The Center for Education and Research in Information Assurance and Security (CERIAS)

Languages and Tools for Rule-Based Distributed Intrusion Detections

Author

Abelaziz Mounji

Entry type

phdthesis

Abstract

The ever-rising complexity of operating systems and communication networks has resulted in an increased difficulty in designing reliable security protection mechanisms. As a last line of defense, automated audit trail analysis can be used to detect various forms of security intrusions. However, automated audit trail analysis is difficult because of the complexity of intrusion patterns, of the lack of a complete model of security intrusions, and of the huge amount of audit data. This difficulty is even compounded in a distributed environment, where attack evidence may span numerous hosts of possibly different architectures, operating systems, and auditing facilities. Because of the lack of an accurate model of security intrusions and because existing audit trails have operating system-specific formats and semantics, we approach the problem of detecting intrusions by designing languages and tools for powerful yet convenient data stream analysis. The proposed approach is independent of any model of security intrusions and of audit data format and semantics, making it possible to implement the detection of new intrusion scenarios as they are learned by security experts. This dissertation describes a novel rule-based language (RUSSEL), tailor-made for efficient processing of sequential unstructured data streams in a heterogeneous multi-host environment. The proposed approach enables correlation of events occurring at multiple hosts and achieves gradual event abstraction at different levels. The universality of the analysis is attained by providing a format adaptor generator, which automatically converts a broad range of native audit trail formats into a Normalized Audit Data Format (NADF). The approach is powerful thanks to the rule-based RUSSEL, which allows us to express and match arbitrary event patterns in the audit trail. The efficiency of the system is attained by a careful implementation design.
We have also developed a deductive system for continuously checking target-system security vulnerabilities. The deductive component is coupled with the audit trail analysis component, thereby enabling an adaptive detection rule set. The proposed approach is computationally viable, as suggested by the performance measurements of the implemented system against real-life penetration scenarios. Performance measurements of the implemented tools on real-life scenarios (in simulated environments) suggest that the approach is computationally viable.

Date

1997 – September

Key alpha

Mounji

Publication Date

0000-00-00

Location

A hard-copy of this is in the Papers Cabinet

BibTeX-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTeX document. Note that the text may not contain all macros that BibTeX supports.