Abstract
A model of a real-time intrusion-detection expert system capable of detecting
break-ins, penetrations, and other forms of computer abuse is described. The
model is based on the hypothesis that security violations can be detected
by monitoring a system's audit records for abnormal patterns of system usage.
The model includes profiles for representing the behavior of subjects with
respect to objects in terms of metrics and statistical models, and rules for
acquiring knowledge about the behavior from audit records and for detecting
anomalous behavior. The model is independent of any particular system,
application environment, system vulnerability, or type of intrusion, thereby
providing a framework for a general-purpose intrusion detection expert system.
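The abstract describes the model only in outline: a profile per subject/object pair, a metric observed from audit records, a statistical model of that metric, and a rule that raises an alert when a new record falls outside what the model predicts. The following is an added example, not code from the paper or from any implementation of it, showing one minimal instance of that structure in Python. The concrete choices are assumptions of this example: the audit-record fields, the metric (number of files touched per session), a running mean and standard deviation as the statistical model, a fixed threshold in standard deviations, a cold-start guard so that a profile with too little history never alerts, and the policy that anomalous records do not train the profile. The audit records are constructed sample data.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    """One audit record: a subject performed an action on an object.

    The field names and the metric are assumptions of this example."""
    subject: str   # e.g. a user name
    action: str    # e.g. "read"
    obj: str       # e.g. a directory
    value: float   # observed metric, here: files touched in this session


class Profile:
    """Running mean and standard deviation for one (subject, action, object).

    Welford's online update is used so the profile is maintained record by
    record without storing the history. The abstract only says
    'statistical models'; this particular statistic is a choice made here."""

    def __init__(self) -> None:
        self.n = 0
        self.mean = 0.0
        self._m2 = 0.0   # running sum of squared deviations from the mean

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self._m2 += delta * (x - self.mean)

    def stddev(self) -> float:
        # sample standard deviation; zero until at least two observations
        return math.sqrt(self._m2 / (self.n - 1)) if self.n > 1 else 0.0


class AnomalyDetector:
    """Keeps one Profile per (subject, action, object) and flags outliers."""

    def __init__(self, min_observations: int = 5, threshold: float = 3.0) -> None:
        self.profiles = defaultdict(Profile)
        self.min_observations = min_observations   # cold-start guard (assumption)
        self.threshold = threshold                 # in standard deviations (assumption)

    def is_anomalous(self, profile: Profile, value: float) -> bool:
        if profile.n < self.min_observations:
            return False   # too little history to judge this subject/object
        deviation = abs(value - profile.mean)
        sd = profile.stddev()
        if sd == 0.0:
            # perfectly constant history: any change at all is a deviation
            return deviation > 0.0
        return deviation > self.threshold * sd

    def process(self, record: AuditRecord):
        """Return an alert dict for an anomalous record, else None."""
        key = (record.subject, record.action, record.obj)
        profile = self.profiles[key]
        if self.is_anomalous(profile, record.value):
            return {
                "subject": record.subject, "action": record.action,
                "obj": record.obj, "value": record.value,
                "mean": profile.mean, "stddev": profile.stddev(),
            }
        # Only records judged normal train the profile, so an ongoing
        # intrusion cannot drag the baseline toward itself.
        profile.update(record.value)
        return None


def detect(records, min_observations: int = 5, threshold: float = 3.0):
    """Run every record through one detector; return the alerts raised."""
    detector = AnomalyDetector(min_observations, threshold)
    alerts = [detector.process(r) for r in records]
    return [a for a in alerts if a is not None]


def build_sample_records():
    """Constructed sample audit trail (not real data).

    alice reads 8-13 files per session, then suddenly 150.
    bob has only three sessions, so even his 400 is below the cold-start
    guard and must not alert: the model needs history before it can judge."""
    alice = [8, 10, 11, 9, 12, 10, 13, 150]
    bob = [5, 6, 400]
    records = [AuditRecord("alice", "read", "/home/alice", float(v)) for v in alice]
    records += [AuditRecord("bob", "read", "/home/bob", float(v)) for v in bob]
    return records


if __name__ == "__main__":
    for alert in detect(build_sample_records()):
        print(alert)
```

With alice's first seven sessions the profile has mean 10.43 and standard deviation about 1.7, so 13 passes and 150 is flagged; bob's 400 is silently absorbed because his profile has fewer than five observations, which is the cold-start problem any profile-based detector has to manage before it can be trusted on a new subject.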