The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive

NADIR: An Automated System for Detecting Network Intrusions and Misuse*

Judith Hochberg, Kathleen Jackson, Cathy Stallings, J. F. McClary, David DuBois, Josephine Ford

This paper describes a misuse detection system for Los Alamos National Laboratory’s Integrated Computing Network (ICN). This automated expert system, the Network Anomaly Detection and Intrusion Reporter (NADIR), streamlines and supplements the manual audit record review traditionally performed by security auditors. NADIR compares network activity, as summarized in weekly profiles of individual users and the ICN as a whole, against expert rules that define security policy and improper or suspicious behavior. NADIR reports suspicious behavior to security auditors and provides tools to aid in follow-up investigations. This paper describes analysis by NADIR of two types of ICN activity: user authentication and access control, and mass file storage. It highlights system design issues of data handling, exploiting existing auditing systems, and performing audit analysis at the network level.

Added 2002-07-26

Preliminary Report on Advanced Security Audit Trail Analysis on UNIX (ASAX, also called SAT-X)

Naji Habra, Baudouin Le Charlier, Abdelaziz Mounji, Isabelle Mathieu

The ASAX project is a joint project involving SWN in Rhines and the Institut d’Informatique (FUNDP) in Namur. This project aims at defining and implementing a commercial system for universal, efficient and powerful audit trail analysis corresponding to security level B3. However, implementation of a commercial system is only a middle-term objective. In the short term it has been decided to specify, design and implement a prototype version of the system. This prototype version will be satisfactory only if it demonstrates the feasibility of these main features of the system: universality, efficiency and power. Therefore we will concentrate on the essential aspects, leaving out aspects like user-friendly interfaces, handling of many data types, etc.

Added 2002-07-26

Intrusion Detection: Approach and Performance Issues of the SECURENET System*

Michel Denault, Dimitris Gritzalis, Dimitris Karagiannis, Paul Spirakis

The first aim of this paper is to provide a comparison between the generic characteristics of the detection-by-appearance and the detection-by-behavior models for malicious software intrusion detection, and thus to discuss the efficiency of intrusion detection systems based on AI technologies. We introduce the SECURENET system, an experimental intrusion detection intelligent system, which incorporates the use of expert systems, neural networks, and intent specification languages. The second goal is to present the basis of a reaction-time delay analysis for SECURENET in a typical WAN environment. Together with the proportion of attacks detected, reaction time is one of the main efficiency criteria of an intrusion detection system.

Added 2002-07-26

State Transition Analysis: A Rule-Based Intrusion Detection Approach

Koral Ilgun, Richard A. Kemmerer, Phillip A. Porras

This paper presents a new approach to representing and detecting computer penetrations in real time. The approach, called state transition analysis, models penetrations as a series of state changes that lead from an initial secure state to a target compromised state. State transition diagrams, the graphical representation of penetrations, identify precisely the requirements for the compromise of a penetration and present only the critical events that must occur for the successful completion of the penetration. State transition diagrams are written to correspond to the states of an actual computer system, and these diagrams form the basis of a rule-based expert system for detecting penetrations, called the state transition analysis tool (STAT). The design and implementation of a UNIX-specific prototype of this expert system, called USTAT, is also presented. This prototype provides a further illustration of the overall design and functionality of this intrusion detection approach. Lastly, STAT is compared to the functionality of comparable intrusion detection tools.

Added 2002-07-26

Multivariate Data Analysis Software for Enhancing System Security

Kwok-Yan Lam, Lucas Hui, Siu-Leung Chung

This article describes an intrusion detection technique that aims to enhance the security of computing systems. The idea of intrusion detection is based on the hypothesis that computer users are typically involved in specific types of activity, and the set of programs they use will normally reflect that activity. Hence, security violations could be detected from abnormal patterns of system usage. Intrusion detection almost invariably involves two components: system monitoring and data analysis. In general, system monitoring records everything that each user performs in the system. Monitoring information is analyzed by use of some data analysis technique to abstract user behavior patterns from the audit log. Although the concept of system monitoring is widely supported in today’s computer systems (at least for accounting purposes), the provision of tools for analyzing monitoring information is not sufficient. We present a multivariate data analysis of user behavior patterns in intrusion detection. Our system records all user activities in each login session; abnormal sessions are identified when the monitoring data are analyzed. Data analysis involves two steps: analysis of correlations and classification of behavior patterns. Analysis of correlations, which is based on standardized principal components analysis, partitions the set of user sessions into groups such that sessions within the same group are closely correlated and hence governed by the same behavior pattern. Classification of behavior patterns is automated by a cluster recognition technique. To visualize analysis results, the multivariate data set is summarized by factor analysis.

Added 2002-07-26

Penetration of Computer Systems: An Overview

R. D. Lackey

Eric Clamons says that when this project was begun they wondered why so little was written about computer penetration. At first they thought nobody wanted to hand a burglar his tools. But now they know: in the search for a new way to present the subject they discovered that what applies to all systems is trivial, and what is of depth applies only to a specific system. The first part of this paper does present successfully a not-too-trivial generalization of methods of attack; later a continual battle between trivia and specifics can be seen. Can our readers do better?

Added 2002-07-26

The Design of an Audit Trail Sanitization Tool

Eric A. Fisch, Gregory B. White, Udo W. Pooch

This paper discusses the design of a tool that automatically removes security-sensitive information from intruder activity log files collected at a compromised site. The sanitization of sensitive information will enable researchers to further study the log files without further compromising the security of the affected sites. The paper begins with a brief discussion of the importance of such a tool and a description of the complete sanitization process. This is followed by an examination of the important design issues of the sanitizer. The paper concludes with the final design of a sanitizer for SunOS-based intruder activity logs.

Added 2002-07-26

Continuous Assessment of a UNIX Configuration: Integrated Intrusion Detection and Configuration Analysis

Abdelaziz Mounji, Baudouin Le Charlier

Computer security is a topic of growing concern because, on the one hand, the power of computers continues to increase at exponential speed and all computers are virtually connected to each other, and because, on the other hand, the lack of reliability of software systems may cause dramatic and unrecoverable damage to computer systems and hence to the newly emerging computerized society. Among the possible approaches to improve the current situation, expert systems have been advocated as an important one. Typical tasks that such expert systems can achieve include evaluating the security level of a software configuration and detecting malicious or incorrect behaviors of users. In this paper, we extend our intrusion detection system ASAX with a deductive subsystem that allows us to assess the security level of a software configuration on a real-time basis. By coupling the two subsystems (intrusion detection and configuration analysis) we moreover achieve a better tuning of the intrusion detection, since the system has only to enable intrusion detection rules that are specifically required by the current state of the configuration. We also report some preliminary performance measurements, which suggest that our approach can be practical in real-life contexts.

Added 2002-07-26

Is Your Computer Insecure?

Charles W. Beardsley

Sleepless nights face the data-processing manager who attempts to identify the many destructive fates that can await his computer center: fraud, hardware and software failures, operator errors, input errors, programming errors, magnetic erasure, electromagnetic and acoustic monitoring... Hardware and software techniques to prevent such disasters as leakage of private information, penetration of a computerized information center, and the alteration or destruction of a database are surveyed in this article. Areas of concern include remote-terminal access, cryptography, the communication subsystem, threat monitoring, processing controls, certification, and the internal audit.

Added 2002-07-26

A Critical Analysis of Vulnerability Taxonomies

Matt Bishop, David Bailey

Computer vulnerabilities seem to be omnipresent. In every system fielded, programming errors, configuration errors, and operation errors have allowed unauthorized users to enter systems, or authorized users to take unauthorized actions. Efforts to eliminate the flaws have failed miserably; indeed, sometimes attempts to patch a vulnerability have increased the danger. Further, designers and implementers rarely learn from the mistakes of others, in part because these security holes are so rarely documented in the open literature.

Added 2002-07-26

A Taxonomy of UNIX System and Network

Matt Bishop

In this paper, we shall build on prior work to present another taxonomy, and argue that this classification scheme highlights characteristics of the vulnerabilities it classifies in a more useful way than other work. We shall then examine vulnerabilities in the UNIX operating system, its system and ancillary software, and classify the security-related problems along several axes, after which we shall examine the earlier work to see if this taxonomy holds for other systems. The unique contribution of this work is an analysis of how to use the Protection Analysis work to improve security of existing systems, and how to write programs with minimal exploitable security flaws. This contrasts with the work in [4], which argued that a preventative approach using formal methods to design secure systems is appropriate. We emphatically agree; however, as nonsecure systems continue to be used, our work is presented with the hope that it will guide maintainers and software implementers to improve the security of these flawed systems and software.

Added 2002-07-26

Asynchronous Transfer Mode Security

Mohammad Peyravian, Thomas D. Tarman

It is envisioned that asynchronous transfer mode (ATM) will provide scalable and high-performance application-independent security services. The ATM Forum Security Working Group is currently developing its phase one security specification, which defines a number of security services for the ATM user plane and control plane. In addition, mechanisms for carrying security-related messages and the required security infrastructure are being defined. These mechanisms will allow an organization to build an ATM network which not only meets its performance objectives, but also its information protection requirements as specified in its site security policy. This article provides an overview of ATM security as specified by the ATM Forum Security Working Group. First, the ATM user and control planes’ security services and mechanisms are described. Then the security messaging mechanisms at connection establishment and during the connection lifetime phases are discussed.

Added 2002-07-26

Securing Data Transfer in Asynchronous Transfer Mode Networks

Robert H. Deng, Aurel A. Lazar

Asynchronous Transfer Mode (ATM), which can provide integrated services of various media types and bit rates, is rapidly becoming the dominant technology for local and wide area information transport. In this paper we present a network security architecture for secure data transfer in ATM networks. The proposed architecture facilitates seamless integration of security services into the existing ATM architecture and conforms to the ATM B-ISDN PRM: security-related signaling functionality, such as mutual end system authentication, establishment of security associations, and cryptographic key distribution, is carried out in the control plane, while protection of traffic is achieved by defining a Data Protection Layer in the user plane.

Added 2002-07-26

A Certification Infrastructure for ATM

Mohammad Peyravian, Gene Tsudik, Els Van Herreweghen

This contribution proposes a public-key infrastructure for ATM. It defines a framework for certificate-based public key management and addresses inter-domain certification and certificate revocation. It also proposes a scheme for distribution of certificates and certificate revocation lists in the absence of directory services.

Added 2002-07-26

A Framework for Authenticated Key Distribution in ATM Networks

Mohammad Peyravian, Gene Tsudik, Els Van Herreweghen

This contribution proposes a framework for authenticated key distribution in ATM networks in endpoint-to-endpoint, switch-to-switch, and endpoint-to-switch settings. The proposal is for a two-tiered hierarchy with initial pairwise key distribution based on public key cryptography and subsequent session key distribution based on conventional cryptography. All protocols are derived from existing international standards and offer flexibility with respect to the number of message flows and the use of encryption.

Added 2002-07-26