OrchIDS: on the value of rigor in intrusion detection

Thematic day - Persyval-Lab
Jean Goubault-Larrecq
Friday 8 August 2014
Technical production: Djamel Hadji | All rights reserved

OrchIDS is an intrusion detection system developed at LSV (ENS Cachan, INRIA, CNRS) that has some unique features: it detects complex attacks, correlating events through time, it is real-time, and interfaces with multiple sources of security events. The purpose of such a system is to detect attacks on computer systems and networks, and to counter them.

People in this area require practical solutions to concrete concerns. Security tools must be usable and give results on real, deployed systems and networks. This is definitely commendable. But this is also sometimes taken as an excuse for avoiding rigorous practices: rigorous definitions, proofs of algorithms, and optimality results.

I will attempt to convince you that we can have a rigorous approach to intrusion detection, and have a fast tool, too.  In fact, part of the efficiency of Orchids stems, precisely, from the rigor we have put into it.

I will illustrate this with two specific cases (after having spent some time trying to convince you that computer security was important, using a few scary stories).

The first one is the Orchids core algorithm itself, which owes its efficiency to a well-crafted definition of what (not how) we wish to detect.  It is then a theorem that the algorithm (the "how") really implements this definition.  And we also obtain nice optimality results on the way.

The second one is an Orchids plug-in, NetEntropy, which classifies network flows as random/encrypted/compressed or not.  This is useful to detect some hacked network traffic in difficult (cryptographic) situations.  I will show how mathematics (statistics, here) is instrumental in evaluating the right confidence intervals.  The result is surprising: NetEntropy detects subversion in situations that are so undersampled that commonsense would tell you one cannot detect anything.

The UMS MI2S closed on 31 December 2016; the videos hosted on its site are now on the GRICAD site. In accordance with the French Data Protection Act (loi informatique et libertés) of 6 January 1978 as amended, you may exercise your rights of withdrawal or modification concerning the authorizations validated by MI2S by contacting the UMS GRICAD.