EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances
by Dr. Peter Neumann & Phillip Porras.
From 1997 National Information Systems Security Conference. October, 1997.
Abstract
The EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances) environment is a distributed, scalable tool suite for tracking malicious activity through and across large networks. EMERALD introduces a highly distributed, building-block approach to network surveillance, attack isolation, and automated response. It combines models from research in distributed high-volume event-correlation methodologies with over a decade of intrusion detection research and engineering experience. The approach is novel in its use of highly distributed, independently tunable surveillance and response monitors that are deployable polymorphically at various abstract layers in a large network. These monitors contribute to a streamlined event-analysis system that combines signature analysis with statistical profiling to provide localized real-time protection of the most widely used network services on the Internet. Equally important, EMERALD introduces a recursive framework for coordinating the dissemination of analyses from the distributed monitors to provide a global detection and response capability that can counter attacks occurring across an entire network enterprise. Further, EMERALD introduces a versatile application programmers' interface that enhances its ability to integrate with heterogeneous target hosts and provides a high degree of interoperability with third-party tool suites.
BibTeX Entry
@inproceedings{emerald-niss97,
AUTHOR = {Phillip {A.} Porras and Peter {G.} Neumann},
TITLE = {{EMERALD:} Event Monitoring Enabling Responses to Anomalous Live Disturbances},
BOOKTITLE = {1997 National Information Systems Security Conference},
YEAR = {1997},
MONTH = {oct},
URL = {http://www.csl.sri.com/papers/emerald-niss97/}
}