VenusIDS: An Active Database Component for Intrusion Detection

Active-databases are a budding technology where rule-based expert systems can be developed in tight integration with database management systems. This paper presents VenusIDS: an active database component of the Network Exploitation Detection Analyst Assistant (NEDAA) developed as an enhancement to the analysis layer of a two-layer distributed network intrusion detection system using the VenusDB active database system. The layers consist of a network layer and an analysis layer. The network layer contains probes on each subnetwork that sniff network traffic and forward interesting packets in real time to a central Oracle database. The analysis layer comprises this central database and the mechanism to identify and report intrusions. For active-database technology to form an effective basis for intrusion detection, it must be capable of processing network events at least as fast as the network probes produce and log them. Our performance results show that VenusIDS is more than fast enough to handle this rate. Further, VenusIDS is scalable in the number of rules and size of the underlying database. As context for the VenusIDS component, we begin by describing the application architecture and the VenusDB system, with emphasis on the particular features that are important to distributed intrusion detection. We follow that with a description of the VenusIDS component and its performance profile that enables near real time intrusion detection. We conclude with a discussion of future topics for active-database analysis layers. * This work was funded under Contracts N00039-D-0051,Task Order No. 0293 and Task Order No. 0273.