Naji Habra, Baudouin Le Charlier, Abdelaziz Mounji, Isabelle Mathieu,
ASAX: Software Architecture and Rule-base Language for Universal
Audit Trail Analysis
Keywords: audit, rulebase, analysis
Abstract: After a brief survey of the problems related to
audit trail analysis and of some approaches to deal with them,
the paper outlines the project ASAX which aims at providing an
advanced tool to support such analysis. One key feature of ASAX
is its elegant architecture built on top of a universal analysis
tool allowing any audit trail to be analyzed after a straight
format adaptation. Another key feature of the project ASAX is the
language RUSSEL used to express queries on audit trails. RUSSEL
is a rule-based language which is tailor-made for the analysis of
sequential files in one and only one pass. The conception of
RUSSEL makes a good compromise with respect to the needed
efficiency on the one hand and to the suitable declarative look
on the other hand. The language is illustrated by examples of
rules for the detection of some representative classical security
breaches.
Naji Habra, Baudouin Le Charlier, Abdelaziz Mounji, Isabelle Mathieu,
Preliminary Report on Advanced Security Audit Trail Analysis on
UNIX
Keywords: intrusion, detection, audit
Abstract: The ASAX project is a joint project involving
SWN in Rhines and the Institut d'Informatique (FUNDP) in Namur.
This project aims at defining and implementing a commercial
system for universal, efficient and powerful audit trail analysis
corresponding to security level B3. However, implementation of a
commercial system is only a middle term objective. In the short
term it has been decided to specify, design and implement a
prototype version of the system. This prototype version will be
satisfactory only if it demonstrates the feasibility of these
main features of the system: universality, efficiency and
power.
Mark Crosbie, Bryn Dole, Todd Ellis, Ivan Krsul, Eugene Spafford,
IDIOT - Users Guide
Keywords: IDIOT, intrusion detection
Abstract: This manual gives a detailed technical
description of the IDIOT intrusion detection system from the
COAST Laboratory at Purdue University. It is intended to help
anyone who wishes to use, extend or test the IDIOT system.
Familiarity with security issues, and intrusion detection in
particular, is assumed.
Aurobindo Sundaram,
An Introduction to Intrusion Detection (A related
WWW homepage exists for this item)
Keywords: intrusion, detection, security
Abstract: This is a survey paper on intrusion detection.
It explains the different types of intrusion detection methods
(misuse and anomaly), gives different implementation techniques
and advantages and disadvantages of present methods
Abdelaziz Mounji, Baudouin Le Charlier, Denis Zampunieris, Naji Habra,
Distributed Audit Trail Analysis
Keywords: distributed, audit, analysis, intrusion,
detection
Abstract: An implemented system for on-line analysis of
multiple distributed data streams is presented. The system is
conceptually universal since it does not rely on any particular
platform feature and uses format adaptors to translate data
streams into its own standard format. The system is as powerful
as possible (from a theoretical standpoint) but still efficient
enough for on-line analysis thanks to its novel rule-based
language (RUSSEL) which is specifically designed for efficient
processing of sequential unstructured data streams. In this
paper, the generic concepts are applied to security audit trail
analysis. The resulting system provides powerful network security
monitoring and sophisticated tools for intrusion/anomaly
detection. The rule-based and command languages are described as
well as the distributed architecture and the implementation.
Performance measurements are reported, showing the effectiveness
of the approach.
Taimur Aslam, Ivan Krsul, Eugene H. Spafford,
Use of A Taxonomy of Security Faults
Keywords: taxonomy, security faults, database,
classification, intrusion detection, static audit analysis, fault
detection
Abstract: Security in computer systems is important so as
to ensure reliable operation and to protect the integrity of
stored information. Faults in the implementation of critical
components can be exploited to breach security and penetrate a
system. These faults must be identified, detected, and corrected
to ensure reliability and safeguard against denial of service,
unauthorized modification of data, or disclosure of information.
We define a classification of security faults in the Unix
operating system. We state the criteria used to categorize the
faults and present examples of the different fault types. We
present the design and implementation details of a prototype
database to store vulnerability information collected from
different sources. The data is organized according to our fault
categories. The information in the database can be applied in
static audit analysis of systems, intrusion detection, and fault
detection. We also identify and describe software testing methods
that should be effective in detecting different faults in our
classification scheme.
Jeremy Frank,
Artificial Intelligence and Intrusion Detection: Current and
Future Directions
Abstract: Intrusion Detection systems (IDSs) have
previously been built by hand. These systems have difficulty
successfully classifying intruders, and require a significant
amount of computational overhead making it difficult to create
robust real-time IDSs. Artificial Intelligence techniques
can reduce the human effort required to build these systems and
can improve their performance. Learning and induction are used to
improve the performance of search problems, while clustering has
been used for data analysis and reduction. AI has recently been
used in Intrusion Detection (ID) for anomaly detection, data
reduction and induction, or discovery, of rules explaining audit
data. We survey uses of artificial intelligence methods in ID,
and present an example using feature selection to improve the
classification of network connections. The network connection
classification problem is related to ID since intruders can
create "private" communications services undetectable by normal
means. We also explore some areas where AI techniques may further
improve IDSs.
Abdelaziz Mounji,
Advanced Security audit trail Analysis on uniX
Keywords: audit trail, analysis, intrusion detection,
asax
Abstract: This document is a description of the ASAX tool.
ASAX is used for audit trail analysis. It is described briefly
below: INTRODUCTION Analyzing substantial amounts of data and
extracting relevant information out of huge sequential files has
always been a nightmare. And ... it will probably remain so,
unless you use ASAX, FUNDP's Advanced Security audit trail
Analyzer on uniX. Using highly sophisticated and powerful
algorithms, ASAX tremendously simplifies the intelligent analysis
of sequential files. Of course, the data should fit the analyzer.
Therefore, ASAX has defined a normalized audit file format (NADF)
with built-in flexibility to guarantee a simple and
straightforward translation of any stream of native data into the
normalized sequential files ASAX understands. But ASAX's real
power is unleashed by deploying its embedded, easy to use rule
based language RUSSEL; this tailor-made analysis tool solves very
intricate queries on any sequential data.
National Computer Security Center,
A Guide to Understanding Audit in Trusted Systems
Abstract: This publication is being issued by the
National Computer Security Center (NCSC) under the authority of
and in accordance with Department of Defense (DoD) Directive
5215.1. The guidelines described in this document provide a set
of good practices related to the use of auditing in automatic
data processing systems employed for processing classified and
other sensitive information.
Victor H. Marshall,
Intrusion Detection In Computers
Abstract: Summary of the Trusted Information Systems (TIS)
report on intrusion detection systems. Computer system security
officials typically have very few, if any, good automated tools
to gather and process auditing information on potential computer
system intruders. It is most challenging to determine just what
actions constitute potential intrusion in a complex mainframe
computer environment. Trusted Information Systems (TIS), Inc.
recently completed a survey to determine what auditing tools are
available and what further research is needed to develop
automated systems that will reliably detect intruders on
mainframe computer systems. Their report
S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, D. Zerkle,
GrIDS - A Graph Based Intrusion Detection System for Large
Networks
Keywords: intrusion detection, networks, information
warfare, computer security, graphs
Abstract: There is widespread concern that large-scale
malicious attacks on computer networks could cause serious
disruption to network services. We present the design of GrIDS
(Graph-Based Intrusion Detection System). GrIDS collects data
about activity on computers and network traffic between them. It
aggregates this information into activity graphs which reveal the
causal structure of network activity. This allows large-scale
automated or co-ordinated attacks to be detected in near
real-time. In addition, GrIDS allows network administrators to
state policies specifying which users may use particular services
of individual hosts or groups of hosts. By analyzing the
characteristics of the activity graphs, GrIDS detects and reports
violations of the stated policy. GrIDS uses a hierarchical
reduction scheme for the graph construction, which allows it to
scale to large networks. An early prototype of GrIDS has
successfully detected a worm attack.
Sandeep Kumar, Eugene H. Spafford,
Pattern Matching Model for Misuse Intrusion
Detection
Abstract: This paper describes a generic model of matching
that can be usefully applied to misuse intrusion detection. The
model is based on Colored Petri Nets. Guards define the context
in which signatures are matched. The notion of start and final
states, and paths between them define the set of event sequences
matched by the net. Partial order matching can also be specified
in this model. The main benefits of the model are its generality,
portability and flexibility.
Sandeep Kumar, Eugene H. Spafford,
An Application of Pattern Matching in Intrusion
Detection
Abstract: This report examines and classifies the
characteristics of signatures used in misuse intrusion detection.
Efficient algorithms to match patterns in some of these classes
are described. A generalized model for matching intrusion
signatures based on Colored Petri Nets is presented, and some of
its properties are derived.
Sandeep Kumar, Eugene H. Spafford,
A Software Architecture to support Misuse Intrusion
Detection.
Abstract: Misuse Intrusion Detection has traditionally
been understood in the literature as the detection of specific,
precisely representable techniques of computer system abuse.
Pattern matching is well disposed to the representation and
detection of such abuse. Each specific method of abuse can be
represented as a pattern and many of these can be matched
simultaneously against the audit logs generated by the OS kernel.
Using relatively high level patterns to specify computer system
abuse relieves the pattern writer from having to understand and
encode the intricacies of pattern matching into a misuse
detector. Patterns represent a declarative way of specifying what
needs to be detected, instead of specifying how it should be
detected. We have devised a model of matching based on Colored
Petri Nets specifically targeted for misuse intrusion detection.
In this paper we present a software architecture for structuring
a pattern matching solution to misuse intrusion detection. In the
context of an object oriented prototype implementation we
describe the abstract classes encapsulating generic functionality
and the inter-relationships between the classes.
Mark Crosbie, Eugene Spafford,
Applying Genetic Programming to Intrusion Detection
Keywords: intrusion detection, genetic programming
Abstract: This paper presents a potential solution to the
intrusion detection problem in computer security. It uses a
combination of work in the fields of Artificial Life and computer
security. It shows how an intrusion detection system can be
implemented using autonomous agents, and how these agents can be
built using Genetic Programming. It also shows how Automatically
Defined Functions (ADFs) can be used to evolve genetic programs
that contain multiple data types and yet retain type-safety.
Future work arising from this is also discussed.
Mark Crosbie, Gene Spafford,
Defending a Computer System using Autonomous Agents
Abstract: This report presents a prototype architecture of
a defense mechanism for computer systems. The intrusion detection
problem is introduced and some of the key aspects of any solution
are explained. Standard intrusion detection systems are built as
a single monolithic module. A finer-grained approach is proposed,
where small, independent agents monitor the system. These agents
are taught how to recognise intrusive behaviour. The learning
mechanism in the agents is built using Genetic Programming. This
is explained, and some sample agents are described. The
flexibility, scalability and resilience of the agent approach are
discussed. Future issues are also outlined.
Calvin Ko, Deborah A. Frincke, Terrence Goan Jr., L. Todd Heberlein, Karl Levitt, Biswanath Mukherjee, Christopher Wee,
Analysis of an Algorithm for Distributed Recognition and
Accountability
Abstract: Computer and network systems are vulnerable to
attacks. Abandoning the existing huge infrastructure of
possibly-insecure computer and network systems is impossible, and
replacing them by totally secure systems may not be feasible or
cost effective. A common element in many attacks is that a single
user will often attempt to intrude upon multiple resources
throughout a network. Detecting the attack can become
significantly easier by compiling and integrating evidence of
such intrusion attempts across the network rather than attempting
to assess the situation from the vantage point of only a single
host. To solve this problem, we suggest an approach for
distributed recognition and accountability (DRA), which consists
of algorithms which "process", at a central location, distributed
and asynchronous "reports" generated by computers (or a subset
thereof) throughout the network. Our highest-priority objectives
are to observe ways by which an individual moves around in a
network of computers, including changing user names to possibly
hide his/her true identity, and to associate all activities of
multiple instances of the same individual to the same
network-wide user. We present the DRA algorithm and a sketch of
its proof under an initial set of simplifying albeit realistic
assumptions. Later, we relax these assumptions to accommodate
pragmatic aspects such as missing or delayed "reports", clock
skew, tampered "reports", etc. We believe that such algorithms
will have widespread applications in the future, particularly in
intrusion-detection systems.
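The DRA idea in the abstract above (central processing of asynchronous per-host reports, following one person across hosts and across user-name changes, and tolerating reports that arrive late) as an added Python example; this is not code from the paper or from any COAST tool. The report fields, the rule that a remote login is tied to the connect report sharing the same (source host, destination host, source port) triple, and the use of union-find to merge two provisional identities when the linking evidence arrives out of order are assumptions made for this illustration. The sample reports are constructed.

```python
"""Toy distributed recognition and accountability (DRA) correlator.

One central process receives per-host reports and assigns every report to a
network-wide user id (NID). Remote logins are linked to the connect report that
opened the connection; su changes the local name but not the NID; a remote login
whose origin has not reported yet gets a provisional NID that is merged later.
Record fields and linking rule are assumptions for this example.
"""


class DRA:
    def __init__(self):
        self.parent = {}     # union-find over NIDs, merged when late evidence links two of them
        self.owner = {}      # (host, local user name) -> NID currently behind that account
        self.outgoing = {}   # (src host, dst host, src port) -> NID that opened the connection
        self.pending = {}    # same key -> provisional NID of a remote login seen before its origin
        self.nids = []       # NID assigned to each report, in report order

    def _new(self):
        nid = len(self.parent) + 1
        self.parent[nid] = nid
        return nid

    def find(self, nid):
        while self.parent[nid] != nid:
            self.parent[nid] = self.parent[self.parent[nid]]   # path halving
            nid = self.parent[nid]
        return nid

    def _union(self, keep, merge):
        self.parent[self.find(merge)] = self.find(keep)

    def _current(self, host, user):
        key = (host, user)
        if key not in self.owner:          # activity with no login seen: unknown origin
            self.owner[key] = self._new()
        return self.owner[key]

    def process(self, r):
        host, kind = r["host"], r["type"]
        if kind == "login":
            nid = self._new()              # every login starts a fresh local identity
            self.owner[(host, r["user"])] = nid
            if "from" in r:                # remote login: tie it to the originating connect
                key = (r["from"], host, r["port"])
                if key in self.outgoing:
                    self._union(self.outgoing[key], nid)
                else:
                    self.pending[key] = nid
        elif kind == "connect":
            nid = self._current(host, r["user"])
            key = (host, r["to"], r["port"])
            self.outgoing[key] = nid
            if key in self.pending:        # the remote side's report arrived before ours
                self._union(nid, self.pending.pop(key))
        elif kind == "su":                 # name change on the same host: same person
            nid = self._current(host, r["user"])
            self.owner[(host, r["new_user"])] = nid
        else:
            nid = self._current(host, r["user"])
        self.nids.append(nid)


def attribute(reports):
    """Return (final NID per report, number of remote logins whose origin never reported)."""
    dra = DRA()
    for r in reports:
        dra.process(r)
    return [dra.find(n) for n in dra.nids], len(dra.pending)


# Constructed reports: alice logs in on hostA, hops to hostB as bob, becomes root there.
REPORTS = [
    {"host": "hostA", "type": "login", "user": "alice"},
    {"host": "hostA", "type": "connect", "user": "alice", "to": "hostB", "port": 1022},
    {"host": "hostB", "type": "login", "user": "bob", "from": "hostA", "port": 1022},
    {"host": "hostB", "type": "su", "user": "bob", "new_user": "root"},
    {"host": "hostB", "type": "exec", "user": "root", "cmd": "cat /etc/shadow"},
    {"host": "hostC", "type": "login", "user": "carol"},
    {"host": "hostC", "type": "exec", "user": "carol", "cmd": "ls"},
]

if __name__ == "__main__":
    nids, orphans = attribute(REPORTS)
    for r, n in zip(REPORTS, nids):
        print(f"NID {n}: {r}")
    print("remote logins with unknown origin:", orphans)
```

The root shell's `cat /etc/shadow` on hostB is attributed to the NID created by alice's login on hostA, and the result is the same when hostB's login report arrives before hostA's connect report, which is the delayed-report case the abstract mentions; a remote login that is never matched stays counted as unresolved so the accountability gap is visible.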
Matt Bishop,
A Standard Audit Log Format (A related WWW
homepage exists for this item)
Keywords: audit trails, logs, intrusion detection
Abstract: This document describes a standard audit log
format. Examples of log records were taken from very different
systems and shown how they could be put into the standard log
format. It was demonstrated that the log format can handle a
variety of systems and security policies, from intrusion
detection to financial records.
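The ASAX entries above (format adaptors into a normalized audit format, then a single-pass rule-based analysis in the style of RUSSEL) and Bishop's standard log format describe the same pipeline from two ends. The following Python example is added here to sketch it and is not code from ASAX, RUSSEL or the Bishop document: two constructed native log formats are adapted into one normalized record type, the merged stream is read exactly once, and each rule names the rules that are active for the next record, carrying its state in its parameters. The two native formats, the record fields, the "count" rule, and the WINDOW and THRESHOLD values are assumptions made for the illustration.

```python
"""Format adaptors feeding a single-pass, rule-triggering audit analyzer (RUSSEL-style toy).

Native formats, record fields and the detection policy are assumptions for this example.
"""
import re

WINDOW = 60        # seconds: failures older than this no longer count (assumed policy)
THRESHOLD = 3      # failed logins before a success that is worth an alert (assumed policy)

# --- Format adaptors: each native format is parsed into the same normalized record ---
# Constructed syslog-like format:  "<epoch> <host> login: <FAILED|OK> user=<name>"
SYSLOG = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) login: (?P<result>FAILED|OK) user=(?P<user>\S+)$")


def adapt_syslog(line):
    m = SYSLOG.match(line)
    if not m:
        return None                      # unparseable lines are dropped, not guessed at
    return {"ts": int(m["ts"]), "host": m["host"], "user": m["user"],
            "event": "login", "result": m["result"]}


# Constructed pipe-delimited format:  "<host>|<epoch>|<user>|<event>|<status>", status 0 = success
def adapt_pipe(line):
    parts = line.split("|")
    if len(parts) != 5:
        return None
    host, ts, user, event, status = parts
    return {"ts": int(ts), "host": host, "user": user, "event": event,
            "result": "OK" if status == "0" else "FAILED"}


def normalize(sources):
    """sources: iterable of (adaptor, lines). Returns one time-ordered normalized stream."""
    records = [r for adaptor, lines in sources for r in map(adaptor, lines) if r]
    records.sort(key=lambda r: r["ts"])
    return records


# --- Single-pass engine: a rule sees one record and returns the rules active for the next ---
def step(rule, rec, active, alerts):
    kind = rule[0]
    if kind == "watch":                                         # always active
        out = [rule]
        if (rec["event"] == "login" and rec["result"] == "FAILED"
                and not any(r[0] == "count" and r[1] == rec["user"] for r in active)):
            out.append(("count", rec["user"], rec["host"], 1, rec["ts"] + WINDOW))
        return out
    if kind == "count":                                         # ("count", user, host, n, deadline)
        _, user, host, n, deadline = rule
        if rec["ts"] > deadline:
            return []                                           # window expired: forget this episode
        if rec["event"] != "login" or rec["user"] != user:
            return [rule]                                       # irrelevant record: stay as is
        if rec["result"] == "FAILED":
            return [("count", user, host, n + 1, deadline)]     # same rule, updated parameter
        if n >= THRESHOLD:
            alerts.append({"user": user, "host": host, "failures": n, "ts": rec["ts"]})
        return []                                               # a success ends the episode either way
    raise ValueError(f"unknown rule {kind}")


def run(records, initial=(("watch",),)):
    active, alerts = list(initial), []
    for rec in records:
        nxt = []
        for rule in active:
            nxt.extend(step(rule, rec, active, alerts))
        active = nxt
    return alerts


# Constructed sample trails from two hosts with different native formats
SYSLOG_LINES = [
    "100 hostA login: FAILED user=alice",
    "101 hostA login: FAILED user=alice",
    "102 hostA login: FAILED user=alice",
    "110 hostA login: OK user=alice",
    "500 hostA login: OK user=alice",
    "garbage line that no adaptor accepts",
]
PIPE_LINES = [
    "hostB|105|bob|login|1",
    "hostB|106|bob|login|0",
]


def demo():
    return run(normalize([(adapt_syslog, SYSLOG_LINES), (adapt_pipe, PIPE_LINES)]))


if __name__ == "__main__":
    for a in demo():
        print(a)
```

Only alice's three failures followed by a success inside the window produce an alert; bob's single failure and the late success at 500 do not, and the unparseable line is discarded by the adaptor rather than reaching the rules. The point of the "rules for the next record" shape is that state lives in rule parameters and every record is examined once.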
Koral Ilgun,
USTAT: A Real Time Intrusion Detection System for
UNIX
Abstract: This thesis presents the design and
implementation of a real-time intrusion detection tool called
USTAT, a State Transition Analysis Tool for UNIX. The original
design was first developed by Phillip A. Porras and presented in
[Porr91] as STAT, a State Transition Analysis Tool. STAT is a new
model for representing computer penetrations, and the model is
applied to the development of a real-time intrusion detection
tool. In STAT, a penetration is identified as a sequence of state
changes that take the computer system from some initial state to
a target compromised state. In this document, the development of
the first USTAT prototype, which is for SunOS 4.1.1, is
described. USTAT makes use of the audit trails that are collected
by the C2 Basic Security Module of SunOS, and it keeps track of
only those critical actions that must occur for the successful
completion of the penetration. This approach differs from other
rule-based penetration identification tools that pattern match
sequences of audit records.
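The state transition model in the USTAT abstract above and the guarded pattern-matching model of the Kumar and Spafford entries share one mechanism: a signature is a sequence of states, each transition is fired by one critical audit record under a guard, and records that are not critical for a partial match are skipped rather than breaking it. The Python example below is added here to show that mechanism; it is not code from USTAT, IDIOT or either paper, and the "planted setuid file" signature, the record fields and the abort-on-unlink rule are assumptions made for the illustration. The audit records are constructed.

```python
"""State transition analysis toy: a penetration is a sequence of state transitions,
each fired by one critical audit record; non-critical records are skipped, so the
steps need not be adjacent in the trail. Signature and fields are assumptions."""


def t_create(rec, b):
    # State 0 -> 1: an ordinary user creates a file; bind the creator U and the file F
    if rec["action"] == "create" and rec["subject"] != "root":
        return {"U": rec["subject"], "F": rec["object"]}
    return None


def t_setuid(rec, b):
    # State 1 -> 2: the same user turns the setuid bit on for that file
    if (rec["action"] == "chmod" and rec["object"] == b["F"]
            and rec["subject"] == b["U"] and rec.get("mode", 0) & 0o4000):
        return b
    return None


def t_exec(rec, b):
    # State 2 -> compromised: a different user executes the planted setuid file
    if rec["action"] == "exec" and rec["object"] == b["F"] and rec["subject"] != b["U"]:
        return {**b, "V": rec["subject"]}
    return None


def aborted(rec, b):
    # Removing the file invalidates every partial match bound to it
    return rec["action"] == "unlink" and rec["object"] == b["F"]


SIGNATURE = [t_create, t_setuid, t_exec]


def analyze(records):
    """One pass over the audit trail; returns the bindings of every completed match."""
    partial, alerts = [], []       # partial: (index of next transition, variable bindings)
    for rec in records:
        nxt = []
        for state, b in partial:
            if aborted(rec, b):
                continue
            nb = SIGNATURE[state](rec, b)
            if nb is None:
                nxt.append((state, b))                 # not critical for this instance: keep waiting
            elif state + 1 == len(SIGNATURE):
                alerts.append(nb)                      # reached the compromised state
            else:
                nxt.append((state + 1, nb))
        nb = SIGNATURE[0](rec, {})                     # can this record start a new instance?
        if nb is not None:
            nxt.append((1, nb))
        partial = nxt
    return alerts


# Constructed audit records (BSM-like fields reduced to what the signature needs)
RECORDS = [
    {"subject": "mallory", "action": "create", "object": "/tmp/sh"},
    {"subject": "mallory", "action": "chmod",  "object": "/tmp/sh", "mode": 0o4755},
    {"subject": "mallory", "action": "create", "object": "/tmp/x"},
    {"subject": "mallory", "action": "chmod",  "object": "/tmp/x",  "mode": 0o4755},
    {"subject": "mallory", "action": "unlink", "object": "/tmp/x"},    # aborts the /tmp/x instance
    {"subject": "alice",   "action": "exec",   "object": "/bin/ls"},   # noise, not critical
    {"subject": "mallory", "action": "create", "object": "/tmp/y"},
    {"subject": "mallory", "action": "chmod",  "object": "/tmp/y",  "mode": 0o755},  # no setuid bit
    {"subject": "root",    "action": "exec",   "object": "/tmp/x"},
    {"subject": "root",    "action": "exec",   "object": "/tmp/y"},
    {"subject": "root",    "action": "exec",   "object": "/tmp/sh"},
]

if __name__ == "__main__":
    for hit in analyze(RECORDS):
        print("compromised state reached:", hit)
```

Three instances start (one per create), but only the /tmp/sh one reaches the final state: /tmp/x is unlinked before it is executed and /tmp/y never gets the setuid bit, and the intervening unrelated records are ignored. Reordering so that the execution precedes the chmod yields no match, which is the ordering constraint that distinguishes this from counting individual events.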
Built by Mark Crosbie and Ivan Krsul.