Institute for Security, Technology, and Society
Dartmouth College
6211 Sudikoff Laboratory
Hanover, NH 03755 USA
info.ists@dartmouth.edu

Shadow Intrusion and Network Analysis

Project Summary

Forensic-grade analysis of network traffic has traditionally been limited by the logging capabilities of firewalls, routers and intrusion detection systems (IDS). In common implementations, these devices compare certain characteristics of network traffic against a list of known signatures of malicious actions. Unfortunately, only known attacks will be detected, since there can be no signature for a previously unknown attack. Shadow, an intrusion-detection system from the Naval Surface Warfare Center, shows promise in detecting previously unknown attacks. IRIA is undertaking an overhaul of the current Shadow system to improve its efficiency, detection capabilities, and installation procedures.

IDABench has met its goals of extending the SHADOW Intrusion Detection System into a pluggable framework for analysis. Featuring simplified installation and configuration, clear documentation, and a simple yet comprehensive API for plugin development, IDABench has been downloaded by hundreds of organizations, including:

  • CIA-Open Source Information Service
  • United States Postal Service
  • National Institutes of Health
  • US Navy Surface & Underwater Warfare Centers
  • US Army Research Labs
  • National Public Radio

IDABench has been chosen by the ISTS as one of the key analysis tools for the Distributed Honeypot System project. Under this project, IDABench version 2.0 development will continue, in order to support not only packet data represented as database records, but also many other data types to be correlated against network events.

  • Project Leads: George Cybenko, Robert Gray, Susan McGrath