Abstract
This paper presents a new approach to representing and detecting computer
penetrations in real time. The approach, called state transition analysis,
models penetrations as a series of state changes that lead from an initial secure
state to a target compromised state. State transition diagrams, the graphical
representation of penetrations, identify precisely the requirements for the
compromise of a penetration and present only the critical events that must occur
for the successful completion of the penetration. State transition diagrams
are written to correspond to the states of an actual computer system, and
these diagrams form the basis of a rule-based expert system for detecting
penetrations, called the state transition analysis tool (STAT). The design
and implementation of a UNIX-specific prototype of this expert system,
called USTAT, is also presented. This prototype provides a further illustration
of the overall design and functionality of this intrusion detection approach. Lastly,
STAT is compared to the functionality of comparable intrusion detection tools.
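
The following sketch is an added illustration of the idea in the abstract, not code from the paper or from USTAT. It assumes a hypothetical two-transition diagram (a non-root user writes a file, root later executes that file), a hypothetical audit record layout with uid, op and path fields, and constructed sample records; it shows partial matches being tracked as states, dropped when their state assertion stops holding, and reported when the compromised state is reached.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Transition:
    action: str                                    # name of the signature action
    fire: Callable[[dict, dict], Optional[dict]]   # (event, bindings) -> new bindings or None

# Hypothetical diagram (an assumption for illustration):
# S0 -(untrusted_write)-> S1 -(root_exec)-> S2 (compromised)
DIAGRAM = [
    Transition("untrusted_write",
               lambda e, b: {"path": e["path"], "writer": e["uid"]}
               if e["op"] == "write" and e["uid"] != 0 else None),
    Transition("root_exec",
               lambda e, b: dict(b, runner=e["uid"])
               if e["op"] == "exec" and e["uid"] == 0
               and e["path"] == b["path"] else None),
]

def invalidates(e, b):
    """State assertion for S1: the untrusted file must still exist."""
    return e["op"] == "unlink" and e["path"] == b.get("path")

def analyze(events, diagram=DIAGRAM):
    """Return the bindings of every instance that reaches the final state."""
    instances, alerts = [], []      # instance = (index of next transition, bindings)
    for e in events:
        # Drop partial matches whose state no longer holds on the system.
        instances = [(i, b) for i, b in instances if not invalidates(e, b)]
        advanced = []
        for i, b in instances + [(0, {})]:   # (0, {}) is the initial secure state
            nb = diagram[i].fire(e, b)
            if nb is None:
                continue                      # not a critical event for this instance
            if i + 1 == len(diagram):
                alerts.append(nb)             # target compromised state reached
            else:
                advanced.append((i + 1, nb))
        instances += advanced
    return alerts

# Constructed audit records (not real log data).
AUDIT = [
    {"uid": 1001, "op": "write",  "path": "/tmp/a.sh"},
    {"uid": 1001, "op": "read",   "path": "/etc/motd"},   # ignored: not critical
    {"uid": 1002, "op": "write",  "path": "/tmp/b.sh"},
    {"uid": 1002, "op": "unlink", "path": "/tmp/b.sh"},   # S1 ends for b.sh
    {"uid": 0,    "op": "exec",   "path": "/tmp/b.sh"},   # no alert
    {"uid": 0,    "op": "exec",   "path": "/tmp/a.sh"},   # alert
]
```

Calling analyze(AUDIT) reports only the /tmp/a.sh instance, since the b.sh instance was discarded when its state assertion failed.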