RAID '98:
First International workshop on the Recent Advances on Intrusion Detection
Workshop Report
http://www.zurich.ibm.com/~dac/RAID98
Marc Dacier, Kathleen Jackson [1]
IBM Research, Zurich Research Laboratory
Säumerstrasse 4, CH-8803 Rüschlikon, Switzerland
{dac,kaj}@zurich.ibm.com
1. Introduction
1.1. Background
RAID '98 took place in Louvain-la-Neuve, Belgium, on 14-16 September 1998. It was held in the same location as CARDIS '98 (The Research Conference about Smart Cards, http://www.dice.ucl.ac.be/cardis98) and ESORICS '98 (European Symposium on Research in Computer Security, http://www.dice.ucl.ac.be/esorics98), at the same time as the former and just prior to the latter.
RAID '98 was the first of an anticipated annual series of international workshops that will bring together leading figures from academia, government, and industry to ponder the current state of intrusion detection (ID) technologies and paradigms from the research and commercial perspectives. Its aim is to make further progress in intrusion detection by promoting the exchange of ideas among researchers, system developers, and users and by encouraging links between these groups.
1.2. Program and Proceedings
We received 52 proposals, each of which was reviewed by the 17 Program Committee (PC) members. 35 papers and 2 panels were accepted. 20 minutes were allocated for each presentation, which proved too brief to accommodate the frequently lively discussions they generated. On the other hand, the short presentations helped create a dynamic environment and fostered interaction between people during the breaks as well as at the various social events.
The PC decided to provide online proceedings rather than hard copies. Slides of many presentations were available prior to the workshop on the RAID web site (http://www.zurich.ibm.com/~dac/RAID98). Since then, we have enriched it with new documents provided by the authors: some have written and delivered a full paper, others an electronic version of their presentation, and others have simply provided pointers (URLs) to their work.
Thanks to our two sponsors, the IBM Emergency Response Service (http://www.ers.ibm.com) and the Joint Research Centre of the EC (Institute for Systems, Informatics and Safety, http://ntsta.jrc.it), we were able to offer financial support to several students to attend the workshop. In return, we asked them to take minutes during the two panels. Their notes, now available on the RAID site, provide valuable summaries of the various topics discussed.
The most outstanding RAID '98 contributors, as determined by the attendees as well as the Program Committee, will be invited to submit a formal paper based on their presentation to a special RAID '98 issue of the refereed journal Computer Networks and ISDN Systems. To this end, we asked all participants to rank the content of each RAID presentation. The results will be evaluated, and the authors of the highest-scoring presentations will be invited to submit papers, which will of course still be subject to review for quality and content.
1.3. Attendance
More than 130 participants attended RAID '98. Nearly 50% of them were from outside Europe, reflecting a truly international community. Almost all the large research institutions and universities active in the field were represented. Furthermore it is worth noting that many attendees were from industry, not only from companies that sell ID products but also those interested in finding ID solutions.
2. Topics addressed
2.1. Talks
To draw up a fair summary of so many papers in a page or two is a very challenging task. It is inevitable that one is influenced by one's own vision of the domain. What follows must be understood as being the sole viewpoint of the authors without necessarily reflecting those of other attendees. Hopefully, what appears below should not be too different from what the majority of the attendees would have agreed upon. In any case, we will post on the RAID web site all other workshop reports we receive.
Talks presented at RAID can be divided into three groups defined as follows:
- Feedback from the real world
- New technology
- Open issues
The three groups will be briefly discussed in the next subsections.
2.1.1. Feedback from the real world
Various speakers presented the results of their own hands-on experiments with ID solutions. They described the technical weaknesses and/or advantages of the systems they use and also raised pertinent non-technical issues. The problems of using data collected by ID tools as legal evidence were one such issue. Trends in the market, which increasingly treats ID as a service rather than a packaged product, were also considered. Last but not least, the future of existing ID products was presented.
2.1.2. New Technology
Many papers proposed new applications of techniques, some of them quite sophisticated, to detect intrusions. Two main families of methods were covered during the workshop: misuse detection and anomaly detection. The misuse-detection approach looks for well-known signatures or symptoms of attacks; it can only report what it has a signature for. The anomaly-detection approach detects deviations from a well-defined model of the normal behavior of a system; it can report previously unseen activity, but not whether that activity is malicious. Genetic algorithms, self-organizing maps, neural nets, immune systems, and relational databases were among the techniques presented at RAID '98.
Host-based approaches, in which the IDS evaluates information provided by a given host, and network-based approaches, in which the IDS evaluates packets passing through the network, were both studied to an equal extent at RAID '98.
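To make the distinction between the two families concrete, here is a small added example of our own; it is not code presented at RAID '98 nor taken from any of the systems discussed there. It runs a signature-based misuse detector and a profile-based anomaly detector over a handful of constructed host audit records, then combines their verdicts. The record layout (user, hour of day, command line), the two signatures, the per-user profile and the anomaly threshold are all assumptions chosen for the illustration.

```python
"""Misuse vs. anomaly detection over constructed host audit records.

Added illustration, not from the RAID '98 report.  Record format, rules
and thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict

# Constructed sample records (user, hour_of_day, command_line).  The
# first block is the training window used to build per-user profiles;
# the second block is the "live" traffic that both detectors examine.
TRAINING = [
    ("alice", 9, "ls"), ("alice", 10, "vim"), ("alice", 10, "gcc"), ("alice", 11, "ls"),
    ("alice", 14, "make"), ("alice", 15, "vim"), ("alice", 16, "git"), ("alice", 17, "ls"),
    ("bob", 8, "psql"), ("bob", 9, "psql"), ("bob", 12, "ls"), ("bob", 13, "psql"),
]
LIVE = [
    ("alice", 10, "vim"),                # normal: usual hour, usual command
    ("alice", 3, "nc"),                  # unusual hour and command, no known signature
    ("bob", 9, "psql"),                  # normal
    ("bob", 10, "cat /etc/shadow"),      # known bad command during normal hours
    ("mallory", 2, "chmod +s /bin/sh"),  # unknown user running a known bad command
]

# --- Misuse detection: known attack signatures (assumed, illustrative) ---
SIGNATURES = [
    ("read-shadow", re.compile(r"\bcat\b.*/etc/shadow\b")),
    ("setuid-shell", re.compile(r"\bchmod\b.*\+s\b.*/bin/(ba)?sh\b")),
]


def misuse_detect(record):
    """Return the names of all signatures matching one record (possibly none)."""
    _, _, cmd = record
    return [name for name, pattern in SIGNATURES if pattern.search(cmd)]


# --- Anomaly detection: deviation from a per-user behaviour profile ---
def train_profiles(records):
    """Build, per user, the set of hours and command names seen during training."""
    profiles = defaultdict(lambda: {"hours": set(), "commands": set()})
    for user, hour, cmd in records:
        profiles[user]["hours"].add(hour)
        profiles[user]["commands"].add(cmd.split()[0])
    return dict(profiles)


def anomaly_score(profiles, record):
    """Count how many features of the record fall outside the user's profile.

    A user never seen in training scores the maximum (2): every feature is new.
    """
    user, hour, cmd = record
    profile = profiles.get(user)
    if profile is None:
        return 2
    score = 0
    # Hours inside the observed range count as normal; outside it is a deviation.
    if not (min(profile["hours"]) <= hour <= max(profile["hours"])):
        score += 1
    if cmd.split()[0] not in profile["commands"]:
        score += 1
    return score


# Requiring two deviating features keeps a single new command from raising an
# alert; lowering this to 1 catches more but generates far more false positives.
ANOMALY_THRESHOLD = 2


def classify(profiles, record):
    """Combine both detectors; return the list of verdicts for one record."""
    verdicts = []
    signatures = misuse_detect(record)
    if signatures:
        verdicts.append("misuse:" + ",".join(signatures))
    score = anomaly_score(profiles, record)
    if score >= ANOMALY_THRESHOLD:
        verdicts.append(f"anomaly:{score}")
    return verdicts


def run(training=TRAINING, live=LIVE):
    """Train on the first block, classify the second; map each record to its verdicts."""
    profiles = train_profiles(training)
    return {record: classify(profiles, record) for record in live}


if __name__ == "__main__":
    for record, verdicts in run().items():
        print(record, "->", verdicts or ["ok"])
```

On this input the two detectors are complementary: the misuse rules catch `cat /etc/shadow` during bob's normal working hours, which the profile alone would not flag, while the profile flags alice's 3 a.m. `nc` session, for which no signature exists. Only the unknown user is reported by both. This is the case for combining the two approaches, and it also shows the cost: every alert from the anomaly detector still needs an analyst to decide whether the deviation is an intrusion.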
2.1.3. Open Issues
Various speakers addressed open issues for IDSs to tackle in the future. Among others, we may cite the following ones:
- Can we preserve privacy while providing intrusion-detection mechanisms?
- How can we maintain secure logs on potentially insecure machines?
- How can IDSs that evaluate signatures keep up with the constantly increasing number of attacks?
- How should IDSs be integrated into existing network management environments?
- Do we need standards for intrusion detection? What should they focus on?
- How can we characterize and evaluate IDSs in a rigorous way?
All these questions, and many others, generated lively discussions among the participants. Solutions have been proposed but it is clear that a lot of work remains to be done.
2.2. Panels
The first panel was about the various existing standardization bodies. What are standards, what is their general value, and why should the intrusion-detection community be interested in them? What are the recognized standards organizations, and how do they complement one another (differences, strengths, weaknesses)? Speakers from various bodies were present, and their slides are available on the RAID web site. The potential creation of a new IETF working group on intrusion detection was also discussed, together with its possible goals.
The main objective of the second panel was to discuss the problems and possible solutions related to intrusion detection in large systems. It ended up, however, being a much more general discussion about many issues that, although particularly important in large installations, are relevant for IDSs deployed in installations of any size and type. We refer the interested reader to the minutes of this panel available on the RAID web site.
3. Conclusions
It is our conviction that RAID '98 has lived up to its promises. Various communities, namely vendors, researchers, and customers, were given a forum where they could exchange ideas and discuss new projects. We hope that attendees have learned as much as they had hoped. The impressive number of participants clearly indicates that a need existed for such a workshop.
Among the achievements of RAID '98, we may say that it has highlighted a few crucial points to be addressed in the near future if ID solutions are to become widely used and accepted. We have already mentioned some of the open issues above. It also became clear in the discussions that a couple of other points deserve attention, such as the need for interaction between existing solutions, the need for combined use of anomaly and misuse-detection techniques to protect large intranets, and the need for solutions integrated into a network management framework.
We look forward to getting answers to these questions at the next RAID workshop, to take place in 1999, this time in the USA, most probably hosted by the University of Idaho (to be confirmed).
[1] Kathleen Jackson is currently working at the Los Alamos National Laboratory and was spending a year in Zürich as a visiting scientist when she organized this workshop.