Abstract
Although a computer system's primary defense is its access controls, access control cannot be relied upon in most cases to safeguard against a penetration or an insider attack. Even the most secure systems are vulnerable to abuse by insiders who misuse their privileges, and audit trails may be the only means of detecting authorized but abusive user activity. While many computer systems collect audit data, most have no capability for automated analysis of that data. Moreover, many systems collect large volumes of data that are not necessarily security relevant. To address the need for automated security analysis of audit trails, SRI is developing a real-time intrusion-detection expert system (NIDES). NIDES is an independent system that runs on its own workstation and processes audit data, characterizing user activity, received from a large target system. NIDES provides a system-independent mechanism for real-time detection of security violations, whether they are initiated by outsiders who attempt to break into a system or by insiders who attempt to misuse their privileges. NIDES detects masquerades by keeping statistical profiles of past user behavior and raising an alarm when observed activity departs from the established patterns of use for individual users. NIDES also includes expert-system rules that characterize certain types of intrusion scenarios.
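The two detection mechanisms the abstract names, per-user statistical profiles that raise an alarm on departure from established behavior and expert-system rules that match known intrusion scenarios, can be illustrated with a small audit-trail analyzer. The following is an added example, not code from SRI or from NIDES: the audit records, the deviation score, the alarm threshold and the two rule names are all constructed here for illustration, and the real system's profile measures, aging and rule base are considerably richer.

```python
"""Added example (not SRI's NIDES code): a toy audit-trail analyzer that
combines per-user statistical profiles with expert-system style rules.
Audit records, thresholds and rule names are constructed for illustration."""
from collections import Counter, defaultdict
from math import sqrt

# Constructed historical audit records: (user, hour_of_day, command).
HISTORY = [
    ("alice", 9, "ls"), ("alice", 10, "vi"), ("alice", 11, "make"),
    ("alice", 14, "ls"), ("alice", 15, "gcc"), ("alice", 16, "vi"),
    ("alice", 9, "make"), ("alice", 10, "ls"), ("alice", 13, "gcc"),
    ("alice", 17, "mail"),
    ("bob", 8, "mail"), ("bob", 9, "ls"), ("bob", 12, "lpr"),
    ("bob", 13, "mail"), ("bob", 15, "ls"), ("bob", 16, "mail"),
]

# Constructed records for one monitored window, including a user with no history.
CURRENT_WINDOW = [
    ("alice", 10, "ls"), ("alice", 11, "vi"),     # ordinary activity for alice
    ("bob", 3, "passwd"), ("bob", 3, "su"),       # off-hours, commands bob never used
    ("bob", 3, "su"), ("bob", 3, "su"),           # repeated su attempts
    ("mallory", 23, "cat"),                       # no profile exists for this user
]

STAT_THRESHOLD = 0.5  # assumed alarm threshold on the [0, 1] deviation score
HOUR_Z_LIMIT = 2.0    # hours more than 2 std devs from the user's mean count as unusual


def build_profiles(history):
    """Per-user profile: command frequency table and hour-of-day mean/std."""
    cmds, hours = defaultdict(Counter), defaultdict(list)
    for user, hour, cmd in history:
        cmds[user][cmd] += 1
        hours[user].append(hour)
    profiles = {}
    for user, counts in cmds.items():
        hs = hours[user]
        mean = sum(hs) / len(hs)
        std = sqrt(sum((h - mean) ** 2 for h in hs) / len(hs)) or 1.0
        profiles[user] = {"cmds": counts, "hour_mean": mean, "hour_std": std}
    return profiles


def deviation_score(profile, records):
    """Fraction of events using a command absent from the profile, averaged
    with the fraction occurring at an unusual hour. Result lies in [0, 1]."""
    if not records:
        return 0.0
    unseen = sum(1 for _, _, cmd in records if cmd not in profile["cmds"])
    off_hours = sum(
        1 for _, hour, _ in records
        if abs(hour - profile["hour_mean"]) / profile["hour_std"] > HOUR_Z_LIMIT
    )
    return (unseen + off_hours) / (2 * len(records))


# Expert-system style rules: each takes (user, profile_or_None, records)
# and returns a detail string when the scenario matches, else None.
def rule_repeated_su(user, profile, records):
    n = sum(1 for _, _, cmd in records if cmd == "su")
    return f"{n} su invocations in window" if n >= 3 else None


def rule_no_profile(user, profile, records):
    return "activity from a user with no historical profile" if profile is None else None


RULES = {"repeated-su": rule_repeated_su, "no-profile": rule_no_profile}


def analyze(history, window):
    """Return the alerts raised for one monitored window of audit records."""
    profiles = build_profiles(history)
    by_user = defaultdict(list)
    for rec in window:
        by_user[rec[0]].append(rec)
    alerts = []
    for user, records in by_user.items():
        profile = profiles.get(user)
        if profile is not None:  # statistical component needs an established profile
            score = deviation_score(profile, records)
            if score > STAT_THRESHOLD:
                alerts.append({"user": user, "kind": "statistical",
                               "detail": f"deviation score {score:.2f}"})
        for name, rule in RULES.items():  # rule component runs for every user
            detail = rule(user, profile, records)
            if detail:
                alerts.append({"user": user, "kind": "rule", "rule": name, "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in analyze(HISTORY, CURRENT_WINDOW):
        print(alert)
```

Run as a script, the analyzer leaves alice alone, raises a statistical alarm for bob (every command in the window is new for him and every event is far outside his usual hours) together with the repeated-su rule, and for mallory fires only the no-profile rule, since there is no established pattern to compare against. That last case is the practical caveat of the profile approach: a statistical detector is blind to users (or masqueraders on fresh accounts) with no history, which is one reason a rule component sits beside it.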