ID_tools
Program | Manufacturer | O/S | Program Type | Web Site | Program Description | COTS or GOTS | Network or Host Based
AID (Adaptive Intrusion Detection system) | Michael Sobirey, Birk Richter | UNIX | Rules Based | http://www-rnks.informatik.tu-cottbus.de/~sobirey/aid.e.html | AID has a client-server architecture consisting of a central monitoring station and several agents (servers) on the monitored hosts. The agents take the audit data collected by the local audit functions and convert them into an operating-system-independent data format. The audit data are then transferred to the central monitoring station and analyzed by an RTworks-based real-time expert system. The security officer can access the relevant monitoring capabilities and generate security reports via a graphical user interface. The AID prototype supports Solaris 2.X. | N/A | Multihost
AIMS | US Army | UNIX | unknown | Not Available | Automated Intrusion Monitoring System. In development since June 1995 for the US Army, AIMS is intended to provide local and "theater-level" monitoring of computer attacks. The system is currently installed at the Army's 5th Signal Command in Worms, Germany, and will be used to monitor Army computers scattered throughout Europe. | N/A | unknown
ALVA | Abha Moitra, General Electric | Solaris | Statistical | http://cs-www.ncsl.nist.gov/tools/tools.htm | Audit Log Viewer and Analyzer. A real-time tool for detecting potential security violations in UNIX audit logs. The system gains some platform independence by analyzing command logs that are precomputed from the system audit logs: a command log is a record of the user-initiated commands, reconstructed from the system-call events recorded in the audit log. A simple profile based on command, success/failure, frequency of occurrence and the domain of the target files defines a baseline of normal behavior for each user. A single penalty value is kept per user; when it crosses a predefined threshold, ALVA reacts by contacting the security administrator and increasing the auditing level for that user. ALVA was developed to run in a C2 security level environment. | N/A | Host
ASAX | Abdelaziz Mounji | Unix, Solaris 2.x | Rules Based | http://cs-www.ncsl.nist.gov/tools/tools.htm | A package that allows you to analyze any form of audit trail by customizing the format description of your trail. Analyzing substantial amounts of data and extracting relevant information out of huge sequential files has always been a nightmare; ASAX simplifies the intelligent analysis of sequential files, and its real power lies in its embedded, easy-to-use rule-based language RUSSEL. Download from the COAST FTP site at ftp://coast.cs.purdue.edu/pub/tools/unix/asax | N/A | Host
ASIM | AFIWC and Trident Systems | Solaris 2.5 | Rules Based | Not Available | Automated Security Incident Measurement. Monitors network traffic and collects information on targeted unit networks by detecting unauthorized network activity. Real-time alarming is implemented as a pop-up window under the X Window System. ASIM can also detect one Network Layer activity: SATAN scans. | GOTS | Network
Autonomous Agents for Intrusion Detection | COAST Lab, Purdue Univ. | UNIX, Solaris 2.x | unknown | http://www.cs.purdue.edu/coast/projects/autonomous-agents.html | Current project at COAST by Mark Crosbie and Eugene Spafford. Available to COAST sponsors; contact COAST for further details. | N/A | Multihost
CMDS | SAIC | Solaris 2.5, HP/UX, DG/UX, AIX | Rules Based | http://www.saic.com | Computer Misuse Detection System. A real-time audit reduction and alerting system that uses an expert system and statistical profiling to analyze audit records, with both core and customized attack signatures. One CMDS Analyst Toolkit is required for every 300 targets (workstations). | COTS | Multihost
ComputerWatch | AT&T Bell Labs | System V/MLS | Rules Based | http://www.bell-labs.com | The ComputerWatch Audit Trail Analysis Tool was developed by the Secure Systems Department at AT&T Bell Laboratories. It provides audit trail data reduction and limited intrusion detection capability, and is designed to assist the system security officer by reducing the amount of data he or she must view without losing any informational content. | COTS | Host
CSM (Cooperating Security Manager) | Gregory White, Eric Fisch, Udo Pooch | UNIX | Rules Based, Statistical | Not Available | An intrusion detection system designed for a distributed network environment. Developed at Texas A&M, it runs on UNIX-based systems connected to a network of any size. The goal of CSM is to detect intrusive activity in a distributed environment without a centralized director, since a central director coordinating all activity severely limits the size of the network. Instead of reporting significant network activity to a central director, the CSMs communicate among themselves to cooperatively detect anomalous activity. | N/A | Network
Cybercop | Network General Corp. | System comes with Server and Sensors | Rules Based | http://www.ngc.com | Network-based anomaly and misuse detection using real-time surveillance of network traffic. Recognizes over 170 kinds of network- and host-based intrusions. Designed with the help of WheelGroup, the developers of NetRanger. | COTS | Network
DIDS (Distributed Intrusion Detection System) | University of California, Davis; LLNL | SunOS 4.1.1 or later | Rules Based, Statistical | http://olympus.cs.ucdavis.edu/papers/sbd91.abs | A distributed intrusion detection system that aggregates audit reports from a collection of hosts on a single network. Unique to DIDS is its ability to track a user as he establishes connections across the network. Possibly only available to the U.S. Air Force. | N/A | Network
Discovery | TRW Information Services | Unknown | Statistical | Not Available | Discovery searches for frequently occurring customer-service access patterns to develop a "user profile" of customer inquiries. Daily customer inquiries are analyzed for error-free inquiries, which are compared with the established customer profiles. Records which fall within acceptable bounds (using a weighted algorithm) are dropped from further processing; all records outside these bounds are recorded for further processing and an error rejection message is displayed. Utilizes a self-learning, data-driven expert system for pattern recognition. Capable of reviewing 400,000 inquiries per day from a potential base of 120,000 customer access codes. | N/A | Host
Emerald | SRI International | unavailable | Rules Based | http://www.csl.sri.com/emerald/index.html | Monitors large distributed systems and networks. Intended to detect local attacks and coordinated attacks such as distributed denial of service or repeated patterns of attack. Uses highly distributed, independently tunable surveillance and response monitors that are deployable polymorphically at various abstract layers in a large network. Funding support for this research is provided by DARPA. Emerald will be the successor system to NIDES. | COTS | Network
eNTrax | Centrax Corp. | NT | Rules Based | http://www.centraxcorp.com | ENTRAX is the first comprehensive security detection and response product focused on the Windows NT centered information enterprise. Like the motion detectors and video cameras connected to a warehouse's central guard station, ENTRAX monitors, detects and responds to attacks on the corporate enterprise and to potential misuse of the valuable information assets it maintains. ENTRAX can detect specific misuse on your network through event log analysis, periodic configuration assessment and configuration compliance. Misuse patterns (also known as attack signatures), statistical trending profiles and profile deviations are used to alert you to many types of intrusion. Attack signatures include attack anticipation, log-in violations, hacker attempts, browsing of files, file access violations and privilege abuse. | COTS | Host
Flight Jacket | Anzen | Solaris, BSD | Rules Based | http://www.anzen.com/products/nfr/base-flightjacket.html | The Anzen Flight Jacket Base NFR(TM) Network Monitoring System is an integrated software package containing the Network Flight Recorder (NFR) network monitoring technology, secure server and client software from DataFellows, and BSDI operating system security enhancements. Included in the current base release is a set of pre-programmed NFR packages for network monitoring, operational analysis and intrusion detection. | COTS | Network
GrIDS | UC Davis | Unix | Rules Based | http://olympus.cs.ucdavis.edu/arpa/grids/welcome.html | Graph-based Intrusion Detection System. GrIDS is designed to detect large-scale automated attacks on networked systems. In development, funded by ARPA. | N/A | Network
GUARDIAN | DataLynx Inc. | Most UNIX platforms | unknown | http://www | GUARDIAN has rapidly become the de facto standard in UNIX account and access control software, supporting most popular versions of UNIX with a common and intuitive interface across all platforms. Features include a Motif-based GUI with on-line help for creating and maintaining user accounts. GUARDIAN provides multi-tiered assignment of security privileges by allowing the system administrator to grant password-change authority to a designated password manager, and to selectively grant 'security manager' and 'network manager' privileges to specified accounts for executing the GUARDIAN menu programs and updating accounts on remote hosts or domains. | COTS | unknown
ID-Trak | Internet Tools, Inc. | Win NT | Rules Based | http://www.internettools.com | ID-Trak is a network-based intrusion detection system developed to protect enterprise-specific mission-critical resources from internal or external intruders. A patent-pending technique called Stateful Dynamic Signature Inspection (SDSI) is employed to monitor attack signatures. A knowledge base of over 200 attack signatures is currently distributed with ID-Trak; new attack signatures can be added to the knowledge base and existing ones customized in real time. | COTS | Network
IDIOT | Purdue University | unknown | Rules Based | http://www.cs.purdue.edu/coast/coast-tools.html | Intrusion Detection In Our Time. A demonstration implementation of IDIOT is available under a no-cost, limited-use license. Contact spaf@cs.purdue.edu | N/A | Host
INTOUCH INSA Network Security Agent | Touch Technologies, Inc. | N/A | Rules Based, Anomaly | http://www.ttisms.com/tti/nsa_www.html | A complete, turn-key package delivered with a high-speed 64-bit RISC system. It is a network surveillance tool that continuously scans user sessions for noteworthy or suspicious activity: the system reads all network packets, reconstructs all user activity and scans it for possible computer-use policy violations. It is basically a network sniffer. | COTS | Network
Intruder Alert 3.1 | Axent Technologies | Win NT, UNIX | Rules Based | http://www.axent.com | Intruder Alert 3.x is a real-time, rule-based, centralized host detection system which monitors audit trails throughout distributed computing platforms. Currently deployed at Fortune 1000 facilities, it detects potentially hostile or anomalous "footprints" left behind in the audit trails and classifies and responds to those footprints based on the rules configured by security administrators. Intruder Alert detects intruders by rule or by exception: it is a rules engine that processes the inputs it receives based on rules applied to the systems it monitors. Some rules look for a specific sequence of events (a "footprint"); if a footprint is detected, Intruder Alert can be programmed to respond, send notifications and, in some cases, fend off the attack before extensive damage occurs. | COTS | Host
ISOA (Information Security Officer's Assistant) | Planning Research Corp. | unknown | Rules Based, Anomaly | Not Available | PRC's Information Security Officer's Assistant is a system for monitoring security-relevant behavior in computer networks. The ISOA serves as the central point for real-time collection and analysis of audit information; when an anomalous situation is identified, the associated indicators are triggered. The ISOA automates analysis of audit trails so that indications and warnings of security threats can be generated in time for the threats to be countered, allowing a single designated workstation to perform automated security monitoring, analysis and warning. | N/A | Multihost
JIDS | Lawrence Livermore National Lab | unknown | unknown | Not Available | Joint Intrusion Detection System. JIDS is a project that combines the best features of NSM (Network Security Monitor) and ASIM (Automated Security Incident Measurement). Although differences exist between the three systems, they have substantially the same capabilities. JIDS can detect three Network Layer attacks: SATAN scans, TCP SYN attacks and IP port scanning. It has both command-line and X user interfaces; configuration is done by editing files with a Unix editor. | unknown | Network
Kane Security Monitor | Intrusion Detection, Inc. | Windows NT, Novell NetWare | Rules Based | http://www.instrusion.com | Analyzes the network to establish an average baseline, compares activity against that baseline and notifies on out-of-normal activity. Also uses rules for known attacks, including denial of service. | COTS | Network
NADIR | Los Alamos National Labs | Unix-based | Rules Based | http://www.c3.lanl.gov/~gslentz/nadirTemplate.shtml | Network Anomaly Detection and Intrusion Reporter. NADIR is a rules-based expert system that automatically detects intrusion attempts and other security anomalies on the laboratory's large supercomputer network. Large computing networks generate huge logs of security-relevant activity, and analysis and correlation of significant incidents is impossible using manual techniques; NADIR is designed to automate the detection of security incidents. A client-server model is used, with Unix-based workstations running Sybase. The technology is currently being applied to fraud detection in electronic tax return filing for the IRS, and in the commercial sector to credit card fraud detection. | GOTS | Host
NetRanger | WheelGroup Corp. | Solaris 2.5.1 | Rules Based | http://www.wheelgroup.com/netrangr/1netrang.html | NetRanger provides large-scale, real-time network security visibility for an enterprise. The system consists of two elements: the NetRanger Sensor, located at each network connection to be monitored, and a centrally located NetRanger Director. It provides real-time reactions to an attack or a real-time alarm. Sensor stations require a Pentium Pro 200 with Solaris x86 or an UltraSPARC running Solaris 2.5.1; Director stations should be HP 725/100 or Sun Ultra machines. HP OpenView and Oracle licenses are strongly recommended. | COTS | Network
NetStalker | Haystack Labs, Inc. | Unknown | Rules Based | http://www.haystack.com/netstalk.htm | NetStalker is a real-time analysis program that identifies network attacks and attempts to exploit protocol vulnerabilities by comparing information gathered from router event reports against Haystack Labs' misuse signature database. When it detects a security breach it immediately closes the connection from the offending host and alerts the system administrator via pager, SNMP or email. | COTS | Network
NID | Lawrence Livermore National Lab | Solaris 2.5.1, SunOS 4.1.3, HP-UX | Rules Based, Anomaly | http://.ciac.llnl.gov/cstc/nid/nid.html | Network Intrusion Detector. NID is a suite of software tools that help detect, analyze and gather evidence of intrusive behavior on Ethernet and FDDI networks using the Internet Protocol (IP). NID is connected directly to the local area network and collects packets or statistics that cross a user-defined security domain. It uses attack signature recognition, anomaly detection and a vulnerability risk model. NID is freely available to all U.S. Government agencies and to contractors supporting the U.S. Departments of Defense and Energy. NID v2.0.1 was released on 5 December 1997. | GOTS | Network
NIDES | SRI International | SunOS | Rules Based, Anomaly | http://www.csl.sri.com/nides/index.html | Next-Generation Intrusion Detection Expert System. A comprehensive intrusion detection system that performs real-time monitoring of user activity on a set of target computers. Its rulebase is customizable, and it can run either in real time or in batch mode for batch analysis of audit data. | COTS | Multihost
OmniGuard/ITA | Axent Technologies, Inc. | Sun, MS, HP, IBM, Novell, Digital | Rules Based, Anomaly | http://www.axent.com/product/ita/ita.htm | OmniGuard/ITA (Intruder Alert) detects intruders or abuse by analyzing data from the operating systems it supports. ITA is a rules engine; it not only looks at log files but can also monitor SNMP traps from other applications and file-level accesses. | COTS | Multihost
PolyCenter Security ID | DEC | OpenVMS, Digital Unix, SunOS, Ultrix | Rules Based | http://www.digital.com/info/security/id.htm | Polycenter Security Intrusion Detection is a tool for detecting intrusions ranging from copying a sensitive file over the network to password guessing. Polycenter continuously monitors a system for intrusions and stops intruders in their tracks. It can be set up to detect a wide range of security events, including break-in attempts, execution of unauthorized privileged programs and network file transfers. | COTS | Host
RealSecure | ISS | SunOS, Solaris, Linux, NT | Rules Based | http://www.iss.net/prod/rs.html | RealSecure is an automated, real-time attack recognition and response system for your network. It acts like a sniffer, unobtrusively analyzing packets as they travel across the network. Its distributed architecture lets you install attack monitor engines throughout your enterprise network, so you can see and stop attacks from inside as well as outside the network perimeter. | COTS | Network
SAINT | National Autonomous Univ., Mexico | N/A | Rules Based | http://www.super.unam.mx | SAINT (Security Analysis Integration Tool) is a data analysis tool that can be used as a simple intrusion detection system to increase security on a UNIX system. By collecting data from many different sources in a single place, it allows integrated analysis for the detection of problems that might otherwise go undiscovered. After SAINT homogenizes the data into a common format, the events are analyzed to detect relationships that may indicate possible problems. The current version produces all reports in Spanish. | N/A | Unknown
SecureNet PRO | MimeStar, Inc. | unavailable | Rules Based | http://www.MimeStar.Com/secmain.htm | SecureNet PRO is a complete network security system that monitors your network. It is the only system available that combines several key technologies, including session monitoring, firewalling, hijacking and keyword-based intrusion detection. SecureNet PRO uses a technique known as TCP hijacking, which allows the administrator to instantly seize the connection of any user on the local area network. It is also one of the only products that offers automatic keystroke monitoring of all connections passing through the network. | COTS | Network
Session Wall-3 | AbirNet Inc. | Windows 95/98, NT 4.0/5 | Rules Based | http://www.abirnet.com/security.html | SessionWall-3 Release 3 (V1R3) is designed to be used as a standalone or complementary product. It includes an intrusion detection and denial-of-service attack detection engine, a URL control list of more than 200,000 categorized sites, a Java/ActiveX malicious applet detection engine and a virus detection engine. It complements all popular firewalls to extend application-specific protection, provide intrusion detection and audit the current settings, and interfaces with FireWall-1 using the OPSEC interface. SessionWall-3 provides the surveillance, intelligence, controls and interfaces required to protect a company's networks from both external and internal intrusion and abuse, combining network surveillance, scanning, blocking, detection, response, logging, alerting and reporting in an integrated package. It can be installed on any network-attached Windows 95/98 or NT 4.0/5 machine and can process the traffic of one or more Ethernet, Token Ring and FDDI local network segments. | COTS | Network
SHADOW | SANS (Stephen Northcutt) | UNIX | unknown | http://www.nswc.navy.mil/ISSEC/CID/step.tar.gz | SHADOW (SANS's Heuristic Analysis System for Defensive Online Warfare) was developed by the SANS Institute, the Naval Surface Warfare Center, the Lawrence Berkeley Research Center and the US Department of Energy. The system is based on tcpdump and requires SSH and the Apache web server. | N/A | Network
Stake Out | Harris Computer Corp. | Solaris | Rules Based | http://www.stakeout.harris.com | Stake Out is an intelligent agent designed to monitor TCP/IP-based networks for suspicious behavior. It monitors a network segment from a single location, providing alerting and logging for all systems attached. | COTS | Network
Stalker | Haystack Labs | SunOS, IBM, SCO, HP | Rules Based | http://www.haystack.com | Designed to detect and respond to UNIX system misuse by comparing logs of system activity against its database. A misuse detector analyzes the audit trail data looking for events that correspond to known attack techniques or known system vulnerabilities. A querying and reporting facility reduces the volume of audit trail data to only the audit records of interest. Collection and storage of audit trails from multiple UNIX systems is managed on a single server by an audit control and storage manager. | COTS | Host
Swatch | Stanford University | UNIX | Rules Based | Not Available | Swatch (Simple WATCHer) is a program for UNIX system logging and management developed at the Electrical Engineering Computer Facility at Stanford University by Stephen Hansen and Todd Atkins. Swatch was designed to keep system administrators from being overwhelmed by large quantities of log data. It monitors log files, filters out unwanted data and takes one or more simple user-specified actions based on patterns in the log. Swatch can monitor information as it is appended to a log file and alert system administrators immediately to serious system problems as they occur. | N/A | Multihost
T-sight | En Garde Systems Inc. | Windows 95/NT | Rules Based, Anomaly | http://www.engarde.com/software/t-sight/index.html | T-sight allows real-time monitoring of all active connections and their subsequent transactions for IP protocols. Version 1.0 will be able to interpret and alarm on connections for telnet, rlogin, ftp, smtp, rsh and http. It allows playback of previous sessions, with five detailed viewing options: real-time playback presents the connection data as it would appear in a VT100 window; VCR playback is the same but lets the user rewind, fast-forward or pause the playback; server view presents the data from the server's point of view and client view from the client's; and the packet dump display shows packet headers and flags as well as a hex dump of the packet data. A beta/demo is available for download from the site. | COTS | Network
Tripwire IDS 1.5 | Visual Computing Corp | UNIX, LINUX, NT | unknown | http://www.tripwiresecurity.com:8080/inproducts.html | No description available; still in beta testing. | COTS | unknown
UNICORN (Unicos Realtime NADIR) | Los Alamos National Laboratory | UNIX | Rules Based | http://www.EnGarde.com/~mcn/unicorn.html | UNICORN is an expansion of the NADIR project. It accepts audit logs from Unicos (Cray Unix), Kerberos and common file systems, analyzes them and attempts to detect intruders in real time. Because Unicorn was designed for Kerberos and UNIX, the design can be applied to many other network configurations. Unicorn was presented at Supercomputing '95 in San Diego, CA. | unknown | Network
USTAT (State Transition Analysis Tool for UNIX) | Univ. of California, Santa Barbara | UNIX | Rules Based | http://www.cs.ucsb.edu/TRs/TRCS93-26.html | USTAT is the first prototype of the STAT model, in particular for SunOS 4.1.1. USTAT makes use of the audit trails collected by the C2 Basic Security Module of SunOS, and keeps track of only those critical actions that must occur for the successful completion of a penetration. This approach differs from other rule-based penetration identification tools, which pattern-match sequences of audit records. The program, originally developed by Koral Ilgun, has now been ported to Solaris 2.x by Jonathan Wood. | N/A | Host
WebStalker Pro | Haystack Laboratories, Inc. | Solaris 2.5, IBM AIX 4.1, Windows NT | Rules Based | http://www.haystack.com/prodfr.htm | WebStalker-Pro manages and controls access to the contents of your Web site by allowing only authorized individuals to modify the content files. It catches outsiders and insiders alike who may be attempting to modify your Web site, and alerts you or kicks them off. | COTS | Host