Abstract
Most automated packages for intrusion detection focus on determining if a
collection of audit data is suspicious. Package developers assume that
the System Security Officer (SSO) will combine the results of their
tools with a careful inspection of the logs to determine if indeed there
is evidence of intrusive activity. In practice, most administrators
rely exclusively on the conclusions generated by such packages. As a
result, very few methods have been developed to browse the raw audit
trails. This thesis presents a new approach to this problem.
By treating conceptual entities in an audit trail as objects, a
framework for observing how entities interact can be developed. All of
the records of interest are first scanned to determine the objects
and actions of interest. During this initial scanning phase, the
objects are interconnected based on how each affects the other, much
like a directed graph. The vertices and edges represent the objects
and actions respectively. Then, by focusing initially on one object
of interest, an SSO can quickly determine how that object affected or
was affected by any other object by noting the direction and type of
the edge connecting the nodes. Say, for example, a process with limited
privilege was able to create a new process with unlimited privileges
by executing one action. The two processes are represented by two
vertices, and the action of gaining privilege by a directed edge from
the first process to the second. By focusing in turn on these new
objects, the SSO can then determine how other nodes were directly or
indirectly affected by the first object simply by following the next
set of edges.
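The scanning and browsing scheme just described, as an added illustration that is not the thesis's prototype: audit records are reduced to (subject, action, object) triples, a single pass builds the directed graph, and forward and reverse walks from one entity of interest list everything it affected or was affected by, with the chain of edges that connects them. The record format, entity names (`proc:…`, `file:…`, `user:…`) and the action vocabulary, including the `setuid` edge standing in for the privilege-gaining action, are assumptions made for this example, and the records themselves are constructed.

```python
"""Graph-based browsing of an audit trail (illustrative, not the thesis code).

Each record is a (subject, action, object) triple; the format and the
entity/action names are assumptions for this example only.
"""
from collections import defaultdict, deque

# Constructed sample audit records, not taken from any real system.
SAMPLE_RECORDS = [
    ("user:alice",        "login",  "proc:101:sh"),
    ("proc:101:sh",       "exec",   "proc:102:cp"),
    ("proc:102:cp",       "write",  "file:/tmp/x"),
    ("proc:101:sh",       "exec",   "proc:103:su"),
    ("proc:103:su",       "setuid", "proc:104:root_sh"),  # privilege gained
    ("proc:104:root_sh",  "write",  "file:/etc/passwd"),
    ("proc:104:root_sh",  "exec",   "proc:105:vi"),
    ("proc:105:vi",       "read",   "file:/etc/shadow"),
    ("proc:200:cron",     "exec",   "proc:201:mail"),    # unrelated activity
]


class AuditGraph:
    """Vertices are audit-trail entities; each edge is one recorded action."""

    def __init__(self):
        self.out_edges = defaultdict(list)  # src -> [(action, dst)]
        self.in_edges = defaultdict(list)   # dst -> [(action, src)]

    @classmethod
    def from_records(cls, records):
        """Initial scanning phase: one pass over the records builds the graph."""
        g = cls()
        for subject, action, obj in records:
            g.out_edges[subject].append((action, obj))
            g.in_edges[obj].append((action, subject))
        return g

    def _walk(self, start, edges, forward):
        # Breadth-first walk; maps each reached entity to the list of
        # (src, action, dst) edges that connects it to `start`.
        paths = {start: []}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for action, nxt in edges.get(node, []):
                if nxt in paths:
                    continue
                edge = (node, action, nxt) if forward else (nxt, action, node)
                paths[nxt] = paths[node] + [edge]
                queue.append(nxt)
        del paths[start]
        return paths

    def affected_by(self, entity):
        """Entities that `entity` affected, directly or transitively."""
        return self._walk(entity, self.out_edges, forward=True)

    def affecting(self, entity):
        """Entities that affected `entity`, directly or transitively."""
        return self._walk(entity, self.in_edges, forward=False)

    def transitions(self, action):
        """All (src, dst) pairs joined by an edge of the given action type."""
        return [(src, dst)
                for src, lst in self.out_edges.items()
                for act, dst in lst if act == action]


def describe_path(path):
    """Render a chain of edges as 'a -act-> b -act-> c'."""
    if not path:
        return ""
    text = path[0][0]
    for src, action, dst in path:
        text += " -%s-> %s" % (action, dst)
    return text


if __name__ == "__main__":
    g = AuditGraph.from_records(SAMPLE_RECORDS)
    # Start from the privilege-gaining edge, then browse outward from it.
    for low, high in g.transitions("setuid"):
        print("privilege gained:", low, "->", high)
        for node, path in g.affected_by(high).items():
            print("  affected:", node, "via", describe_path(path))
        for node, path in g.affecting(low).items():
            print("  led here:", node, "via", describe_path(path))
```

The walk is deliberately breadth-first so the path reported for each entity is the shortest chain of actions from the starting object, which is what an SSO wants to see first when deciding whether a node was really affected or only reachable through unrelated activity.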
An initial prototype program was produced for the UNIX operating
system model and was fairly successful in following entities through
the audit trail. Later efforts tried to extend the model to more
general computational systems.
Of course, the SSO must still possess technical knowledge of any
system to fully analyze the data and realize the implications
of the actions therein: there is no substitute for such expertise.
This thesis presents a new methodology for browsing such data.