If you used NSM (UC Davis), ASIM (Air Force), JIDS (DISA), or NID (DOE) in the 1990s, two things you probably remember about the tools were their string matching and transcripts. Flipping through an old notebook the other day, I ran across a reference where these features were added to the code base: Jan 15, 1991.
I never bothered to publish this information in an academic publication because they didn't seem very academic-y, but they sure were useful in detecting hackers and understanding what they were doing.
I also like a couple of other "to do" bullet points here, like
- Development of a distributed NSM architecture
- Study techniques for stalking hackers
- Advise a network security officer of corrective measures in the midst of an attack
all pretty good ideas.
The second page shows how the string matches were used to increase (and decrease) warning values. This caused confusion later on and is worth its own blog post.
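To make the idea of string matches raising and lowering a warning value concrete, here is a small added example in Python. It is not code from NSM, ASIM, JIDS or NID; the rule strings, the weights, the zero floor and the sample telnet-style session are all assumptions constructed for illustration, and the alert threshold is likewise a made-up value.

```python
# Added example: a toy NSM-style string matcher that adjusts a per-session
# warning value as it scans a session transcript line by line.
# Rules, weights and the sample transcript below are constructed, not taken
# from any of the 1990s tools.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    pattern: str   # literal substring, matched case-insensitively
    weight: int    # positive raises the warning value, negative lowers it
    note: str      # why an analyst cares about this string


# Assumed rule set. Negative weights model the "decrease" side of the design:
# strings that suggest routine, orderly activity pull the value back down.
RULES = [
    Rule("/etc/passwd", 3, "password file read"),
    Rule("login incorrect", 2, "failed login attempt"),
    Rule("su root", 2, "privilege change to root"),
    Rule("last login:", -1, "normal successful-login banner"),
    Rule("logout", -1, "orderly end of session"),
]


def score_transcript(lines, rules=RULES, floor=0):
    """Scan transcript lines in order; return (final_warning, hits).

    hits is a list of (line_number, pattern, weight, running_value) so an
    analyst can see which strings moved the value and when. The value never
    drops below `floor` (assumed 0) so benign strings cannot bank "credit".
    """
    warning = 0
    hits = []
    for lineno, line in enumerate(lines, start=1):
        lowered = line.lower()
        for rule in rules:
            if rule.pattern in lowered:
                warning = max(floor, warning + rule.weight)
                hits.append((lineno, rule.pattern, rule.weight, warning))
    return warning, hits


def should_alert(lines, threshold=4):
    """Assumed policy: alert when the final warning value reaches the threshold."""
    final, _ = score_transcript(lines)
    return final >= threshold


# Constructed sample transcript of an interactive session.
SESSION = [
    "Trying 10.0.0.5...",
    "login: guest",
    "Password:",
    "Login incorrect",
    "login: guest",
    "Password:",
    "Last login: Tue Jan 15 09:02:11 from host.example",
    "$ cat /etc/passwd",
    "$ su root",
    "# logout",
]

if __name__ == "__main__":
    final, hits = score_transcript(SESSION)
    for lineno, pattern, weight, running in hits:
        print(f"line {lineno:2d}: {pattern!r:20} {weight:+d} -> warning={running}")
    print("final warning value:", final, "alert:", should_alert(SESSION))
```

Running the block walks the constructed session and shows the warning value climb on the failed login, dip on the routine login banner, climb again on the password-file read and root switch, and drop by one on the orderly logout. Because matches are applied in transcript order and the decrease rules are only small corrections, the same strings in a different order can end at a different value, which is one reason a scheme like this tends to confuse people reading the numbers later.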
Click to enlarge the pages.