Active Filtering and Adaptive Reconfiguration Technologies for Real Time Intrusion Detection in High Speed Data Streams

Period of Performance: 08/07/2000 - 08/07/2000

$730K

Phase 2 SBIR

Recipient Firm

Scientific Systems Company, Inc.
500 West Cummings Park Array
Woburn, MA 01801
Principal Investigator
Principal Investigator

Abstract

The overall objective of the proposed Phase II effort is the development and evaluation of a Reconfigurable Intrusion Detection System (RIDS) for real time operation in high-speed data streams (OC-12 and above). The Phase I effort developed and validated a comprehensive cost model for designing real time intrusion detection systems, which capture the design trade-offs involving the computational time of the detection rules, the accuracy of the rules, the hostility level of the environment and the damage costs/false alarm costs of the attacks. The development of RIDSs in Phase II combines: (1) advances in algorithm design centered on optimization theory, allowing for the adaptive reconfiguration of the intrusion detection rule sets; (2) the ability of performing firewall-like actions (active filtering) based on the cost model; (3) communication with SNMP-based Network Management Systems (NMSs), for exchange of parameters related to the cost model; (4) hardware implementation for operation at Gigabitps speeds. Georgia Tech will provide support in algorithm design and evaluation at the 100 Mbitps range. MCNC will lead the project tasks related to demonstrating the scalability of the algorithms into the OC-12 and above range. Aprisma Management Technologies (manufacturer of the SPECTRUM NMS suite) will support the integration and commercialization of the Reconfigurable Intrusion Detection System and the SPECTRUM NMS suite. Protecting institutional networks from attacks accounts for about 25 billion US dollars each year. It is estimated that 95 percent of the DoD communications pass through the National Information Infrastructure (NII) at some point. The proposed technology has the potential to provide the NII with a robust, real time defense line against general classes of security violations against its backbone and high-speed links.