different domains. This architecture does not require a central administration for the enterprise-wide monitors. The EMERALD monitor architecture is shown in Figure 2.2. The architecture makes it easy to add analysis engines to the monitor boundary and to remove them. The monitor performs both signature analysis and statistical profiling. The profiler engine performs statistical profile-based anomaly detection. The signature engine provides a focused and distributed signature analysis model. The normally central rule-base and inference engine are distributed and modularized into smaller, more focused signature engines. The resolver coordinates the analysis reports of the two engines and implements the response policy. The resource object is a pluggable library of target-specific configuration data and methods. This lets the monitor code base remain independent of the target machine specifics. To integrate third-party modules into the system, EMERALD uses a standard interface specification for communication.

2.6.3 GrIDS (A Graph Based Intrusion Detection System for Large Networks)

GrIDS [23] is a graph-based intrusion detection system. It collects data about activity on computers and network traffic between them. It then creates tree-like activity graphs from this information, which reveal the structure of network activity. The hosts form the nodes of the graph, while the activities between them are represented as branches between the nodes. The GrIDS components then add to the graph when the activity propagates to other hosts. The GrIDS algorithm has defined thresholds for the size of the graph, and when these thresholds are exceeded, an alarm is raised. If a graph is not being modified, it expires after some time and is deleted. The GrIDS system can also implement organization policies. The main goal of the GrIDS system is to detect widespread attacks and to do so in near real time.
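The graph-building, threshold and expiry behaviour described above can be sketched as follows. This is an added example, not GrIDS code: the class and function names, the rule that an event joins any graph containing either endpoint, the threshold of 4 hosts, the 60-second expiry and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)  # compare graphs by identity, not by content
class ActivityGraph:
    nodes: set = field(default_factory=set)   # hosts
    edges: set = field(default_factory=set)   # (src, dst) activity between hosts
    last_update: float = 0.0
    alarmed: bool = False

class GraphEngine:
    def __init__(self, max_nodes, expiry):
        self.max_nodes = max_nodes   # assumed size threshold (hosts per graph)
        self.expiry = expiry         # assumed idle lifetime in seconds
        self.graphs = []
        self.alarms = []             # (timestamp, sorted hosts in the graph)

    def observe(self, ts, src, dst):
        # Graphs not modified within the expiry window are deleted.
        self.graphs = [g for g in self.graphs if ts - g.last_update <= self.expiry]
        # Activity touching a host already in a graph extends that graph;
        # if it touches several graphs they are merged into one.
        touching = [g for g in self.graphs if src in g.nodes or dst in g.nodes]
        merged = ActivityGraph(alarmed=any(g.alarmed for g in touching))
        for g in touching:
            merged.nodes |= g.nodes
            merged.edges |= g.edges
        merged.nodes |= {src, dst}
        merged.edges.add((src, dst))
        merged.last_update = ts
        self.graphs = [g for g in self.graphs if g not in touching] + [merged]
        # Raise one alarm per graph when its size exceeds the threshold.
        if len(merged.nodes) > self.max_nodes and not merged.alarmed:
            merged.alarmed = True
            self.alarms.append((ts, sorted(merged.nodes)))

# Constructed sample events: (timestamp in seconds, source host, destination host)
EVENTS = [
    (0, "10.0.0.1", "10.0.0.2"), (2, "10.0.0.8", "10.0.0.9"),
    (5, "10.0.0.2", "10.0.0.3"), (6, "10.0.0.2", "10.0.0.4"),
    (10, "10.0.0.3", "10.0.0.5"), (500, "10.0.0.9", "10.0.0.7"),
]

def run(events, max_nodes=4, expiry=60):
    engine = GraphEngine(max_nodes, expiry)
    for ts, src, dst in sorted(events):
        engine.observe(ts, src, dst)
    return engine

if __name__ == "__main__":
    print(run(EVENTS).alarms)
```

In the sample, the chain starting at 10.0.0.1 grows to five hosts and triggers the alarm, while the unrelated 10.0.0.8/10.0.0.9 graph stays small and has expired by the time 10.0.0.9 is seen again.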