Walter Heimerdinger

Information modeling for intrusion report aggregation

The paper describes the SCYLLARUS approach to fusing reports from multiple intrusion detection systems (ID-Ses) to provide an overall approach to intrusion situation awareness. The overall view provided by SCYLLARUS centers around the sites security goals, aggregating large numbers of individual IDS reports based on their impact. The overall view reduces information overload by aggregating multiple IDS reports in a rep-down view; and by reducing false positives by weighing evidence provided by multiple ID-Ses and other information sources. Unlike previous efforts in this area, SCYLLARUS is centered around its intrusion reference model (IRM). The SCYLLARUS IRM contains both dynamic and static (configuration) information. A network entity/relationship database (NERD), providing information about the sites hardware and software; a security goal database, describing the sites objectives and security policy; and an event dictionary, describing important events, both intrusions and benign; comprise the static portion of the IRM. The set of IDS reports; the events SCYLLARUS hypothesizes to explain them; and the resulting judgment of the state of site security goals comprise the dynamic part of the IRM.

Scyllarus intrusion detection report correlator and analyzer

Scyllarus is technology developed in the Argus project, part of the DARPA Cyber Panel program. Scyllarus uses a dynamic evidence aggregator (DEA) to combine results from multiple intrusion detectors to reduce the false alarm rate and decrease the time required to detect an intrusion. This technology includes Bayesian estimation networks and a calculus based on qualitative probability. The DEA relies upon a knowledge base called the Intrusion Reference Model, containing information about the protected network, its configuration, installed intrusion detection systems (IDSs), and related security goals.

DCT — A testbed approach to distributed systems research

The rationale and conceptual design 1s presented for the Distributed Computer Testbed (DCT), currently being developed at Honeywells Systems and Research Center. The DCT 1s a highly reconfigurable and Instrumented tool that will allow experimentation 1n a variety of distributed computing areas, ranging from performance evaluation of media access protocols to concept validation of distributed fault-tolerance strategies. Work 1s continuing on the detailed design and Implementation of DCT.

Architectural Considerations in Interfacing a Parallel Processor to the Air Traffic Control System

Interfacing of parallel processors and other special purpose computers to a general purpose host is a very important consideration in effectively using these processors. This paper describes how a parallel processor configuration is connected to a host machine, in this case an ARTS III(a) multiprocessor system. The constraints leading to the configuration are first presented. Then we give descriptions of the matched hardware and software interfaces which ensure that the full capabilities of the processors can be utilized and that the cost and risk of developing the system is minimized. This paper presents only one experience in designing a parallel processor to host computer interface, but some of the considerations encountered in this experience will be applicable to other such interface attempts.