Cooperating security managers: Distributed intrusion detection systems

Intrusion detection systems have been developed to address the break-in threat posed by ''hackers'' and the misuse threat posed by authorized users. Originally designed to address these threats as they apply to an individual host, the concept was eventually extended to a networked environment. Unfortunately the systems which have been implemented rely heavily on a centralized director or controller which coordinates the intrusion detection functions for the network. As the size of the network grows, the message-passing overhead associated with this approach can quickly saturate the centralized director resulting in performance degradation. This paper describes an approach to intrusion detection which places the intrusion detection responsibility for users on the host which the user first accesses. This approach results in a load leveling for messages across the network and avoids the chokepoint which exists with centralized controllers. The approach described is part of on-going computer security research bring conducted at Texas A&M University. Copyright (C) 1996 Elsevier Science Ltd.