The Center for Education and Research in Information Assurance and Security (CERIAS)


Reports and Papers Archive



Coping with the Threat of Computer Security Incidents - A Primer from Prevention through Recovery

Russell L. Brand

As computer security becomes a more important issue in modern society, it begins to warrant a systematic approach. The vast majority of the computer security problems and the costs associated with them can be prevented with simple inexpensive measures. The most important and cost effective of these measures are available in the prevention and planning phases. These methods are presented, followed by a simplified guide to incident handling and recovery.

Added 2002-07-26

Summary of the Trusted Information Systems (TIS) Report on Intrusion Detection Systems

Victor H. Marshall

Executive Summary: Computer system security officials typically have very few, if any, good automated tools to gather and process auditing information on potential computer system intruders. It is most challenging to determine just what actions constitute potential intrusion in a complex mainframe computer environment. Trusted Information Systems (TIS), Inc. recently completed a survey to determine what auditing tools are available that will reliably detect intruders on mainframe computer systems. Their report #348 was done for the Air Force and includes details on nine specific software tools for intrusion detection.

Added 2002-07-26

A Survey of Intrusion Detection Techniques

Teresa F. Lunt

Today’s computer systems are vulnerable both to abuse by insiders and to penetration by outsiders, as evidenced by the growing number of incidents reported in the press. To close all security loopholes from today’s systems is infeasible, and no combination of technologies can prevent legitimate users from abusing their authority in a system; thus auditing is viewed as the last line of defense. Over the past several years, the computer security community has been developing automated tools to analyze computer system audit data for suspicious user behavior. This paper describes the use of such tools for detecting computer system intrusion and describes further technologies that may be of use for intrusion detection in the future.

Added 2002-07-26

Network Intrusion Detection

Biswanath Mukherjee, L. Todd Heberlein, Karl N. Levitt

Intrusion detection is a new, retrofit approach for providing a sense of security in existing computers and data networks, while allowing them to operate in their current “open” mode. The goal of intrusion detection is to identify, preferably in real time, unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators. The intrusion detection problem is becoming a challenging task due to the proliferation of heterogeneous computer networks since the increased connectivity of computer systems gives greater access to outsiders and makes it easier for intruders to avoid identification. Intrusion detection systems (IDSs) are based on the beliefs that an intruder’s behavior will be noticeably different from that of a legitimate user and that many unauthorized actions are detectable. Typically, IDSs employ statistical anomaly and rule-based misuse models in order to detect intrusions. A number of prototype IDSs have been developed at several institutions, and some of them have also been deployed on an experimental basis in operational systems. In this paper, several host-based and network-based IDSs are surveyed, and the characteristics of the corresponding systems are identified. The host-based systems employ the host operating system’s audit trails as the main source of input to detect intrusive activity, while most of the network-based IDSs build their detection mechanism on monitored network traffic, and some employ host audit trails as well. An outline of a statistical anomaly detection algorithm employed in a typical IDS is also included.

Added 2002-07-26

New Methods of Intrusion Detection using Control-Loop Measurement

Myron L. Cramer, James Cannady, Jay Harrell

This paper describes a new concept in network intrusion detection based upon statistical recognition of an intruder’s control-loop. These criteria offer advantages in infinite networks and where a priori attack scenarios are not known. This paper describes the need for better intrusion detection methods, the applicability of digital signal processing to real-time network surveillance, the concept of control-loop behavior, and the design of an innovative intrusion detection system employing these. We also discuss the benefits of this new system in comparison with alternative technologies.

Added 2002-07-26

svr4++, A Common Audit Trail Interchange Format For Unix Version 2.2

Stephen E. Smaha

Developers of audit trail analysis tools need a data interchange format to allow sharing audit trail information from different operating systems. We wanted an audit data interchange format to provide interoperability of intrusion and misuse detection tools and to facilitate cooperative work involving audit trail analysis, especially for the detection of intrusions and other misuses. While the general case of this problem is very difficult (to convert from IBM MVS SMF records to SunOS Basic Security Module data, for example), it is much more feasible to define a common record format across those Unix versions that support auditing at least at the NCSC C2 level. This document describes the format we have developed. Our internal name for this format is “svr4++”.

Added 2002-07-26

The Property of Audit Trail

Anders Tallberg

This paper builds upon and extends Weber’s (1982) pioneering analysis of the concept of an audit trail, incorporating recent developments from the fields of computer security and temporal modeling in databases. A review of current usage suggests that the term audit trail is being used in two distinct senses: as meaning an abstract property of an accounting information system and as meaning a concrete log file. The various kinds and purposes of log files are analyzed, and a classification system is proposed. The more general audit trail concept is then discussed. A definition of the property of audit trail which captures the notion behind its use in current literature is proposed. It is shown that the various categories of information that are found in log files can be explained in terms of this definition, but that the property of audit trail does not intrinsically require the use of any log files. The “loss” of the audit trail brought about by the move from manual accounting systems to computer-based ones, and from register-orientated designs to database systems, is discussed and a description of the nature of the change is proposed.

Added 2002-07-26

NADIR: An Automated System for Detecting Network Intrusions and Misuse*

Judith Hochberg, Kathleen Jackson, Cathy Stallings, J. F. McClary, David DuBois, Josephine Ford

This paper describes a misuse detection system for Los Alamos National Laboratory’s Integrated Computing Network (ICN). This automated expert system, the Network Anomaly Detection and Intrusion Reporter (NADIR), streamlines and supplements the manual audit record review traditionally performed by security auditors. NADIR compares network activity, as summarized in weekly profiles of individual users and the ICN as a whole, against expert rules that define security policy and improper or suspicious behavior. NADIR reports suspicious behavior to security auditors and provides tools to aid in follow-up investigations. This paper describes analysis by NADIR of two types of ICN activity: user authentication and access control, and mass file storage. It highlights system design issues of data handling, exploiting existing auditing systems, and performing audit analysis at the network level.

Added 2002-07-26

Preliminary report on Advanced Security Audit Trail Analysis on Unix (ASAX, also called SAT-X)

Naji Habra, Baudouin Le Charlier, Abdelaziz Mounji, Isabelle Mathieu

The ASAX project is a joint project involving SWN in Rhines and the Institute d’Informatique (FUNDP) in Namur. This project aims at defining and implementing a commercial system for universal, efficient and powerful audit trail analysis corresponding to security level B3. However, implementation of a commercial system is only a middle term objective. In the short term it has been decided to specify, design and implement a prototype version of the system. This prototype version will be satisfactory only if it demonstrates the feasibility of these main features of the system: universality, efficiency and power. Therefore we will concentrate on the essential aspects, leaving out aspects like user friendly interfaces, many data types handling,...

Added 2002-07-26

Intrusion detection: approach and performance issues of the SECURENET system*

Michel Denault, Dimitris Gritzalis, Dimitris Karagiannis, Paul Spirakis

The first aim of this paper is to provide a comparison between the generic characteristics of the detection-by-appearance and the detection-by-behavior models for malicious software intrusion detection, and thus to discuss the efficiency of intrusion detection systems based on AI technologies. We introduce the SECURENET system, an experimental intrusion detection intelligent system, which incorporates the use of expert systems, neural networks, and intent specification languages. The second goal is to present the basis of a reaction-time delay analysis for SECURENET in a typical WAN environment. Together with the proportion of attacks detected, reaction time is one of the main efficiency criteria of an intrusion detection system.

Added 2002-07-26

State Transition Analysis: A Rule-Based Intrusion Detection Approach

Koral Ilgun, Richard A. Kemmerer, Phillip A. Porras

This paper presents a new approach to representing and detecting computer penetrations in real-time. The approach, called state transition analysis, models penetrations as a series of state changes that lead from an initial secure state to a target compromised state. State transition diagrams, the graphical representation of penetrations, identify precisely the requirements for the compromise of a penetration and present only the critical events that must occur for the successful completion of the penetration. State transition diagrams are written to correspond to the states of an actual computer system, and these diagrams form the basis of a rule-based expert system for detecting penetrations, called the state transition analysis tool (STAT). The design and implementation of a UNIX-specific prototype of this expert system, called USTAT, is also presented. This prototype provides a further illustration of the overall design and functionality of this intrusion detection approach. Lastly, STAT is compared to the functionality of comparable intrusion detection tools.

Added 2002-07-26

Multivariate Data Analysis Software for Enhancing System Security

Kwok-Yan Lam, Lucas Hui, Siu-Leung Chung

This article describes an intrusion detection technique that aims to enhance the security of computing systems. The idea of intrusion detection is based on the hypothesis that computer users are typically involved in specific types of activity, and the set of programs they will use will normally reflect that activity. Hence, security violations could be detected from abnormal patterns of system usage. Intrusion detection almost invariably involves two components: system monitoring and data analysis. In general, system monitoring records everything that each user performs in the system. Monitoring information is analyzed by use of some data analysis technique to abstract user behavior patterns from the audit log. Although the concept of system monitoring is widely supported in today’s computer systems (at least for accounting purposes), the provision of tools for analyzing monitoring information is not sufficient. We present a multivariate data analysis of user behavior patterns in intrusion detection. Our system records all user activities in each login session; abnormal sessions are identified when the monitoring data are analyzed. Data analysis involves two steps: analysis of correlations and classification of behavior patterns. Analysis of correlations, which is based on standardized principal components analysis, partitions the set of user sessions into groups such that sessions within the same group are closely correlated and hence governed by the same behavior pattern. Classification of behavior patterns is automated by a cluster recognition technique. To visualize analysis results, the multivariate data set is summarized by factor analysis.

Added 2002-07-26

Penetration of Computer Systems - An Overview

R. D. Lackey

Eric Clamons says that when this project was begun they wondered why so little was written about computer penetration. At first they thought nobody wanted to hand a burglar his tools. But now they know: in the search for a new way to present the subject they discovered that what applies to all systems is trivial, and what is of depth applies only to a specific system. The first part of this paper does present successfully a not too trivial generalization of methods of attack; later a continual battle between trivia and specifics can be seen. Can our readers do better?

Added 2002-07-26

The Design of an Audit Trail Sanitization Tool

Eric A. Fisch, Gregory B. White, Udo W. Pooch

This paper discusses the design of a tool that automatically removes security-sensitive information from intruder activity log files collected at a compromised site. The sanitization of sensitive information will enable researchers to further study the log files without further compromising the security of the affected sites. The paper begins with a brief discussion of the importance of such a tool and a description of the complete sanitization process. This is followed by an examination of the important design issues of the sanitizer. The paper concludes with the final design of a sanitizer for SunOS based intruder activity logs.

Added 2002-07-26

Continuous Assessment of a Unix Configuration: Integrated Intrusion Detection and Configuration Analysis

Abdelaziz Mounji, Baudouin Le Charlier

Computer security is a topic of growing concern because, on the one hand, the power of computers continues to increase at exponential speed and all computers are virtually connected to each other and because, on the other hand, the lack of reliability of software systems may cause dramatic and unrecoverable damage to computer systems and hence to the newly emerging computerized society. Among the possible approaches to improve the current situation, expert systems have been advocated to be an important one. Typical tasks that such expert systems can achieve include evaluating the security level of a software configuration and detecting malicious or incorrect behaviors of users. In this paper, we extend our intrusion detection system ASAX with a deductive subsystem that allows us to assess the security level of a software configuration on a real time basis. By coupling the two subsystems - intrusion detection and configuration analysis - we moreover achieve a better tuning of the intrusion detection since the system has only to enable intrusion detection rules that are specifically required by the current state of the configuration. We also report some preliminary performance measurements, which suggest that our approach can be practical in real life contexts.

Added 2002-07-26