Abstract
The ever-rising complexity of operating systems and communication networks
has resulted in an increased difficulty in designing reliable security
protection mechanisms. As a last line of defense, automated audit trail
analysis can be used to detect various forms of security intrusions.
However, automated audit trail analysis is difficult because of the
complexity of intrusion patterns, the lack of a complete model of
security intrusions, and the huge amount of audit data. This difficulty
is compounded in a distributed environment, where the evidence of an attack
may span numerous hosts of possibly different architectures, operating
systems, and auditing facilities.
Because of the lack of an accurate model of security intrusions and
because existing audit trails have operating system-specific formats
and semantics, we approach the problem of detecting intrusions by designing
languages and tools for powerful yet convenient data stream analysis.
The proposed approach is independent of any model of security intrusions
and audit data format and semantics, making it possible to implement the
detection of new intrusion scenarios as they are learned by security experts.
This dissertation describes a novel rule-based language (RUSSEL), tailor-made
for efficient processing of sequential unstructured data streams in a
heterogeneous multi-host environment. The proposed approach enables the
correlation of events occurring at multiple hosts and achieves gradual event
abstraction at successive levels. The universality of the analysis is attained by
providing a format adaptor generator, which automatically converts a broad
range of native audit trail formats into a Normalized Audit Data Format (NADF).
The approach is powerful thanks to the rule-based RUSSEL, which allows us
to express and match arbitrary event patterns in the audit trail. The
efficiency of the system is attained by a careful implementation design. We
have also developed a deductive system for continuously checking target-system
security vulnerabilities. The deductive component is coupled with the audit
trail analysis component, thereby enabling an adaptive detection rule set.
Performance measurements of the implemented tools on real-life penetration
scenarios (in simulated environments) suggest that the approach is
computationally viable.
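The following Python sketch is an added illustration of the pipeline the abstract describes and is not ASAX or RUSSEL code: per-format adaptors convert two constructed "native" audit formats into one normalized record stream, and two rules over that stream correlate events from several hosts and abstract them in stages, first into a brute-force event and then into a suspected-compromise event. The native formats, the normalized field set, the thresholds and the rule logic are all assumptions of this example; the real NADF layout and RUSSEL syntax are not reproduced here.

```python
"""Illustrative audit-trail pipeline: adaptors -> normalized stream -> rules.

Assumed for this example: two invented native formats, a normalized record
with the fields in FIELDS, and two hand-written rules. None of this is the
ASAX/RUSSEL implementation; it only mirrors the architecture in the abstract.
"""
import re
from collections import defaultdict

# Constructed sample records (not real audit data).
# Format A: syslog-like key=value text from host "hostA".
NATIVE_A = [
    "1001 hostA login user=alice result=FAIL src=10.0.0.5",
    "1003 hostA login user=alice result=FAIL src=10.0.0.5",
    "1010 hostA su user=bob result=OK src=-",
]
# Format B: comma-separated fields from host "hostB".
NATIVE_B = [
    "1005,hostB,login,alice,FAIL,10.0.0.5",
    "1007,hostB,login,alice,OK,10.0.0.5",
    "1020,hostB,login,carol,FAIL,10.0.0.9",
]

# Assumed normalized record layout (stand-in for a NADF-style record).
FIELDS = ("time", "host", "event", "user", "result", "src")

_A_RE = re.compile(r"(\d+) (\S+) (\S+) user=(\S+) result=(\S+) src=(\S+)")


def adapt_a(line):
    """Format-A adaptor: one native line -> one normalized record."""
    m = _A_RE.fullmatch(line)
    if m is None:
        raise ValueError(f"unparseable format-A record: {line!r}")
    rec = dict(zip(FIELDS, m.groups()))
    rec["time"] = int(rec["time"])
    return rec


def adapt_b(line):
    """Format-B adaptor: one CSV line -> one normalized record."""
    parts = line.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"unparseable format-B record: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["time"] = int(rec["time"])
    return rec


def normalize(sources):
    """Merge adapted records from every host into one time-ordered stream."""
    stream = [adapt(line) for adapt, lines in sources for line in lines]
    stream.sort(key=lambda r: r["time"])
    return stream


THRESHOLD = 3   # failed logins per user that constitute a brute-force attempt
WINDOW = 60     # seconds within which the failures (and the later success) must fall


def detect(stream, threshold=THRESHOLD, window=WINDOW):
    """Run two layered rules over the normalized stream; return abstract events.

    Rule 1 (low -> mid level): >= threshold failed logins for one user, on any
    combination of hosts, within `window` seconds -> BRUTE_FORCE event.
    Rule 2 (mid -> high level): a BRUTE_FORCE event for a user followed within
    `window` seconds by a successful login of that user -> SUSPECTED_COMPROMISE.
    """
    failures = defaultdict(list)   # user -> [(time, host), ...] inside the window
    armed = {}                     # user -> time of the BRUTE_FORCE event
    alerts = []
    for r in stream:
        if r["event"] != "login":
            continue               # other event types are not used by these rules
        u, t = r["user"], r["time"]
        if r["result"] == "FAIL":
            failures[u] = [(ft, h) for ft, h in failures[u] if t - ft <= window]
            failures[u].append((t, r["host"]))
            if len(failures[u]) >= threshold and u not in armed:
                armed[u] = t
                alerts.append({"event": "BRUTE_FORCE", "user": u, "time": t,
                               "hosts": sorted({h for _, h in failures[u]})})
        elif r["result"] == "OK" and u in armed and t - armed[u] <= window:
            alerts.append({"event": "SUSPECTED_COMPROMISE", "user": u,
                           "time": t, "host": r["host"]})
            del armed[u]
            failures[u].clear()
    return alerts


def run_example():
    """Full pipeline over the constructed sample data."""
    stream = normalize([(adapt_a, NATIVE_A), (adapt_b, NATIVE_B)])
    return detect(stream)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two points the sketch makes visible: the rules never see the native formats, so adding a new audit source means writing one adaptor and no rule changes, and the adaptors reject records they cannot parse instead of silently producing partial records, since an attacker-controlled field that breaks the parser should surface as an error rather than vanish from the stream.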