
Kai, 2004 INSA1 The Evolution of Intrusion Detection Systems.


1 The Evolution of Intrusion Detection Systems

2 IDS Components
Network Intrusion Detection (NID)
  1. Switched networks
  2. Encrypted networks
  3. High-speed networks
Host-based Intrusion Detection (HID)
Hybrid Intrusion Detection
Network-Node Intrusion Detection (NNID)

3 A Brief History of IDS
revealed the necessary information for commercial intrusion detection system development
Stalker was a host-based, pattern matching system that included robust search capabilities to manually and automatically query the audit data
UC Davis’ Lawrence Livermore Lab produced an IDS that analyzed audit data by comparing it with defined patterns.
Distributed Intrusion Detection System (DIDS) augmented the existing solution by tracking client machines as well as the servers it originally monitored.
audit trails contained vital information that could be valuable in tracking misuse and understanding user behavior
analyze audit trails from government mainframe computers and create profiles of users based upon their activities
Intrusion Detection Expert System
UC Davis's Todd Heberlein developed NSM, the first network intrusion detection system
along with the Haystack team, Heberlein introduced the first idea of hybrid intrusion detection.
the first commercial vendor of IDS tools, with its Stalker line of host-based products.
SAIC was also developing a form of host-based intrusion detection, called Computer Misuse Detection System (CMDS).
Air Force's Cryptologic Support Center developed the Automated Security Measurement System to monitor network traffic on the US Air Force's network.
ASIM made considerable progress in overcoming scalability and portability issues.
NetRanger, the first commercially viable network intrusion detection device.
The security market leader developed a network intrusion detection system called RealSecure.
SAIC’s CMDS team
the first visible host-based intrusion detection company

4 The players in IDS market (I): Cisco
Diagram labels: Air Force Cryptologic Support Center ASIM ASIM Development Staff from AF CSC Wheel Group NetRanger Network-Based Catalyst 6000 IDS 4230 IDS 4210 Host-Based (Entercept tech) Standard Edition Enterprise Edition CISCO Entercept tech Standard Edition Enterprise Edition $124 Million In 1997

5 The players in IDS market (II): Internet Security Systems (ISS)
Diagram labels: ISS Network-Based RealSecure Host-Based RealSecure In 1997 In 1999 Network ICE BlackICE Sentry (GigaBit) BlackICE Sentry

6 The players in IDS market (III): Symantec
Diagram labels: Network-Based NetProwler Host-Based Intruder Alert Symantec Axent

7 The players in IDS market (IV): Enterasys
Diagram labels: Network-Based Dragon Host-Based Squire Enterasys/Cabletron Network Security Wizards

8 Diagram labels: UCAL Davis Lawrence Livermore labs Haystack Labs Stalker Haystack Development staff SAIC Centrax Entrax CMDS Development Staff People from Haystack Labs Trusted Information Systems Network Associates CyberSafe Host-Based Centrax Network-Based Centrax (NNID tech.) NetworkICE MimeStar SecureNet Pro ODS CMDS Host-based CMDS Host-based Kane Network-based SecureNet Pro Intrusion.com Host-based Kane

9 Conclusion
Government funding and corporate interest helped Anderson, Heberlein, and Denning spawn the evolution of IDS.
Intrusion detection has indeed come a long way, becoming a necessary means of monitoring, detecting, and responding to security threats.

