument for
safeguarding against bleeding-edge attacks.
Machine Learning for Intrusion Detection.
The classical signature-based approach, similar to that of traditional
virus scanners, does not provide a suitable solution for detecting
novel attacks. An alternative approach based on machine learning was
developed in the project MIND, implemented from 2004 to 2006 by
Fraunhofer FIRST, Siemens AG, ITSO GmbH, SPIIRAS and idalab GmbH. The
key feature of the MIND technology is its ability to learn from
monitored network data how to differentiate between normal and
anomalous packets. The latter, more often than not, constitute attack
instances, possibly never seen before. Experiments on real network
traces of popular protocols, such as HTTP, FTP and SMTP, have
demonstrated high detection accuracy of the learning-based approach
with low false positive rates.
ReMIND: Aiming for Real-Time Capability.
Begun in 2007, the ReMIND project focuses on the techniques required
to achieve real-time capability in self-learning IDS. Apart from
technical solutions for processing speed and low memory utilization,
the goals are to make detection as close in time to the arrival of
packets as possible and to provide live feedback to existing defense
mechanisms. The methods under investigation encompass first and
foremost so-called progressive intrusion detection techniques, which
examine incoming packets as soon as a network connection is
established and decide, with increasing certainty as more data
arrives, whether the connection contains an intrusion. Furthermore,
techniques for the automatic generation of signatures are
investigated, which allow a considerable reduction of the IDS
maintenance effort. Finally, techniques for determining the
significance of a detected intrusion are explored so as to
automatically initiate suitable countermeasures.
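The following is an added illustration of the two ideas above (learning a model of normal traffic from monitored data, as in MIND, and scoring a connection progressively as its bytes arrive, as in ReMIND). It is not code from either project, and the page does not state which learning method they use; the example assumes a simple byte-3-gram model whose anomaly score is the fraction of n-grams never seen in training, a threshold of 0.2, and a minimum of 32 observed n-grams before a verdict is issued. All HTTP requests, the hypothetical "normal" traffic included, are constructed inline.

```python
"""Added example: n-gram payload anomaly model, scored progressively.

Not MIND/ReMIND code. Assumptions: byte 3-grams, novelty = fraction of
unseen 3-grams, threshold 0.2, at least 32 3-grams before deciding.
"""
from collections import Counter

N = 3  # assumed n-gram length


def ngrams(data: bytes, n: int = N):
    """Yield every overlapping byte n-gram of data."""
    return (data[i:i + n] for i in range(len(data) - n + 1))


class NGramModel:
    """Profile of normal traffic: which byte n-grams occurred, and how often."""

    def __init__(self, n: int = N):
        self.n = n
        self.counts = Counter()

    def train(self, samples):
        for s in samples:
            self.counts.update(ngrams(s, self.n))

    def novelty(self, data: bytes) -> float:
        """Fraction of n-grams in data that never occurred in training."""
        grams = list(ngrams(data, self.n))
        if not grams:
            return 0.0
        return sum(1 for g in grams if g not in self.counts) / len(grams)


class ProgressiveDetector:
    """Scores one connection chunk by chunk.

    feed() returns None while undecided and "attack" once the running novelty
    reaches the threshold after at least min_grams n-grams (the certainty
    requirement); finish() returns "benign" if the connection ended undecided.
    """

    def __init__(self, model, threshold=0.2, min_grams=32):
        self.model, self.threshold, self.min_grams = model, threshold, min_grams
        self.carry = b""   # last n-1 bytes, so n-grams can span chunk boundaries
        self.grams = self.unseen = self.bytes_seen = 0
        self.verdict = None

    def running_novelty(self) -> float:
        return self.unseen / self.grams if self.grams else 0.0

    def feed(self, chunk: bytes):
        if self.verdict:
            return self.verdict
        self.bytes_seen += len(chunk)
        data = self.carry + chunk
        for g in ngrams(data, self.model.n):
            self.grams += 1
            if g not in self.model.counts:
                self.unseen += 1
        self.carry = data[-(self.model.n - 1):] if self.model.n > 1 else b""
        if self.grams >= self.min_grams and self.running_novelty() >= self.threshold:
            self.verdict = "attack"
        return self.verdict

    def finish(self) -> str:
        if self.verdict is None:
            self.verdict = "benign"
        return self.verdict


def classify_connection(model, payload: bytes, chunk_size=16, **kw):
    """Replay payload in chunk_size pieces and stop at the first verdict.

    Returns (verdict, bytes consumed before deciding, running novelty).
    """
    det = ProgressiveDetector(model, **kw)
    for i in range(0, len(payload), chunk_size):
        if det.feed(payload[i:i + chunk_size]):
            break
    return det.finish(), det.bytes_seen, round(det.running_novelty(), 3)


# Constructed sample traffic (not real traces); all requests share one header block.
HEADERS = (b"\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
           b"Accept: */*\r\n\r\n")


def request(path: bytes) -> bytes:
    return b"GET " + path + b" HTTP/1.1" + HEADERS


NORMAL_TRAFFIC = [request(p) for p in (
    b"/index.html", b"/index.html?id=42", b"/docs/index.html",
    b"/faq.html", b"/images/logo.png", b"/about.html")]
MODEL = NGramModel()
MODEL.train(NORMAL_TRAFFIC)

BENIGN = request(b"/docs/faq.html")                 # unseen path, familiar pieces
ANOMALOUS = request(b"/index.html?id=" + b"A" * 200)  # constructed oversized parameter

if __name__ == "__main__":
    for name, conn in (("benign", BENIGN), ("anomalous", ANOMALOUS)):
        print(name, "full-payload novelty", round(MODEL.novelty(conn), 3),
              "progressive:", classify_connection(MODEL, conn))
```

The progressive detector flags the anomalous request after three 16-byte chunks (48 bytes of a roughly 290-byte request), while the benign request is consumed in full and never crosses the threshold. The min_grams guard is what keeps the first chunk or two from producing a verdict on too little evidence; in practice both it and the threshold would be set from the false-positive rate measured on held-out normal traffic.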

