Abstract
Today's computer systems are vulnerable both to abuse by insiders and to
penetration by outsiders, as evidenced by the growing number of incidents reported
in the press. To close all security loopholes from today's systems is infeasible, and
no combination of technologies can prevent legitimate users from abusing their
authority in a system; thus auditing is viewed as the last line of defense.
Over the past several years, the computer security community has been developing
automated tools to analyze computer system audit data for suspicious user behavior.
This paper describes the use of such tools for detecting computer system intrusion
and describes futher technologies that may be of use for intrusion detection in the
future.