VenusIDS: An Active Database Component for Intrusion Detection


Lane B. Warshaw, Lance Obermeyer, Daniel P. Miranker, Sara P. Matzner

Abstract

Active databases are a budding technology in which rule-based expert systems can be developed in tight integration with database management systems. This paper presents VenusIDS, an active-database component of the Network Exploitation Detection Analyst Assistant (NEDAA), built with the VenusDB active database system as an enhancement to the analysis layer of a two-layer distributed network intrusion detection system. The layers consist of a network layer and an analysis layer. The network layer contains probes on each subnetwork that sniff network traffic and forward interesting packets in real time to a central Oracle database. The analysis layer comprises this central database and the mechanism that identifies and reports intrusions. For active-database technology to form an effective basis for intrusion detection, it must process network events at least as fast as the network probes produce and log them. Our performance results show that VenusIDS is more than fast enough to handle this rate. Further, VenusIDS scales in both the number of rules and the size of the underlying database. As context for the VenusIDS component, we begin by describing the application architecture and the VenusDB system, with emphasis on the features that matter for distributed intrusion detection. We then describe the VenusIDS component and the performance profile that enables near-real-time intrusion detection. We conclude with a discussion of future topics for active-database analysis layers.
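To make the analysis-layer mechanism concrete, the following is an added illustration of an event-condition-action rule over a table of probe events; it is not VenusIDS or VenusDB code, and the paper's actual rules are not described in the abstract. The schema, the rule (a hypothetical "many distinct destination ports from one source inside a short window" check), the thresholds and the sample events are all constructed here, and sqlite3 stands in for the central Oracle database. The point it demonstrates is the one the abstract makes: because the rule is evaluated inside the insert, detection either keeps pace with ingestion or slows ingestion down, so the throughput of the rule-bearing table is the number to compare against the probes' logging rate.

```python
"""Added illustration, not VenusIDS or VenusDB code: an event-condition-action
(ECA) rule realised as a database trigger over a table of probe events.  The
schema, the rule, the thresholds and the sample events are constructed for
this example; sqlite3 stands in for the central Oracle database."""
import sqlite3
import time

WINDOW_SECONDS = 10.0   # hypothetical sliding window for the rule
PORT_THRESHOLD = 5      # hypothetical number of distinct ports that trips it

SCHEMA = f"""
CREATE TABLE packet_event (
    id       INTEGER PRIMARY KEY,
    ts       REAL    NOT NULL,   -- probe timestamp (seconds)
    probe    TEXT    NOT NULL,   -- which subnetwork probe forwarded it
    src_ip   TEXT    NOT NULL,
    dst_ip   TEXT    NOT NULL,
    dst_port INTEGER NOT NULL
);
-- The condition is a lookup by source within a time window; this index is
-- what keeps rule evaluation cost flat as the event table grows.
CREATE INDEX packet_event_src_ts ON packet_event (src_ip, ts);

CREATE TABLE alert (
    id     INTEGER PRIMARY KEY,
    ts     REAL NOT NULL,
    src_ip TEXT NOT NULL,
    rule   TEXT NOT NULL
);

-- Event:     a probe inserts a packet row.
-- Condition: the source has touched >= {PORT_THRESHOLD} distinct destination
--            ports within the last {WINDOW_SECONDS} seconds and no alert for
--            it was raised inside that window.
-- Action:    record an alert.  No separate polling pass over the table.
CREATE TRIGGER eca_port_sweep AFTER INSERT ON packet_event
WHEN (SELECT COUNT(DISTINCT dst_port) FROM packet_event
      WHERE src_ip = NEW.src_ip
        AND ts >= NEW.ts - {WINDOW_SECONDS}) >= {PORT_THRESHOLD}
 AND NOT EXISTS (SELECT 1 FROM alert
                 WHERE src_ip = NEW.src_ip AND rule = 'port_sweep'
                   AND ts >= NEW.ts - {WINDOW_SECONDS})
BEGIN
    INSERT INTO alert (ts, src_ip, rule)
    VALUES (NEW.ts, NEW.src_ip, 'port_sweep');
END;
"""

# Constructed sample traffic: one ordinary client and one host that sweeps
# ports twice, the two sweeps separated by more than the window.
SAMPLE_EVENTS = [
    # (ts,    probe,     src_ip,     dst_ip,     dst_port)
    (100.0, "probe-a", "10.0.0.9", "10.0.1.1", 80),
    (100.5, "probe-a", "10.0.0.5", "10.0.1.1", 21),
    (101.0, "probe-a", "10.0.0.5", "10.0.1.1", 22),
    (101.5, "probe-a", "10.0.0.9", "10.0.1.1", 80),
    (102.0, "probe-a", "10.0.0.5", "10.0.1.1", 23),
    (102.5, "probe-a", "10.0.0.5", "10.0.1.1", 25),
    (103.0, "probe-b", "10.0.0.5", "10.0.1.2", 80),    # 5th distinct port: fires
    (103.5, "probe-b", "10.0.0.5", "10.0.1.2", 443),   # same window: suppressed
    (120.0, "probe-a", "10.0.0.9", "10.0.1.1", 443),
    (200.0, "probe-a", "10.0.0.5", "10.0.1.3", 135),
    (201.0, "probe-a", "10.0.0.5", "10.0.1.3", 139),
    (202.0, "probe-a", "10.0.0.5", "10.0.1.3", 445),
    (203.0, "probe-a", "10.0.0.5", "10.0.1.3", 3389),
    (204.0, "probe-a", "10.0.0.5", "10.0.1.3", 5900),  # new window: fires again
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def ingest(conn, events):
    """Insert events row by row, as probes forwarding in real time would;
    the trigger evaluates the rule before each insert returns."""
    with conn:
        conn.executemany(
            "INSERT INTO packet_event (ts, probe, src_ip, dst_ip, dst_port) "
            "VALUES (?, ?, ?, ?, ?)", events)


def alerts(conn):
    return conn.execute("SELECT ts, src_ip, rule FROM alert ORDER BY id").fetchall()


def run_example():
    conn = open_db()
    ingest(conn, SAMPLE_EVENTS)
    return alerts(conn)


def events_per_second(n=5000):
    """Crude throughput probe for the rule-bearing table.  If this is below
    the rate the probes log at, the analysis layer falls behind and detection
    is no longer near real time.  Sources are spread out so nothing fires."""
    conn = open_db()
    events = [(float(i), "probe-x", f"10.2.{(i >> 8) & 255}.{i & 255}",
               "10.0.1.1", 80) for i in range(n)]
    start = time.perf_counter()
    ingest(conn, events)
    return n / max(time.perf_counter() - start, 1e-9)


if __name__ == "__main__":
    for ts, src, rule in run_example():
        print(f"t={ts:6.1f} {rule} from {src}")
    print(f"~{events_per_second():.0f} events/s through the trigger")
```

Two things to watch when reading the measurement: the trigger's cost here is bounded by the `(src_ip, ts)` index rather than by the size of `packet_event`, which is the property that lets the rule base and the event table grow without the per-event cost growing with them; a rule whose condition needs a full scan would lose that property immediately. And the suppression clause is not cosmetic: without it a sustained sweep would raise one alert per packet, and the alert table would become a second ingestion stream competing with the first.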