DIDS (Distributed Intrusion Detection System) - Motivation, Architecture, and An Early Prototype

Steven R. Snapp[1], James Brentano[2], Gihan V. Dias, Terrance L. Goan, L. Todd Heberlein, Che-Lin Ho, Karl N. Levitt, Biswanath Mukherjee, Stephen E. Smaha[1], Tim Grance[3], Daniel M. Teal[3], and Doug Mansur[4]

Computer Security Laboratory
Division of Computer Science
University of California, Davis
Davis, California 95616

ABSTRACT

Intrusion detection is the problem of identifying unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators. The proliferation of heterogeneous computer networks has additional implications for the intrusion detection problem: the increased connectivity of computer systems gives greater access to outsiders and makes it easier for intruders to avoid detection. IDSs are based on the belief that an intruder's behavior will be noticeably different from that of a legitimate user. We are designing and implementing a prototype Distributed Intrusion Detection System (DIDS) that combines distributed monitoring and data reduction (through individual host and LAN monitors) with centralized data analysis (through the DIDS director) to monitor a heterogeneous network of computers. This approach is unique among current IDSs. A main problem considered in this paper is the Network-user Identification problem, which is concerned with tracking a user moving across the network, possibly with a new user-id on each computer. Initial system prototypes have provided quite favorable results on this problem and on the detection of attacks on a network. This paper provides an overview of the motivation behind DIDS, the system architecture and capabilities, and a discussion of the early prototype.
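The Network-user Identification problem named in the abstract, worked through as an added illustration (this is not DIDS code and not the paper's own algorithm): constructed host-monitor events for console logins, outbound connections and network logins are correlated by the connection 4-tuple (source host, source port, destination host, destination port), so that a user who hops from host to host under different user-ids keeps one network identifier. The Event format, the host names and the NID labels are assumptions made for this example. A login whose connection has no matching record from a monitored host is given a fresh identifier, which is exactly the blind spot that unmonitored hosts (those without audit trails) create.

```python
"""Simplified illustration of the Network-user Identification (NID) problem.

Added example, not the DIDS implementation: the event format, host names
and NID labels below are assumptions.  Constructed host-monitor events are
correlated so that a user moving across hosts, possibly with a different
user-id on each, is tracked under a single network identifier.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    time: int
    kind: str                        # "login" or "connect" (assumed event kinds)
    host: str                        # monitored host that reported the event
    user: str                        # local user-id on that host
    src_host: Optional[str] = None   # login: where the session came from; None = console/dial-up
    src_port: Optional[int] = None   # login: remote source port; connect: local source port
    dst_host: Optional[str] = None   # connect: remote host being contacted
    dst_port: Optional[int] = None   # service port (telnet 23, rlogin 513, ...)


Flow = Tuple[str, Optional[int], str, Optional[int]]


def track_network_users(events: List[Event]) -> Dict[Tuple[str, str], str]:
    """Map each (host, user) to a network identifier (NID).

    A console/dial-up login starts a new NID.  An outbound connection
    reported by a monitored host is remembered under its flow 4-tuple; a
    login on the destination host whose 4-tuple matches inherits the NID of
    the originating user.  A login with no matching connect record (the
    source host is unmonitored) gets a fresh NID: the chain is broken there.
    """
    nids: Dict[Tuple[str, str], str] = {}
    pending: Dict[Flow, str] = {}
    counter = 0

    def new_nid() -> str:
        nonlocal counter
        counter += 1
        return f"NID-{counter}"

    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.host, ev.user)
        if ev.kind == "connect":
            # The originator should already have a NID; if its login was
            # never seen, start one here rather than lose the connection.
            if key not in nids:
                nids[key] = new_nid()
            flow: Flow = (ev.host, ev.src_port, ev.dst_host, ev.dst_port)
            pending[flow] = nids[key]
        elif ev.kind == "login":
            if ev.src_host is None:          # console or dial-up: a new network user
                nids[key] = new_nid()
                continue
            flow = (ev.src_host, ev.src_port, ev.host, ev.dst_port)
            # Inherit the originator's NID if a monitored host reported the
            # matching connect; otherwise the source is unmonitored.
            nids[key] = pending.pop(flow, None) or new_nid()
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return nids


def sessions_by_nid(nids: Dict[Tuple[str, str], str]) -> Dict[str, List[Tuple[str, str]]]:
    """Invert the mapping: every (host, user) pair seen under each NID."""
    grouped: Dict[str, List[Tuple[str, str]]] = {}
    for key, nid in nids.items():
        grouped.setdefault(nid, []).append(key)
    return grouped


# Constructed sample: alice logs in at the console of hostA, telnets to hostB
# as bob, rlogins from there to hostC as root.  Separately, carol logs in to
# hostC from "outside", a host that has no monitor and reports no events.
SAMPLE_EVENTS = [
    Event(1, "login", "hostA", "alice"),
    Event(2, "connect", "hostA", "alice", src_port=1023, dst_host="hostB", dst_port=23),
    Event(3, "login", "hostB", "bob", src_host="hostA", src_port=1023, dst_port=23),
    Event(4, "connect", "hostB", "bob", src_port=1022, dst_host="hostC", dst_port=513),
    Event(5, "login", "hostC", "root", src_host="hostB", src_port=1022, dst_port=513),
    Event(6, "login", "hostC", "carol", src_host="outside", src_port=4000, dst_port=23),
]

if __name__ == "__main__":
    for nid, sessions in sorted(sessions_by_nid(track_network_users(SAMPLE_EVENTS)).items()):
        print(nid, " -> ".join(f"{user}@{host}" for host, user in sessions))
```

Running the sample chains alice@hostA, bob@hostB and root@hostC under one identifier, while carol@hostC receives a second one because nothing on the network vouched for where her session came from; the same matching would hold with the real source ports a LAN monitor observes, which is why the paper pairs host monitors with a LAN monitor rather than relying on host audit trails alone.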
1. Introduction

Intrusion detection is defined to be the problem of identifying individuals who are using a computer system without authorization (i.e., crackers) and those who have legitimate access to the system but are exceeding their privileges (i.e., the insider threat). Work is being done elsewhere on Intrusion Detection Systems (IDSs) for a single host [10, 11, 8] and for several hosts connected by a network [7, 6, 12]. Our own earlier work on the Network Security Monitor (NSM) concentrated on monitoring a broadcast Local Area Network (LAN) [3].

The proliferation of heterogeneous computer networks has serious implications for the intrusion detection problem. Foremost among these is the increased opportunity for unauthorized access provided by the network's connectivity. This problem is exacerbated when dial-up or internetwork access is allowed, as well as when unmonitored hosts (viz. hosts without audit trails) are present. The use of distributed rather than centralized computing resources also implies reduced control over those resources. Moreover, multiple independent computers are likely to generate more audit data than a single computer, and this audit data is dispersed among the various systems. Clearly, not all of the audit data can be forwarded to a single IDS for analysis; some analysis must be

[1] Haystack Laboratories, Inc., 8920 Business Park Dr, Suite 270, Austin, TX 78759
[2] Pacific Gas and Electric Company, 77 Beale St, Room 1871B, San Francisco, CA 94106
[3] United States Air Force Cryptologic Support Center, San Antonio, TX 78243
[4] Lawrence Livermore National Labs, Livermore, CA 94550