First International workshop on the
Recent Advances on Intrusion Detection
Marc Dacier, Kathleen Jackson
IBM Zurich Research Laboratory
CH-8803 Rüschlikon, Switzerland
RAID'98 took place in Louvain-la-Neuve, Belgium, on 14-16 September 1998. It was held in the same location as CARDIS'98 (The Research Conference about Smart Cards, http://www.dice.ucl.ac.be/cardis98) and ESORICS'98 (European Symposium On Research In Computer Security, http://www.dice.ucl.ac.be/esorics98), at the same time as the former and just prior to the latter.
RAID'98 was the first in an anticipated annual series of international workshops that will bring together leading figures from academia, government, and industry to ponder the current state of intrusion detection (ID) technologies and paradigms from the research and commercial perspectives. Its aim is to further progress in intrusion detection by promoting the exchange of ideas among researchers, system developers, and users and by encouraging links between these groups.
We received 52 proposals. Each of them was reviewed by the 17 Program Committee (PC) members. 35 papers and 2 panels were accepted. 20 minutes were allocated to each presentation. This proved to be very short because of the lively discussions that presentations very often generated. On the other hand, these short presentations helped to create a very dynamic environment and to foster interaction between people during the breaks as well as during the various social events.
The PC decided to provide on-line proceedings rather than hard copies. Slides of many presentations were available before the workshop on the RAID web site (http://www.zurich.ibm.com/~dac/RAID98). Since then, we have enriched it with new documents provided by the authors. A few of them have written and delivered a full paper, others have sent us an electronic version of their presentation, and others have simply indicated pointers (URLs) to their work.
Thanks to our two sponsors, the IBM Emergency Response Service (http://www.ers.ibm.com) and the Joint Research Centre of the EC (Institute for Systems, Informatics and Safety, http://ntsta.jrc.it), we were able to offer financial support to a couple of students so that they could attend the workshop. In return, we asked them to act as scribes during the two panels. Their notes, now available on the RAID site, provide valuable summaries of the various topics that were discussed.
The most outstanding RAID'98 contributors, as determined by both attendees and the Program Committee, will be invited to submit a formal paper based on their presentation to a special RAID'98 edition of the refereed journal Computer Networks and ISDN Systems. To this end, we asked all the participants to rank the content of each RAID presentation. The results will be tallied, and those with the highest score will be invited to submit papers, which will of course still be subject to review for quality and content.
More than 130 participants attended RAID'98. Almost 50 % of them came from outside Europe, reflecting a truly international community. Almost all the large research institutions and universities active in the field were represented. It is also worth noting that many attendees came from industry, not only from companies selling ID products but also from companies interested in finding ID solutions.
Offering a fair summary of so many papers in a page or two is a very challenging task, and we are inevitably influenced by our own vision of the domain. What follows must be understood as the sole viewpoint of the authors, not necessarily reflecting that of other attendees. Hopefully, what appears below should not be too different from what the majority of the attendees would have agreed upon. In any case, we will post on the RAID web site all the other workshop reports that people are kind enough to send us.
Talks presented at RAID may be gathered into 3 groups defined as follows:
The three groups will be briefly discussed in the next subsections.
Various speakers presented the results of their own hands-on experiments with ID solutions. They presented their technical weaknesses and/or advantages, but non-technical issues were also raised. The problem of using evidence produced by ID tools in legal proceedings was one of them. The direction taken by the market, which sees ID as a service rather than as a packaged product, was also considered. Last but not least, the future of existing ID products was presented.
Many papers proposed new applications of, sometimes sophisticated, techniques to detect intrusions. The two main families of methods were covered during the workshop: misuse detection and anomaly detection. The misuse detection approach aims at detecting well-known signatures or symptoms of attacks. Conversely, the anomaly detection approach aims at detecting deviations from a well-defined normal behaviour of a system. Genetic algorithms, self-organising maps, neural nets, immune systems and relational databases were among the techniques presented at RAID98.
Host-based approaches, where the IDS looks at information provided by a given host, and network-based approaches, where the IDS looks at packets passing on the network, were both studied equally at RAID98.
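To make the distinction between the two families concrete, the following added example (not code from the workshop or from any presented paper) runs a signature-based misuse detector and a baseline-deviation anomaly detector over constructed web-server access lines. The signatures, clients and paths are all invented for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed access lines, "client path status"; not taken from any real system.
# The baseline window is assumed to be attack-free and defines "normal" behaviour.
BASELINE_LOGS = [
    "10.0.0.1 /index.html 200", "10.0.0.1 /about.html 200", "10.0.0.1 /news.html 200",
    "10.0.0.2 /index.html 200", "10.0.0.2 /news.html 200", "10.0.0.2 /contact.html 200",
    "10.0.0.2 /about.html 200",
    "10.0.0.3 /index.html 200", "10.0.0.3 /news.html 200", "10.0.0.3 /about.html 200",
    "10.0.0.4 /index.html 200", "10.0.0.4 /about.html 200", "10.0.0.4 /news.html 200",
    "10.0.0.4 /contact.html 200",
]
OBSERVED_LOGS = [
    "10.0.0.1 /index.html 200", "10.0.0.1 /news.html 200", "10.0.0.1 /about.html 200",
    "10.0.0.5 /cgi-bin/../../etc/passwd 404",  # known symptom, but a normal request rate
    "10.0.0.5 /index.html 200",
] + [f"10.0.0.9 /page{i}.html 404" for i in range(12)]  # burst of harmless-looking requests

# Misuse detection: a small table of well-known attack signatures (illustrative only).
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "passwd-file-access": re.compile(r"/etc/passwd"),
}

def misuse_alerts(lines):
    """Match every request path against the signature table; returns (client, signature)."""
    alerts = []
    for line in lines:
        client, path, _status = line.split()
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((client, name))
    return alerts

def build_profile(lines, k=3.0):
    """Anomaly detection, training step: "normal" is the requests-per-client
    distribution of the clean window; the threshold is mean + k standard deviations."""
    counts = list(Counter(line.split()[0] for line in lines).values())
    return mean(counts) + k * pstdev(counts)

def anomaly_alerts(lines, threshold):
    """Flag clients whose request count deviates from the profile.  No signature is
    needed, so the burst is caught although each of its requests looks harmless."""
    counts = Counter(line.split()[0] for line in lines)
    return sorted((client, n) for client, n in counts.items() if n > threshold)
```

Run on the constructed data, the traversal request is reported only by the misuse detector and the request burst only by the anomaly detector, which is exactly why the two families complement each other.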
Various speakers addressed open issues that IDSs will have to tackle in the future. Among others, we may cite the following:
All these questions, and many others, generated lively discussions among the participants. Solutions were proposed, but it is clear that a lot of work remains to be done.
The first panel was about the various existing standardisation bodies. What are standards, what is their general value, and why should the intrusion detection community be interested? What are the recognised standards organisations, and how do they complement one another (differences, strengths, weaknesses)? Speakers from various bodies were present and their slides are available on the RAID web site. The potential creation of a new IETF working group on intrusion detection was also discussed, together with its goals.
The main objective of the second panel was to discuss the problems and possible solutions related to doing intrusion detection in large systems. It ended up, however, being a much more general discussion about many issues that, although particularly important in large installations, are relevant for IDSs deployed in installations of any size and type. We would refer the interested reader to the minutes of this panel available on the RAID web site.
We have the feeling that RAID98 has kept its promises. Various communities, namely vendors, researchers and customers, found a place where they had the opportunity to exchange ideas and discuss new projects. We hope that attendees learned as much as they were hoping to. The large number of participants clearly indicates that there was a need for such a workshop.
Among the achievements of RAID98, we may say that it highlighted a few crucial points that need to be addressed in the near future in order for ID solutions to become widely used and accepted. We have already mentioned some open issues above. It was also clear from the discussions that a couple of other points deserve attention, such as the need for interaction between existing solutions, the need for combined use of anomaly and misuse detection techniques to protect large intranets, the need for solutions integrated into a network management framework, etc.
We look forward to getting answers to those questions at the next RAID workshop, in 1999, which will this time take place in the USA, most probably hosted by Purdue University and with Deborah Frincke from the University of Idaho acting as program chair (to be confirmed).