Detection of Intrusion Across Multiple Sensors

We have been developing an architecture for reasoning with multiple sensors distributed on a computer network, linking them with analysis modules, and reasoning with the results to combine evidence of possible intrusion for display to the user. The architecture, called MAITA, consists of monitors distributed across machines and linked together under control of the user and supported by a “monitor of monitors” that manages the interaction among the monitors. This architecture enables the system to reason about evidence from multiple sensors. For example, a monitor can track FTP logs to detect password scans followed by successful uploads of data from foreign sites. At the same time it can monitor disk use and detect significant trends. A monitor can then combine the evidence in the sequence in which it occurs and present evidence to the user that someone has successfully gained write access to the FTP site and is occupying significant disk space. This paper discusses the architecture enabling the creation, linking, and support of the monitors. The monitors may be running on the same or different machines and so appropriate communication links must be supported as well as regular status checks to ensure that monitors are still running. We will also discuss the construction of monitors for sensing the data, abstracting and characterizing data, synchronizing data from different sources, detecting patterns, and displaying the results.