[Last updated on: Sat Mar 25  3:23:02 1995]
 + ================================================ +
||  ___  ____    ___ _____________________________  ||
||   I   |   \  /    I N T R U S I O N ---------    ||
||   I   |   /  \__    D E T E C T I O N ------     ||
||   I   |  /      \     S Y S T E M S -------      ||
||  _I___|_/_______/     --------------------       ||
||                                                  ||
 + === M A I L I N G =========== L I S T ========== +

 Welcome to the Intrusion Detection Systems Mailing List. The list is
 a forum for discussions on topics related to development of intrusion
 detection systems.

Possible topics include:

 +  techniques used to detect intruders in computer systems and computer networks
    +  audit collection/filtering
    +  subject profiling
    +  knowledge based expert systems
    +  fuzzy logic systems
    +  neural networks

 =  methods used by intruders (known intrusion scenarios)
    =  CERT advisories
    =  scripts and tools used by hackers

 *  computer system policies
 *  universal intrusion detection system

---- IRC Conferences ----

Additionally, discussion sessions can be organized via IRC. The
intrusion detection channel on IRC is #ids. As well as the organized
sessions, you can drop in anytime; there may be someone around to have
a chat with.  For those not familiar with IRC I would suggest getting
the IRC FAQ from the usenet newsgroup news.answers.

---- Using the Mailing List ----

Majordomo list management software is being used to run the forum.  If
you haven't used Majordomo mailing lists before, I suggest you obtain
the "help" file. The help file gives a description of the commands
supported by this version and the syntax they require.

This is done by sending:
--> To: majordomo@uow.edu.au
--> Subject: (not important)
--> Body: help

All commands are handled by the above address. NOTE: mail for the list
is not to be sent to the above address. Mail for the ids mailing list
should be directed to:

--> To: ids@uow.edu.au
--> Subject: please try to give an appropriate subject name
--> Body: message for the forum

Information on subscribing to and unsubscribing from the ids mailing
list can also be retrieved by mailing "ids-request@uow.edu.au" with the
body "help".

If you need to discuss any additional ideas related to the services of
the mailing list you can send mail to the list maintainer by sending:

--> To: ids-owner@uow.edu.au

Please only send mail to this address in regard to problems or ideas
related to the running of the mailing list.

---- Introduction to Intrusion Detection Systems  ----

The growth of usage of, and reliance on, computer systems has been
phenomenal; at no other time in history has any single development
progressed at anything near the explosive rate of computers. Today we
see the computer being adopted in almost every field, due to the
increased benefits in productivity associated with using computers.
However, this rapid growth has often meant adopting strategies that
are the quickest to implement and simplest to maintain. Often we find
systems have been implemented without any concern for establishing
sound security and privacy strategies. The lack of human resources and
funds has also, in a lot of cases, meant that the system administrator
job was shared amongst users or given to the person with the most
computer experience. It is therefore not uncommon to find that there
is no dedicated system security officer; security is usually just
another component of the already overworked system administrator's
job.

There have been many stories of hackers reported in the news over the
years, some more true than others. We have seen this in very
dramatized movies such as Wargames, where a student broke into a
computer system and nearly caused the destruction of the earth by
"Thermonuclear War", because this bright young hacker had decided
that he wanted to "play a game ?". This cult movie alone has been
credited by some with inspiring a whole new generation of system
hackers, or, as the older generation of hackers prefer, "crackers".
Then there was Sneakers, a movie that revolved around a tiger team
whose job was to test the security of banks by attempting to break
into them. Later they were hired to steal a powerful decryption box
that was able to decipher all American encryption systems. Though
such movies are highly fictional [ mmmm *Clipper* - doh ],
there have been all too real accounts.

One such account is outlined in Cliff Stoll's "The Cuckoo's Egg".
Stoll had been asked to account for a 75c discrepancy in the system
accounting. Later, while tracking down this discrepancy, he found
that someone was hacking into his computer system by using other
people's accounts.  Eventually, Stoll traced this hacker back to a
group of German hackers who were using his computers to break into US
military sites, looking for information they could sell to the KGB.

Another is the "Internet Worm", a program that spread across the
Internet by exploiting security holes that were, to some extent,
already known. It was later found to have been released by a student
from Cornell University (rtm). It was estimated that the worm was
responsible for some 4000 BSD and VAX based systems coming to a halt,
costing some US$10+ million dollars in lost computer time. These
incidents, along with countless others, highlight the need for
increased computer security.  However, the solution isn't a simple
one, for "UNIX was not developed with security, in any realistic
sense, in mind".

Intrusion Detection Systems are a recent development in the effort to
overcome some of the classical problems inherent to computer systems.
These intrusion detection systems attempt to ensure correct usage of
the computer system by monitoring users through a system audit trail.
The early idea of detecting threats by means of audit trail analysis
was proposed by J. Anderson. In his report, Anderson categorized
threats into internal penetrators (which included masquerading and
clandestine users) and external penetrators. While most reporting has
been about the external computer "hackers", it is really the internal
penetrators that have been the cause of most security incidents.

Later models were developed for performing intrusion detection by the
use of expert systems and subject profiling. The majority of early
work was carried out by Sytek and SRI International, in the
development of computer algorithms and later the Intrusion Detection
Expert System and Next-generation Intrusion Detection Expert System,
for the automatic analysis of computer audit records to detect
abnormal or suspicious computer usage. Many other systems have been,
and are still being, developed, as follows.
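The two paragraphs above describe the core idea of audit-trail analysis and
subject profiling: build a profile of each user's normal behaviour from past
audit records, then flag later records that do not fit that profile (Anderson's
"masquerader", someone else using a legitimate account, is the classic case).
The following is an added example, not code from the list or from any of the
systems named on this page; the audit records, user names, hosts and the
three profile dimensions (hour of day, source host, command) are constructed
for illustration, and the slack and minimum-history thresholds are arbitrary
choices.

```python
"""Toy subject profiling over a constructed audit trail (added example)."""
from collections import Counter, defaultdict

# Constructed audit records: (user, hour_of_day, source_host, command).
# These are made-up sample values, not real audit data.
BASELINE = [
    ("alice", 9, "ws-alice", "ls"),
    ("alice", 10, "ws-alice", "emacs"),
    ("alice", 14, "ws-alice", "make"),
    ("alice", 15, "ws-alice", "ls"),
    ("bob", 8, "ws-bob", "mail"),
    ("bob", 9, "ws-bob", "cc"),
    ("bob", 11, "ws-bob", "make"),
    ("bob", 13, "ws-bob", "mail"),
]

RECENT = [
    ("alice", 10, "ws-alice", "make"),   # fits alice's profile
    ("alice", 3, "dialup-17", "su"),    # new hour, host and command: masquerader?
    ("bob", 9, "ws-bob", "cc"),          # fits bob's profile
    ("carol", 12, "ws-carol", "ls"),     # no history, so nothing to compare against
]


def build_profiles(records):
    """Summarise each user's past activity: hours seen, hosts seen, command counts."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set(), "commands": Counter()})
    for user, hour, host, cmd in records:
        p = profiles[user]
        p["hours"].add(hour)
        p["hosts"].add(host)
        p["commands"][cmd] += 1
    return profiles


def deviations(profile, event, hour_slack=1):
    """Return the list of ways `event` departs from `profile` (empty if none)."""
    _, hour, host, cmd = event
    reasons = []
    # Hour is "usual" if within hour_slack of any hour previously seen.
    if not any(abs(hour - h) <= hour_slack for h in profile["hours"]):
        reasons.append("unusual hour")
    if host not in profile["hosts"]:
        reasons.append("unusual host")
    if cmd not in profile["commands"]:
        reasons.append("unusual command")
    return reasons


def analyse(baseline, recent, min_history=3):
    """Profile users from `baseline`, then report anomalous events in `recent`.

    Users with fewer than `min_history` baseline records are reported as
    'insufficient history' rather than judged, since a thin profile would
    flag almost anything.
    """
    profiles = build_profiles(baseline)
    alerts = []
    for event in recent:
        p = profiles.get(event[0])
        if p is None or sum(p["commands"].values()) < min_history:
            alerts.append((event, ["insufficient history"]))
            continue
        reasons = deviations(p, event)
        if reasons:
            alerts.append((event, reasons))
    return alerts


if __name__ == "__main__":
    for event, reasons in analyse(BASELINE, RECENT):
        print(event, "->", ", ".join(reasons))
```

Run as a script, this flags the 3 a.m. `su` from an unfamiliar host under
alice's account on all three dimensions and reports carol as unprofiled; the
events that match their owners' habits are silent. The thresholds and the
choice of profile dimensions are exactly the kind of design question the list's
"subject profiling" topic covers: too loose and masqueraders slip through, too
tight and every legitimate change of routine becomes an alert.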

---- Intrusion Detection Systems ----

Saturne
Discovery
Network Auditing Usage Reporting System (NAURS)
Intrusion Detection Expert System (IDES)
Next-generation Intrusion Detection Expert System (NIDES)
Wisdom and Sense (W&S)
Compartment Mode Workstation (CMW)
Network Intrusion Detection eXpert (NIDX)
Haystack
Multics Intrusion Detection and Alerting System (MIDAS)
Network Anomaly Detection and Intrusion Reporter (NADIR)
Computer Watch (CW)
Clyde Digital Systems Audit (CDSA)
Information Security Officer Assistant (ISOA)
Minos
Time-based Inductive Learning (TIM)
Network Security Monitor (NSM)
Distributed Intrusion Detection System (DIDS)
Network Intrusion Countermeasure Engineering (NICE)
Intrusion Detection Alert (IDA)
State Transition Analysis Tool and Unix State Transition Analysis Tool (STAT/USTAT)
SecureNet (SN)
Stalker
Polycenter Security Intrusion Detector (PSID)
Computer Misuse Detection System (CMDS)
Advanced Security audit trail Analysis on uniX (ASAX)
Security Administrator Tool for Analyzing Networks (SATAN)

---- Joining Requests ----

When joining the list I ask you to briefly introduce yourself and give
an outline of your interest in intrusion detection systems: whether
you are developing an intrusion detection system, or are a system
administrator or student who is currently investigating or developing
a system. Additionally you might want to express some personal ideas
that you have about what you think an intrusion detection system
ideally should be.


---- References & Papers ----

For those that are looking for some reference material, I will be
posting a bibliography and some hints on finding material; if you
have any material on the topic please inform the list or me. I would
like to use this for the development of a FAQ for the list.

Additionally, if you have any electronic copies of papers on intrusion
detection systems in PostScript, TeX/LaTeX or whatever, you might
want to post them to the list (if large, please send them to me and send
a brief notice to the list). Hopefully I will get around to setting up
the ftp site to maintain archives of the list, the list FAQ and any
papers on ids that are submitted to the list.

---- Important Note ----

One final note: if you want to mail to the list be sure to mail to:
ids@uow.edu.au

*Warning* if you are replying to mail from the list, the reply will be
directed to the list (due to Reply-to: fields being automatically
inserted), not to the author of the mail, which may have been the
intention. So to reply to the author of the message, just edit the To:
field before sending the mail.

majordomo@uow.edu.au is for commands for list management functions; if
you are unsure of the syntax, just mail it with "help" in the body of
the message.

An ftp site and www home page are under construction for the list.

--=== RuF LiNuX SPi===--