A novel intrusion detection system for a local computer network

Local computer networks at major universities are routinely plagued by self-replicating malicious software. Due to the intensive exchange of data and information within the network, when modern viruses, worms and malicious software are introduced they propagate very quickly, leaving little or no time for human intervention. Such environments are ideal for the implementation of the automatic IDS described herein. It employs the Dynamic Code Analyzer (DCA) that detects malicious software during run time by monitoring system calls invoked by individual processes and detecting subsequences (patterns) of system calls indicative of attempted self-replication. A similar approach, also utilizing system calls, is developed for the detection of network worms. Both techniques have the potential for detecting previously unknown malicious software and significantly reducing computer resource utilization. Unfortunately, in comparison with traditional signature based antivirus software, both approaches have a much higher rate of false alarms. To address this shortcoming the authors propose a method to search for evidence of the alarm propagation within the network. This is achieved by aggregating alarms from individual hosts at a server where these alarms can be correlated, resulting in a highly accurate detection capability. Such a system, implementing the presented technology, and capable of significantly reducing the downtime of networked computers owned by students and faculty, is being implemented at the computer network at the Kazakh National University.