minNIDS: Design and Implementation
Abstract
An intrusion detection system (IDS) is an important means of addressing network security problems and an important link in a network security defence system. Research on intrusion detection is therefore receiving growing attention.
In recent years, with deeper study of hacker attack techniques, intrusion detection technology has been continuously refined and is developing toward intelligent and distributed designs. Against this background, and drawing on the relevant literature, this thesis works out in detail a model of an intrusion detection system. Its aim is to implement the basic functions of intrusion detection while incorporating certain advanced design ideas into the system.
The guiding idea of the design is a detection approach that combines attack-signature detection with detection of anomalous system behaviour. Signature-based detection has the advantage of high accuracy, while anomaly-based detection has strong predictive power and can discover unknown attacks. Combining the two greatly improves the system's ability to detect attack behaviour.
The development platform is UNIX and the programming language is C. A centralized control strategy is used, with all modules of the system residing on a single host. The operating environment is Ethernet, and the detection target is the data transmitted on the network.
The system's operation consists of two basic steps: capturing and filtering packets from the network, and matching and detection.
Because this process is very clear-cut, it provides the basis for dividing the system into modules. The system can be composed of a module that captures and filters packets and a module that performs matching and detection; a main control module and certain auxiliary modules are of course also needed.
Once the division into functional modules is settled, what remains is to consider how to implement the corresponding functions.
Implementing packet capture and filtering is comparatively simple. This thesis introduces three kernel filtering mechanisms and analyses the working principle of BPF in particular. Although BPF is highly efficient, using it directly in practice is quite difficult, so a mechanism is needed that builds on BPF but provides an interface through which user programs interact with the operating system kernel. The Libpcap function library does exactly this. Because Libpcap simplifies programming, this thesis uses Libpcap to capture packets from the network and filter them.
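The BPF mechanism described above, as an added example that is not part of the thesis: a minimal interpreter for a subset of the classic BPF instruction set, run over a constructed Ethernet/IPv4/TCP frame. It shows what the kernel filter does for every packet before deciding whether to hand it to the capture program. The opcode subset, the filter program (equivalent to "ip and tcp dst port 80") and the frame layout are assumptions made for this illustration; Libpcap itself is not used, so the block runs stand-alone.

```c
/* Added example, not code from the thesis: a minimal interpreter for the
 * classic BPF instruction set, enough to run a "tcp dst port 80" style filter
 * over a constructed Ethernet/IPv4/TCP frame. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { LDH_ABS, LDB_ABS, LDH_IND, LDXB_MSH, JEQ, JSET, RET };

typedef struct { uint8_t op, jt, jf; uint32_t k; } bpf_insn;

/* Run prog over pkt. Returns the RET value (bytes to accept), 0 = reject.
 * Any load beyond the packet end rejects the packet, as the kernel does. */
uint32_t bpf_run(const bpf_insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0, off;
    for (size_t pc = 0; pc < n; pc++) {
        const bpf_insn *in = &prog[pc];
        switch (in->op) {
        case LDH_ABS:                       /* A = 16-bit big-endian word at [k] */
            if ((size_t)in->k + 2 > len) return 0;
            A = (uint32_t)pkt[in->k] << 8 | pkt[in->k + 1];
            break;
        case LDB_ABS:                       /* A = byte at [k] */
            if ((size_t)in->k + 1 > len) return 0;
            A = pkt[in->k];
            break;
        case LDXB_MSH:                      /* X = 4 * (pkt[k] & 0x0f): the IPv4 header length */
            if ((size_t)in->k + 1 > len) return 0;
            X = 4 * (pkt[in->k] & 0x0f);
            break;
        case LDH_IND:                       /* A = 16-bit word at [X + k] */
            off = X + in->k;
            if ((size_t)off + 2 > len) return 0;
            A = (uint32_t)pkt[off] << 8 | pkt[off + 1];
            break;
        case JEQ:  pc += (A == in->k) ? in->jt : in->jf; break;   /* jumps are relative to pc+1 */
        case JSET: pc += (A & in->k) ? in->jt : in->jf; break;
        case RET:  return in->k;
        }
    }
    return 0;
}

/* Filter program equivalent to "ip and tcp dst port 80" on Ethernet. */
static const bpf_insn tcp_dport_80[] = {
    { LDH_ABS,  0, 0, 12 },      /*  0: A = EtherType                   */
    { JEQ,      0, 8, 0x0800 },  /*  1: IPv4? else -> 10 (reject)        */
    { LDB_ABS,  0, 0, 23 },      /*  2: A = IP protocol                  */
    { JEQ,      0, 6, 6 },       /*  3: TCP? else -> 10                  */
    { LDH_ABS,  0, 0, 20 },      /*  4: A = flags + fragment offset      */
    { JSET,     4, 0, 0x1fff },  /*  5: non-first fragment -> 10         */
    { LDXB_MSH, 0, 0, 14 },      /*  6: X = IP header length             */
    { LDH_IND,  0, 0, 16 },      /*  7: A = TCP dst port at [X + 14 + 2] */
    { JEQ,      0, 1, 80 },      /*  8: port 80? -> 9, else -> 10        */
    { RET,      0, 0, 0xffff },  /*  9: accept                           */
    { RET,      0, 0, 0 },       /* 10: reject                           */
};

/* Build a constructed 54-byte Ethernet/IPv4/TCP (or UDP) frame. */
static size_t build_frame(uint8_t *f, uint8_t proto, uint16_t frag_field, uint16_t dport)
{
    memset(f, 0, 54);
    f[12] = 0x08; f[13] = 0x00;                 /* EtherType IPv4            */
    f[14] = 0x45;                               /* version 4, IHL 5 (20 B)   */
    f[16] = 0x00; f[17] = 40;                   /* total length 40           */
    f[20] = frag_field >> 8; f[21] = frag_field & 0xff;
    f[22] = 64; f[23] = proto;                  /* TTL, protocol             */
    f[34] = 0xc3; f[35] = 0x50;                 /* src port 50000            */
    f[36] = dport >> 8; f[37] = dport & 0xff;   /* dst port                  */
    return 54;
}

/* 1 if the filter accepts a frame with these header fields, 0 otherwise. */
int filter_accepts(uint8_t proto, uint16_t frag_field, uint16_t dport)
{
    uint8_t frame[54];
    size_t len = build_frame(frame, proto, frag_field, dport);
    return bpf_run(tcp_dport_80, sizeof tcp_dport_80 / sizeof tcp_dport_80[0], frame, len) != 0;
}

int main(void)
{
    printf("tcp/80 first fragment : %d\n", filter_accepts(6, 0x4000, 80));
    printf("udp/80                : %d\n", filter_accepts(17, 0x4000, 80));
    printf("tcp/80 later fragment : %d\n", filter_accepts(6, 0x0001, 80));
    return 0;
}
```

Instruction 5 is worth noting for what follows in the abstract: the filter accepts only the first fragment of a datagram, because later fragments carry no TCP header to inspect. That is exactly why a filter alone cannot see a signature spread across fragments and why a reassembly step belongs in preprocessing.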
After the packets have been captured and filtered, the matching and detection process begins. This thesis implements it in two steps: a preprocessing stage and a processing stage, with a corresponding preprocessing module and processing module. The processing stage uses attack-signature matching, whose principle is similar to that of most anti-virus software and which places very high demands on efficiency. The preprocessing stage is an important supplement to the processing stage. For example, some attackers fragment their packets to evade detection, so that each fragment contains only part of an attack signature and may slip past the processing stage (for efficiency reasons the processing stage does not reassemble fragments). The preprocessing stage, however, can reassemble the fragments, so that the attack is then easily detected in the subsequent processing stage. Furthermore, if an attack is discovered directly during preprocessing, the subsequent processing stage can be skipped, which improves detection efficiency.
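The fragment-reassembly role of the preprocessing stage, as an added example that is not code from the thesis: two constructed fragments each carry only part of a signature, so per-fragment matching (what the processing stage does) misses it, while matching the reassembled datagram finds it. The fragment structure, the buffer size, the first-copy-wins overlap policy and the sample payloads are assumptions made for this illustration.

```c
/* Added example, not code from the thesis: fragment reassembly in the
 * preprocessing stage, showing why a signature split across fragments is
 * invisible to per-packet matching but visible after reassembly. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DGRAM 512

typedef struct {
    uint16_t id;            /* IP identification: groups fragments of one datagram */
    uint16_t offset;        /* byte offset of this fragment's data within the datagram */
    int more_fragments;     /* MF flag; 0 on the last fragment */
    const uint8_t *data;
    uint16_t len;
} fragment;

typedef struct {
    uint16_t id;
    uint8_t buf[MAX_DGRAM];
    uint8_t have[MAX_DGRAM];   /* 1 where a byte has arrived */
    int total;                 /* datagram length once the last fragment is seen, else -1 */
} reasm_ctx;

void reasm_init(reasm_ctx *c, uint16_t id)
{
    memset(c, 0, sizeof *c);
    c->id = id;
    c->total = -1;
}

/* Add one fragment. Returns 1 when the datagram is complete, 0 if holes remain,
 * -1 for a fragment of another datagram or one that would overrun the buffer. */
int reasm_add(reasm_ctx *c, const fragment *f)
{
    if (f->id != c->id) return -1;
    if ((size_t)f->offset + f->len > MAX_DGRAM) return -1;
    for (uint16_t i = 0; i < f->len; i++) {
        size_t pos = (size_t)f->offset + i;
        if (!c->have[pos]) {            /* overlap policy: first copy wins */
            c->buf[pos] = f->data[i];
            c->have[pos] = 1;
        }
    }
    if (!f->more_fragments) c->total = f->offset + f->len;
    if (c->total < 0) return 0;
    for (int i = 0; i < c->total; i++)
        if (!c->have[i]) return 0;      /* hole: still waiting */
    return 1;
}

/* memmem-style signature search; returns 1 if sig occurs in buf. */
int sig_present(const uint8_t *buf, size_t len, const char *sig)
{
    size_t n = strlen(sig);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, sig, n) == 0) return 1;
    return 0;
}

/* Constructed demonstration. Bit 0 of the result: signature seen in some
 * single fragment; bit 1: signature seen after reassembly. */
int demo_split_signature(void)
{
    static const uint8_t part1[] = "GET /cgi-bin/EXAMPLE-SI";   /* constructed payload */
    static const uint8_t part2[] = "GNATURE HTTP/1.0\r\n";
    const char *sig = "EXAMPLE-SIGNATURE";                       /* constructed signature */
    fragment f1 = { 0x1234, 0, 1, part1, sizeof part1 - 1 };
    fragment f2 = { 0x1234, sizeof part1 - 1, 0, part2, sizeof part2 - 1 };
    int result = 0;
    reasm_ctx c;

    if (sig_present(f1.data, f1.len, sig) || sig_present(f2.data, f2.len, sig)) result |= 1;

    reasm_init(&c, 0x1234);
    reasm_add(&c, &f2);                          /* fragments may arrive out of order */
    if (reasm_add(&c, &f1) == 1 && sig_present(c.buf, (size_t)c.total, sig)) result |= 2;
    return result;
}

int main(void)
{
    printf("result bitmask: %d\n", demo_split_signature());
    return 0;
}
```

A real preprocessor would also bound the number of in-progress datagrams and expire them on a timer, since half-complete fragment sets are themselves a resource-exhaustion risk for the sensor; the block keeps a single context to stay readable.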
To allow for functional extension, the preprocessing and processing modules are designed around a plug-in concept: each detection function is implemented by a specific plug-in. When a detection function is needed it can simply be "plugged in" to the system, and when it is not needed it can simply be "unplugged". All plug-ins are constructed in essentially the same way; only the implementation of their function differs.
Two plug-ins are designed and implemented in the preprocessing module. The first detects scanning and large-scale network attacks. It works as follows: several IP addresses (usually consecutive) are assigned to one host; exactly one of them is the primary IP address and the others are called trap IP addresses. Whenever the host actively accesses the network or offers services, it uses the primary address. In normal use the trap addresses carry no traffic at all (apart from a small amount of communication with the router). If traffic appears at a trap address, then either a legitimate user has contacted a wrong address, an attacker has chosen it as a target, or a large-scale automated attack is under way. The second plug-in detects anomalous system behaviour. It works as follows: a traffic model of the system's normal operation is built and used to train a BP (back-propagation) neural network so that its output is sensitive to anomalous input; during actual detection the network's output then reveals anomalous behaviour. In addition, the input samples of the BP network are adjusted and combined, and several BP networks are used in combination to provide redundancy, which improves detection accuracy and speed.
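The trap-address plug-in, as an added example that is not code from the thesis. It goes slightly beyond the abstract by distinguishing a single stray contact from a source that touches two or more trap addresses, which is the pattern a sweep produces. The address block, the router address, the alert levels and the packet records are all constructed for this illustration.

```c
/* Added example, not code from the thesis: the trap-address plug-in idea.
 * The host owns four consecutive addresses; addrs[0] is the primary, the rest
 * are traps that no legitimate peer should contact. Any packet to a trap is
 * reported, and a source that touches two or more traps is classified as a
 * sweep. Addresses, the router address and the packet records are constructed. */
#include <stdint.h>
#include <stdio.h>

#define N_ADDR   4
#define MAX_SRC  32

enum { TRAP_NONE = 0, TRAP_HIT = 1, TRAP_SWEEP = 2 };

typedef struct { uint32_t src, dst; } pkt_rec;

typedef struct {
    uint32_t addrs[N_ADDR];            /* addrs[0] primary, addrs[1..] traps */
    uint32_t router;                   /* the router's small amount of traffic to traps is expected */
    struct { uint32_t src; uint32_t trap_mask; } seen[MAX_SRC];
    int n_seen;
} trap_monitor;

static uint32_t ip4(int a, int b, int c, int d)
{
    return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d;
}

static int popcount32(uint32_t v) { int n = 0; for (; v; v &= v - 1) n++; return n; }

/* Index of dst among the trap addresses (1..N_ADDR-1), or 0 if it is not a trap. */
int trap_index(const trap_monitor *m, uint32_t dst)
{
    for (int i = 1; i < N_ADDR; i++)
        if (m->addrs[i] == dst) return i;
    return 0;
}

/* Feed one packet. Returns TRAP_NONE for primary/router traffic, TRAP_HIT for
 * a contact with a trap, TRAP_SWEEP once the same source has hit two traps. */
int trap_observe(trap_monitor *m, const pkt_rec *p)
{
    int t = trap_index(m, p->dst), i;
    if (t == 0 || p->src == m->router) return TRAP_NONE;
    for (i = 0; i < m->n_seen; i++)
        if (m->seen[i].src == p->src) break;
    if (i == m->n_seen) {
        if (m->n_seen == MAX_SRC) return TRAP_HIT;   /* table full: still report, no per-source state */
        m->seen[m->n_seen].src = p->src;
        m->seen[m->n_seen].trap_mask = 0;
        m->n_seen++;
    }
    m->seen[i].trap_mask |= 1u << t;
    return popcount32(m->seen[i].trap_mask) >= 2 ? TRAP_SWEEP : TRAP_HIT;
}

void trap_init(trap_monitor *m)
{
    for (int i = 0; i < N_ADDR; i++) m->addrs[i] = ip4(192, 0, 2, 10 + i);   /* 192.0.2.10 .. .13, constructed */
    m->router = ip4(192, 0, 2, 1);
    m->n_seen = 0;
}

/* Constructed traffic; returns the highest alert level observed. */
int demo_trap(void)
{
    trap_monitor m; trap_init(&m);
    pkt_rec recs[] = {
        { ip4(198, 51, 100, 7), ip4(192, 0, 2, 10) },   /* client -> primary: normal     */
        { ip4(192, 0, 2, 1),    ip4(192, 0, 2, 11) },   /* router -> trap: expected      */
        { ip4(198, 51, 100, 9), ip4(192, 0, 2, 12) },   /* stray contact with one trap   */
        { ip4(203, 0, 113, 5),  ip4(192, 0, 2, 11) },   /* same source walks the traps   */
        { ip4(203, 0, 113, 5),  ip4(192, 0, 2, 12) },
    };
    int worst = TRAP_NONE;
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++) {
        int r = trap_observe(&m, &recs[i]);
        if (r > worst) worst = r;
    }
    return worst;
}

int main(void) { printf("worst alert level: %d\n", demo_trap()); return 0; }
```

Because the trap addresses have no legitimate users, the false-positive rate of this check is governed almost entirely by how well the router exception is scoped; a deployment would also age the per-source table so that a long-running sensor does not fill it.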
The writing and organization of the rule file are described in detail, and on that basis a two-dimensional linked-list structure is designed. The rule file stores the various extracted attack signatures, but it cannot be matched directly against the data captured from the network; it must first be converted into a data form the intrusion detection system can use, which is the purpose of rule-file parsing. Parsing the rule file means inserting each rule into its proper position in the two-dimensional linked list. Actual detection then amounts to traversing this structure: certain key information obtained by processing the captured and filtered packets (such as protocol and IP addresses) is pattern-matched against the attack signatures stored in the list's nodes, thereby achieving intrusion detection. The implementation of rule-file parsing and rule matching is also explained concretely.
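The rule-file parsing and two-dimensional list traversal described above, as an added example that is not code from the thesis. The rule syntax used here is hypothetical, `<proto> <dst port> "<content>" <message>`, and the rules and packet payloads are constructed. The first dimension is a chain of header nodes, one per distinct (protocol, port) pair; the second dimension hangs the content options of every rule sharing that header off its header node, so the header fields are compared once per header rather than once per rule.

```c
/* Added example, not code from the thesis: parse a rule file into a
 * two-dimensional linked list and match packets against it.
 * Hypothetical rule syntax:  <proto> <dst port> "<content>" <message> */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct opt_node {          /* second dimension: one rule's signature */
    char content[64];
    char msg[128];
    struct opt_node *next;
} opt_node;

typedef struct rule_hdr {          /* first dimension: shared protocol/port header */
    char proto[8];
    unsigned short dport;
    opt_node *opts;
    struct rule_hdr *next;
} rule_hdr;

/* Find the header node for (proto, dport), creating it if absent. */
static rule_hdr *hdr_get(rule_hdr **head, const char *proto, unsigned short dport)
{
    rule_hdr *h;
    for (h = *head; h; h = h->next)
        if (h->dport == dport && strcmp(h->proto, proto) == 0) return h;
    h = calloc(1, sizeof *h);
    if (!h) return NULL;
    strncpy(h->proto, proto, sizeof h->proto - 1);
    h->dport = dport;
    h->next = *head;
    *head = h;
    return h;
}

/* Parse one rule line into the list. Returns 1 on success, 0 on a malformed line. */
int rule_add_line(rule_hdr **head, const char *line)
{
    char proto[8], content[64], msg[128];
    unsigned short dport;
    if (sscanf(line, "%7s %hu \"%63[^\"]\" %127[^\n]", proto, &dport, content, msg) != 4) return 0;
    rule_hdr *h = hdr_get(head, proto, dport);
    opt_node *o = h ? calloc(1, sizeof *o) : NULL;
    if (!o) return 0;
    strcpy(o->content, content);
    strcpy(o->msg, msg);
    o->next = h->opts;                 /* push onto the header's option chain */
    h->opts = o;
    return 1;
}

/* Load a rule file held in memory, one rule per line. Returns the number of rules accepted. */
int rules_load(rule_hdr **head, const char *text)
{
    int n = 0;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[256];
        if (len > 0 && len < sizeof line) {
            memcpy(line, text, len); line[len] = '\0';
            n += rule_add_line(head, line);
        }
        text = nl ? nl + 1 : text + len;
    }
    return n;
}

static int find_bytes(const char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Walk the first dimension on the packet's header fields, then the second on its
 * payload. Returns the message of the first matching rule, or NULL. */
const char *rules_match(const rule_hdr *head, const char *proto, unsigned short dport,
                        const char *payload, size_t len)
{
    for (const rule_hdr *h = head; h; h = h->next) {
        if (h->dport != dport || strcmp(h->proto, proto) != 0) continue;
        for (const opt_node *o = h->opts; o; o = o->next)
            if (find_bytes(payload, len, o->content)) return o->msg;
    }
    return NULL;
}

int rules_count_headers(const rule_hdr *head) { int n = 0; for (; head; head = head->next) n++; return n; }

void rules_free(rule_hdr *head)
{
    while (head) {
        rule_hdr *hn = head->next;
        while (head->opts) { opt_node *on = head->opts->next; free(head->opts); head->opts = on; }
        free(head); head = hn;
    }
}

int main(void)
{
    /* Constructed rule file: three rules, two of which share the tcp/80 header, plus a bad line. */
    const char *rules_text =
        "tcp 80 \"/../\" WEB path traversal attempt\n"
        "tcp 80 \"EXAMPLE-SIG\" WEB test signature\n"
        "tcp 21 \"EXAMPLE-FTP\" FTP test signature\n"
        "this line is malformed\n";
    rule_hdr *rules = NULL;
    int n = rules_load(&rules, rules_text);
    const char *payload = "GET /../secret HTTP/1.0";
    const char *m = rules_match(rules, "tcp", 80, payload, strlen(payload));
    printf("%d rules, %d headers, match: %s\n", n, rules_count_headers(rules), m ? m : "none");
    rules_free(rules);
    return 0;
}
```

Malformed lines are counted but not loaded, so the return value of `rules_load` can be compared against the line count to catch a rule file that silently lost entries, which is the failure a sensor operator most needs to notice.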
Finally, ideas for further improvement are proposed. Since distributed architectures are the direction of future development, some attempts are made in this area as well, with emphasis on implementing the communication function.
English Abstract
Intrusion detection systems are regarded as one of the important methods for solving computer network security problems, and at the same time as an important link in the network security defence system. Many people are therefore beginning to pay attention to intrusion detection systems.
In recent years, with deeper research into hackers' attack methods, intrusion detection technology has become more and more refined and is developing toward intelligence and distribution. On this ground, based on relevant data and materials, the paper works out the model of an intrusion detection system. In the model some fundamental functions are achieved and some advanced design thinking is built into the system.
The dominant design idea adopted by the paper is a detection approach integrating attack-signature detection with anomaly detection. Attack-signature detection has the advantage of high accuracy; anomaly detection has powerful predictive ability. Combining the two greatly enhances the system's capacity to detect attack behaviour.
The development platform adopted by the paper is UNIX and programming is done in C. The control mode is a central policy: every module of the system is placed on one computer. The environment the system runs in is Ethernet, and the detection object is the data transmitted on the network.
The working process of the system includes two basic steps: capture and filter packets; match data and detect intrusions.
This distinct working process provides the basis for module division. The system consists of two modules: one captures and filters packets, the other matches data and detects intrusions. Without doubt, the system also includes a main control module and some auxiliary modules.
After the functions of these modules are divided, the next step to consider is how to achieve the relevant functions.
It is simple to achieve the capture and filter functions. Three kernel filter mechanisms are introduced in the paper and the working principle of BPF is analysed in depth. Although BPF is efficient, it is difficult to use directly, so a better solution is sought: one based on BPF that provides an interface for interaction between the operating system kernel and user programs. Libpcap achieves this function and helps to simplify programming.
The next step to consider is how to achieve the function of matching data and detecting intrusions. The process is divided into two steps called Preprocess and Process, with corresponding Preprocess and Process modules. Attack-signature matching is adopted in Process; its principle is the same as in most anti-virus software and requires high efficiency. The function of Preprocess is an important supplement to Process. For example, to escape detection many hackers divide a packet into many small fragments. Each fragment includes only part of an attack signature, so it may escape detection (in view of efficiency, fragments are not reassembled in Process). After the fragments are reassembled in Preprocess, Process can easily detect the attack. In addition, if the attack is found in Preprocess, Process is not necessary, so detection efficiency is high.
In view of extending the system's functions, the paper adopts plug-in thinking: a specific function is achieved by a specific plug-in. When certain detection functions are needed, the plug-ins are inserted into the system; when they are not needed, the plug-ins are pulled out. The structure of all plug-ins is similar, but their functions differ.
Two plug-ins are developed in the Preprocess module in the paper. One is used to detect hackers' scans and large-scale network attacks. The process is described as follows: set many IP addresses on one computer (usually these addresses are consecutive); among them only one is the primary IP address, the other