PaIRS/Bayesian IDS: Finding Bad Actors Without Looking at Content

The Columbia PaIRS (point of contact and incident response system) IDS was developed to facilitate the protection of the network from compromised machines, taking into account the totally decentralized nature of support and the policy against looking at any content on our network. These constraints present challenges in using standard intrusion detection systems that depend on packet inspection and the assumption that there is central ownership of computers on the network. PaIRS was built using Netflow data as the primary input, along with leveraging input from external organizations such as REN-ISAC and Shadowserver.