Investigative Data Mining for Security and Criminal Detection

AT&T Information Security Center http://www.att.com/isc The AT&T Information Security Center provides government and corporate customers with design and implementation services in intrusion detection, public-key infrastructure, and security consulting.

CERIAS/Purdue University http://www.cerias.purdue.edu CERIAS, the world's foremost university center for multidisciplinary research and education in areas of information security (computer security, network security, and communications security) and information assurance.

CIDER Project http://www.nswc.navy.mil/ISSEC/CID The Cooperative Intrusion Detection Evaluation and Response project is an effort of NSWC Dahlgren, NFR, NSA, the SANS community, and other interested parties to locate, document, and improve security software.

COAST Intrusion Detection Pages http://www.cerias.purdue.edu/coast/intrusion-detection Information about intrusion detection, and intrusion detection research.

Computer immune systems (University of New Mexico) http://www.cs.unm.edu/~immsec Four examples of how we are applying ideas from immunology to today's computer security problems are a host-based intrusion-detection method, a network based IDS, a distributable change-detection algorithm, and a method for intentionally introducing diversity to reduce vulnerability.

Cost-sensitive intrusion detection(Georgia Institute of Technology) http://www.cc.gatech.edu/~wenke/project/id.html A data mining approach for building cost-sensitive and light intrusion detection models.

EMERALD http://www.sdl.sri.com/emerald/index.html EMERALD Event Monitoring Enabling Response To Anomalous Live Disturbances. EMERALD represents the state-of-the art in research and development of systems and components for anomaly and misuse detection in computer systems and networks:

• Scalable Network Surveillance

• High-Volume Event Analysis

• Light-Weight Distributed Sensors

• Generic Infrastructure and Pluggable Components

• Easy Customization to New Targets and Specific Policies

INBOUNDS: Integrated network-based Ohio university network detective service http://zen.ece.ohiou.edu/inbounds INBOUNDS is a network-based, real-time, hierarchical IDS being developed at Ohio University. INBOUNDS detects suspicious behavior by scrutinizing network information generated by Tcprace and host data gathered by the monitors of DeSiDeRaTa. INBOUNDS functions in a heterogeneous environment with fault tolerance, very low overhead, and a high degree of scalability.

Intrusion detection projects at UC Davis http://seclab.cs.ucdavis.edu Anomaly Detection in Database Systems, Common Intrusion Detection Framework, Intrusion Detection and Isolation Protocol (IDIP), Intrusion Detection for Large Networks, Misuse Detection, and Workshop for Intrusion Detection and Response Data Sharing.

Intrusion detection at the MIT Lincoln Lab, Information Systems Technology Group http://www.ll.mit.edu/IST Information assurance focusing on techniques for detecting and reacting to intrusions into networked information systems. We have coordinated several evaluations of computer network IDS.

Intrusion Detection in Columbia University http://www.cs.columbia.edu/ids This project approaches the intrusion detection problem from a data mining perspective. Large quantities of data are collected from the system and analyzed to build models of normal behavior and intrusion behavior. These models are evaluated on data collected in real time to detect intruders. There are 12 subprojects, which together compose the Intrusion Detection System Project at the Columbia Project IDS:

• HOBIDS — Host-Based Intrusion Detection System

• HAUNT — Network Based Intrusion Detection System

• DIDS — Distributed Intrusion Detection System

• DW-AMG — Data Warehousing and Adaptive Model Generation

• MEF — Malicious E-mail Filter

• FWRAP — File System Wrappers

• ASIDS — Advanced Sensors for IDS

• TAG — The Attack Group

• IDSMODELS — Intrusion Detection Models Generation

• IDSWATCH — Intrusion Detection Visualization

• DuDE — Denial-of-Service Detection and Response System

• Response — Automated Intrusion Detection and Response Rule-Based System

Intrusion Detection Exchange Format (IDWG) http://www.ietf.org/html.charters/idwg-charter.html The purpose of the Intrusion Detection Working Group is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to management systems, that may need to interact with them. The Intrusion Detection Working Group will coordinate its efforts with other IETF Working Groups.

Institute for security technology studies (Dartmouth Colledge) http://www.ists.dartmouth.edu The Institute, with its core program on cybersecurity arid information infrastructure protection research, serves as a principal national center for counter-terrorism technology research, development, and assessment.

MAIDS: Mobile Agent Intrusion Detection System (Iowa State University) http://latte.cs.iastate.edu/Research/Intrusion/index.html MAIDS design and implementation

RAID: Recent Advances in Intrusion Detection http://www.raid-symposium.org The RAID workshop series is an annual event dedicated to the sharing of information related to intrusion detection.

Reliable Software Laboratory of UCSB http://www.cs.ucsb.edu/~rsg/STAT The Reliable Software Group (RSG) works on languages and tools for designing, building, and validating software systems. Specific areas that the group has targeted include concurrent and real-time systems. RSG is also investigating techniques for increasing the security of computer systems, with particular emphasis on analyzing encryption protocols using machine-aided formal verification techniques, modeling and analyzing covert channels, modeling and detecting computer intrusions, analyzing mobile code and Web browsers for security violations, and approaches to secure Internet computing with unsecure applications.

ResearchIndex, IDS Section http://citeseer.nj.nec.com/Security/IntrusionDetection ResearchIndex is a scientific literature digital library that aims to improve the dissemination and feedback of scientific literature, and to provide improvements in functionality, usability, availability, cost, comprehensiveness, efficiency, and timeliness.

Secure and Reliable Systems Lab at SUNY Stony Brook http://seclab.cs.sunysb.edu This group's research is aimed broadly at developing new approaches, technologies, and tools for improving the security and reliability of networks and distributed software systems.

SHANG: Secure and Highly Available Networking Group(NCSU) http://shang.csc.ncsu.edu/index.html SHANG's main objective is to build a high-confidence networking infrastructure system, which involves a wide range of research issues in the areas of network security, network management, and networking software development.

The Center for Secure and Dependable Software(University of Idaho) http://www.csds.uidaho.edu/ Hummer is a distributed component for any IDS; Magpie is a hierarchical network of lightweight, mobile, and adaptive tools designed both to investigate and to guard against intrusions.