Intrusion Detection Systems mailing list archives

Bounced Messages [Mod FWD]


From: ruf959 () postmaster co uk (RuF NineFiveNine)
Date: Mon, 29 May 2000 13:26:52 +0100


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
1. Re: IDS: NIDS Patent, "Todd Heberlein" <todd () NetSQ com>
2. Re: IDS: NIDS Patent, dan () ttinet com (Daniel Esbensen)
__________________________________________________________________
Message-ID: <006c01bfc75d$6b1de330$0b387880@anakin>
From: "Todd Heberlein" <todd () NetSQ com>
To: "Daniel Esbensen" <dan () ttinet com>, <stuart () silicondefense com>,
        <turnere () mimestar com>, <ids () uow edu au>
Subject: Re: IDS: NIDS Patent

> > I am unable to see how the patent claims embody any features that
> > weren't already present in Todd Heberlein's papers on the Network
> > Security Monitor in the late '80s and very early '90s.  As far as I
> > know, NSM was the first NIDS.  Becky Bace's book says the same thing.
>
> We did the initial work in early 1990.

We began ours in 1988 :-)  and began rolling it out at DOD and DOE sites
by 1990 (Network Security Monitor (NSM)).  In the summer of 1990 we
began a second project integrating our network security monitor with
Haystack Labs' host based intrusion detection system.  That original
technology was completed in 1992 and was known as DIDS.

Some of the relevant papers up through 1991 are shown at the end.  There
is also a technical report floating around from June of 1991, but I
don't have the reference handy.

The DOE and the Air Force both changed the names of their deployment
systems in part because someone had trademarked the name Network
Security Monitor (I think it was Network 1, or something like that).  In
any case, at least one other company was developing and shipping a
commercial network-based intrusion detection system.

I also believe Cliff Stoll had rigged together a signal processing box
to pick keywords out of a data stream and then send him an alarm.  I
could not find a reference to this in the Cuckoo's Egg, but it might be
in his ACM paper.

> > P.S. To anyone else who's reading this - please, please don't file
> > any more patents in the intrusion detection field.  All it does is
> > cloud the field and slow down progress.
>
> In our case, the patent was *required* by investors.

Sadly, I think this is going to be the case.  Steve Smaha's primary
reason for filing his patent (which covers signature-based intrusion
detection, patent 5,557,742, also filed in 1996 for work done from 1990
through about 92) was to prevent others from trying to prevent him from
using his own technology.

> > Does anyone know if Computer Associates has tried to enforce this
> > patent?

Network Associates, which now owns Steve Smaha's patent, did try to get
a court to halt ISS from shipping RealSecure.  Obviously that did not
succeed, but I don't know if there were any payments by ISSX to NAI.

Personally I think any government organization which will grant a patent
on "one-click" checkout has lost all credibility as a mediator of
innovation.

Todd

------------------------------------------------------------------------------------------------
Papers regarding Network Security Monitor (NSM) or NSM's integration
into the Distributed Intrusion Detection System (DIDS).

S.R. Snapp, G.V. Dias, T.L. Goan, T. Grance, L.T. Heberlein, C. Ho, K.N.
Levitt, D. Mansur, B. Mukherjee, S.E. Smaha, J. Brentano, "DIDS
(Distributed Intrusion Detection System) - Motivation, Architecture, and
an Early Prototype," Proc. 14th National Computer Security Conference,
pp. 167-176, Oct. 1991.

L.T. Heberlein, B. Mukherjee, K.N. Levitt, "A Method to Detect
Intrusive Activity in a Networked Environment," Proc. 14th National
Computer Security Conference, pp. 362-371, Oct. 1991.

L.T. Heberlein, B. Mukherjee, K.N. Levitt, D. Mansur, "Towards
Detecting Intrusions in a Networked Environment," Proc. 14th Department
of Energy Computer Security Group Conference, pp. 17.47-17.65, May 1991.

J. Brentano, S.R. Snapp, G.V. Dias, T.L. Goan, L.T. Heberlein, C. Ho,
K.N. Levitt, B. Mukherjee, "An Architecture for a Distributed Intrusion
Detection System," Proc. 14th Department of Energy Computer Security
Group Conference, pp. 17.25-17.45, May 1991.

S.R. Snapp, J. Brentano, G.V. Dias, T.L. Goan, T. Grance, L.T.
Heberlein, C. Ho, K.N. Levitt, B. Mukherjee, D.L. Mansur, K.L. Pon, S.E.
Smaha, "A System for Distributed Intrusion Detection," Digest of Papers
COMPCON 91, pp. 170-176, Feb. 1991.

L.T. Heberlein, G.V. Dias, K.N. Levitt, B. Mukherjee, J. Wood,
"Network Attacks and an Ethernet-based Network Security Monitor," Proc.
13th Department of Energy Computer Security Group Conference, pp.
14.1-14.13, May 1990.

L.T. Heberlein, G.V. Dias, K.N. Levitt, B. Mukherjee, J. Wood, D.
Wolber, "A Network Security Monitor," Proc. 1990 Symposium on Research
in Security and Privacy, pp. 296-304, May 1990.

__________________________________________________________________
Date: Fri, 26 May 2000 12:38:25 -0700
Message-Id: <00052612382531 () ttinet com>
From: dan () ttinet com (Daniel Esbensen)
To: stuart () silicondefense com, turnere () mimestar com, ids () uow edu au, todd () netsq com
Subject: Re: IDS: NIDS Patent

Hello,

> I was just doing a patent search from within the US Patent and Trademark
> Office's database, and found the following patent:
>
>  United States Patent
>
>  5,796,942
>  Esbensen

Yes...that is me.

> Indeed, this appears to be a patent that, if valid, would pre-empt just
> about any signature based network intrusion detection system.

This could be.

> I am unable to see how the patent claims embody any features that weren't
> already present in Todd Heberlein's papers on the Network Security Monitor
> in the late '80s and very early '90s.  As far as I know, NSM was the first
> NIDS.  Becky Bace's book says the same thing.

We did the initial work in early 1990.

> I've cc'd Dan Esbensen and Todd Heberlein.  Dan - did you really invent
> network intrusion detection before anyone else?  Why didn't you file till
> 1996?

Yes.  I think we did invent intrusion detection by way of picking off
packet streams and recreating the service-level data-flow from the raw
packets and then analysing the data-flow for the intrusion signatures.

We delayed the patent application because the company didn't want to
spend the $$$ to file until we could:

  o  build a product from the technology
  o  prove that there was a non-government market for sales

> Does anyone know if Computer Associates has tried to enforce this patent?

I don't know what CA is doing with the technology or the patent
enforcement.  I do know that prior to patent application we did
extensive searches on "prior art" (pre 1990).

> P.S. To anyone else who's reading this - please, please don't file any more
> patents in the intrusion detection field.  All it does is cloud the field
> and slow down progress.

In our case, the patent was *required* by investors.  Without possible
patent protection we could not attract any investors at all.  So,
although I completely understand your desire for not clouding up the
field -- from a business standpoint there is a LOT of pressure to get
the patents.

In fact, from an academic standpoint I completely agree with your
thoughts on no more patents in this area.  But, from a BUSINESS
standpoint it makes it almost impossible to attract the needed $$$ for
research and development.

I hope this helps.

Dan Esbensen
Director of Advanced Research
Touch Technologies, Inc.
9988 Hibert Street, Ste 310
San Diego, CA 92131
858/566-3603
dan () ttinet com
http://www.ttinet.com/

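The technique Dan describes above (picking off packet streams, recreating the service-level data flow from the raw packets, and only then matching intrusion signatures) is the part of a signature-based NIDS that a per-packet matcher gets wrong. The following is an added example, not code from either poster, Touch Technologies, NSM or the patent: a toy one-directional TCP reassembler over a constructed packet list with hypothetical signature names, showing a "SITE EXEC" string split across two segments that per-packet inspection misses and stream-level matching catches, plus duplicate and overlapping retransmissions and a flow with a hole. All flow tuples, payloads and signatures are constructed for illustration; the reassembler ignores SYN/FIN, windows and teardown.

```python
"""Per-packet vs reassembled-stream signature matching (added example).

Everything here is constructed for illustration: the packets are not
from a real capture, the signatures are hypothetical, and the
reassembler is a toy (one direction, no SYN/FIN, window or teardown
handling).  It is not code from NSM, Touch Technologies or any poster.
"""
from collections import defaultdict

# Hypothetical signatures: name -> byte pattern expected in the data flow.
SIGNATURES = {
    "ftp-site-exec": b"SITE EXEC",
    "finger-root": b"root\r\n",
}

# Constructed packets: (src, dst, seq, payload), one direction only.
# The FTP session is delivered out of order, with a duplicate and an
# overlapping retransmission, and "SITE EXEC" is split across segments.
PACKETS = [
    ("10.0.0.5:40001", "10.0.0.9:21", 1000, b"USER anonymous\r\n"),
    ("10.0.0.5:40001", "10.0.0.9:21", 1016, b"PASS guest@\r\n"),
    ("10.0.0.5:40001", "10.0.0.9:21", 1034, b"EXEC /bin/sh\r\n"),  # arrives early
    ("10.0.0.5:40001", "10.0.0.9:21", 1029, b"SITE "),
    ("10.0.0.5:40001", "10.0.0.9:21", 1029, b"SITE "),              # exact retransmit
    ("10.0.0.5:40001", "10.0.0.9:21", 1040, b"bin/sh\r\n"),         # overlapping retransmit
    # A second flow with a missing segment (bytes 502-503 never arrive).
    ("10.0.0.7:40002", "10.0.0.9:79", 500, b"ro"),
    ("10.0.0.7:40002", "10.0.0.9:79", 504, b"\r\n"),
]


def match_per_packet(packets):
    """Naive NIDS: test every signature against each packet's payload alone."""
    hits = set()
    for _src, _dst, _seq, payload in packets:
        hits.update(name for name, pat in SIGNATURES.items() if pat in payload)
    return hits


def reassemble(packets):
    """Rebuild each flow's byte stream from its segments.

    Returns {flow: (data, gap_at)}.  gap_at is None when the bytes are
    contiguous up to the last segment, otherwise the sequence number of
    the first missing byte; reassembly stops there instead of guessing.
    """
    flows = defaultdict(dict)
    for src, dst, seq, payload in packets:
        flows[(src, dst)].setdefault(seq, payload)  # keep first copy of exact retransmits
    streams = {}
    for flow, segs in flows.items():
        data = bytearray()
        expected = min(segs)      # first sequence number seen starts the stream
        gap_at = None
        for seq in sorted(segs):
            payload = segs[seq]
            if seq > expected:    # hole in the stream: stop here
                gap_at = expected
                break
            data += payload[expected - seq:]   # drop bytes already reassembled
            expected = max(expected, seq + len(payload))
        streams[flow] = (bytes(data), gap_at)
    return streams


def match_stream(streams):
    """Run the same signatures over the reassembled service-level data."""
    hits = {}
    for flow, (data, _gap) in streams.items():
        names = sorted(n for n, pat in SIGNATURES.items() if pat in data)
        if names:
            hits[flow] = names
    return hits


if __name__ == "__main__":
    print("per-packet hits:", match_per_packet(PACKETS) or "none")
    streams = reassemble(PACKETS)
    for flow, (data, gap) in streams.items():
        print(flow, data, "complete" if gap is None else f"gap at {gap}")
    print("stream hits:", match_stream(streams))
```

Run as-is: per-packet matching reports nothing, while the reassembled FTP flow yields the "ftp-site-exec" hit and the finger flow is reported with a hole at sequence 502 rather than silently treated as complete.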
__________________________________________________________________