Abstract
An intrusion into an information system tries to compromise the security of that system. Intrusion Detection Systems (IDSs) attempt to detect these intrusions. This paper discusses what an IDS requires from the target information system and how the IDS detects intrusions into it. Specifically, we describe the architecture of a distributed host-based IDS developed at the Information and Systems Assurance Laboratory, Arizona State University. At each host machine in the information system we install an event data collector that collects and filters event data from that host. The Centralized IDS Server receives the processed data and sends them to Individual Technique Servers. These Individual Technique Servers use different intrusion detection algorithms covering both anomaly detection techniques and signature recognition techniques. Each Individual Technique Server determines an intrusion warning (IW) level for each event. The Centralized IDS Server then integrates the IW levels from the Individual Technique Servers into a composite IW level and provides it to the security administrator.
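The data flow the abstract describes (per-host collector filters events, the Centralized IDS Server fans them out to one anomaly-based and one signature-based Individual Technique Server, and the individual IW levels are integrated into a composite level) can be modelled end to end in a few dozen lines. The following is an added illustration written for this page, not the paper's own code: the sample events, the training profile, the signature list, the 0.0-1.0 IW scale and the integration rule (maximum of the individual levels) are all assumptions chosen to make the pipeline concrete.

```python
"""Toy model of a distributed host-based IDS pipeline (illustrative, not the paper's code).

Host collectors filter raw events; a central server forwards each surviving event to
every technique server, collects one IW level per server, and integrates them.
IW scale (0.0 = benign, 1.0 = certain intrusion) and the max-based integration
rule are assumptions for this example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    action: str   # e.g. "login", "exec", "read"
    target: str   # e.g. a program path, file path or device


# Constructed sample events, as host collectors might capture them.
RAW_EVENTS = [
    Event("host-a", "alice", "login", "console"),
    Event("host-a", "alice", "read", "/home/alice/notes.txt"),
    Event("host-a", "alice", "heartbeat", "agent"),     # agent noise, filtered out
    Event("host-a", "alice", "exec", "/usr/bin/ls"),
    Event("host-b", "bob", "exec", "/usr/bin/nc"),      # hits a constructed signature
    Event("host-b", "bob", "read", "/etc/shadow"),      # hits a constructed signature
    Event("host-b", "svc", "heartbeat", "agent"),       # agent noise, filtered out
]

# Constructed "normal behaviour" profile used to train the anomaly server.
TRAINING_EVENTS = [
    Event("host-a", "alice", "login", "console"),
    Event("host-a", "alice", "read", "/home/alice/todo.txt"),
    Event("host-a", "alice", "exec", "/usr/bin/vim"),
    Event("host-b", "bob", "login", "console"),
]


class EventDataCollector:
    """Per-host collector: keeps only this host's events and drops known noise."""
    IGNORED_ACTIONS = {"heartbeat"}

    def __init__(self, host: str):
        self.host = host

    def collect(self, events: List[Event]) -> List[Event]:
        return [e for e in events
                if e.host == self.host and e.action not in self.IGNORED_ACTIONS]


class AnomalyTechniqueServer:
    """Anomaly detection: a (user, action) pair absent from the training profile
    is rated suspicious (0.6); a pair seen in training is rated normal (0.0)."""
    def __init__(self, training: List[Event]):
        self.profile = Counter((e.user, e.action) for e in training)

    def iw_level(self, e: Event) -> float:
        return 0.0 if self.profile[(e.user, e.action)] else 0.6


class SignatureTechniqueServer:
    """Signature recognition: exact (action, target) matches against a constructed
    signature table, each carrying its own IW level."""
    SIGNATURES = {("exec", "/usr/bin/nc"): 0.8, ("read", "/etc/shadow"): 0.9}

    def iw_level(self, e: Event) -> float:
        return self.SIGNATURES.get((e.action, e.target), 0.0)


class CentralizedIDSServer:
    """Fans each event out to all technique servers and integrates their IW levels.
    Integration rule here: the maximum individual level (an assumption)."""
    def __init__(self, techniques):
        self.techniques = techniques

    def composite_iw(self, e: Event) -> float:
        return max(t.iw_level(e) for t in self.techniques)

    def process(self, events: List[Event]) -> List[Tuple[Event, float]]:
        return [(e, self.composite_iw(e)) for e in events]


def run_pipeline(raw: List[Event] = RAW_EVENTS,
                 training: List[Event] = TRAINING_EVENTS) -> List[Tuple[Event, float]]:
    """Collectors -> Centralized IDS Server -> technique servers -> composite IW."""
    collectors = [EventDataCollector(h) for h in sorted({e.host for e in raw})]
    filtered = [e for c in collectors for e in c.collect(raw)]
    server = CentralizedIDSServer([AnomalyTechniqueServer(training),
                                   SignatureTechniqueServer()])
    return server.process(filtered)


if __name__ == "__main__":
    for event, iw in run_pipeline():
        print(f"{event.host} {event.user:6} {event.action:6} {event.target:24} IW={iw:.1f}")
```

In this model the heartbeat events never leave the host, alice's activity scores 0.0 because both servers consider it normal, and bob's two events reach the administrator at 0.8 and 0.9 because the signature server's level dominates the anomaly server's 0.6 under the max rule. Swapping the integration rule (weighted sum, voting) is a one-line change in `CentralizedIDSServer.composite_iw`, which is exactly the kind of design choice the paper's composite IW level leaves open.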