legitimate users should have fair and timely access, the services should be usable and the capacity provided should meet needs. Ensuring that these three aspects are provided for is the primary challenge facing security professionals today.

1.2 Extended Generic Intrusion Detection Model

Intrusion detection started with network-based and host-based systems. Later there were attempts to bring these together into one system. In order to handle large networks, these systems were installed on different parts of the network. But most of these intrusion detection systems (IDSs) have central analysis components. This presents a single point of failure for the whole system. They do not scale well to a distributed network. In addition, each intrusion detection system has its own way of reporting, which is usually not compatible with other systems.

The extended generic intrusion detection model (EGIDEM) attempts to overcome these limitations by providing an infrastructure for handling intrusions on a distributed scale and for sharing information between different hosts, thus avoiding the need for central analysis. The focus throughout this thesis is on developing small and effective agents for intrusion detection and analysis. These agents can be incorporated on the fly into the system and are not critical for the system to function. Analysis is done on a distributed scale by these agents, and hence there is no single point of failure. The policy-based approach allows for most of the system intelligence to be present in the rule set, thus avoiding the need for complicated components.

1.3 Organization of the Thesis

Chapter 2 gives an introduction to Intrusion Detection Systems and discusses some of the work currently being done on these systems. Chapter 3 describes the architecture of our Intrusion Detection System and how it scales to a large distributed