Intrusion Detection Systems mailing list archives

Re: NIDS Patent


From: stuart () SiliconDefense com (Stuart Staniford)
Date: Fri, 26 May 2000 15:15:17 -0700


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Daniel Esbensen wrote:

>> I am unable to see how the patent claims embody any features that weren't
>> already present in Todd Heberlein's papers on the Network Security Monitor
>> in the late '80s and very early '90s.  As far as I know, NSM was the first
>> NIDS.  Becky Bace's book says the same thing.

> We did the initial work in early 1990.

>> I've cc:d Dan Esbensen and Todd Heberlein.  Dan - did you really invent
>> network intrusion detection before anyone else?  Why didn't you file till
>> 1996?

> Yes.  I think we did invent intrusion detection by way of picking off
> packet streams and recreating the service-level data-flow from the raw
> packets and then analysing the data-flow for the intrusion signatures.

Thanks for the helpful information.

Here are the references I know of to the NSM:

L. T. Heberlein, G. Dias, K. Levitt, B. Mukherjee, J. Wood, and D. Wolber,
     "A network security monitor,"
     Proc., 1990 Symposium on Research in Security and Privacy, pp. 296-304,
     Oakland, CA, May 1990.

L. T. Heberlein, G. Dias, K. Levitt, B. Mukherjee, and J. Wood,
     "Network security monitoring and an Ethernet-based network security monitor,"
     Proc. of the DOE Conference on Computer Security, Augusta, GA, May 1990.

I actually found the first paper at (URL will wrap):

http://www12.informatik.tu-muenchen.de/teaching/ws99/ESE/papers/Heberlein90.pdf

The second one I don't have access to at present.

The deadline for the Oakland conference is usually in November of the
previous year (i.e. the paper would have been submitted in November 89).  The
paper speaks of using versions of the NSM for a year prior to the paper.
It's not quite clear how much of the final functionality of the NSM
was present at this stage in its evolution, but it appears to me that it
collides with at least some of the patent claims.  The NSM did eventually
do pretty much all the things described in the patent, but I don't know
about the timeline.  (Note that descendants of NSM are still in wide use on
DOD and DOE networks under names like NID, JIDS, and ASIM).

Also - did all the things in your patent claim get invented in early 1990?

>> Todd often doesn't get the credit that he should for his very prescient
>> work.

> In our case, the patent was *required* by investors.  Without possible
> patent protection we could not attract any investors at all.  So,
> although I completely understand your desire for not clouding up the
> field -- from a business standpoint there is a LOT of pressure to get
> the patents.
>
> In fact, from an academic standpoint I completely agree with your
> thoughts on no more patents in this area.  But, from a BUSINESS
> standpoint it makes it almost impossible to attract the needed $$$ for
> research and development.

I understand that pressure.


> I hope this helps.

Yes, thanks.  This seems very important for all of us involved in network
intrusion detection to figure out.

Stuart.

> Dan Esbensen
> Director of Advanced Research
> Touch Technologies, Inc.
> 9988 Hibert Street, Ste 310
> San Diego, CA 92131
> 858/566-3603
> dan () ttinet com
> http://www.ttinet.com/

-- 
Stuart Staniford  ---  President  ---  Silicon Defense
                   stuart () silicondefense com
(707) 445-4355                     (707) 445-4222 (FAX)