The Center for Education and Research in Information Assurance and Security, or CERIAS, is the world's foremost University center for multidisciplinary research and education in areas of information security. Our areas of research include computer, network, and communications security as well as information assurance.


COAST Security Archive Category Index: /pub/doc/intrusion_detection

No Pointing!

This WWW page was generated automatically. Link makers should not point their links to this page. If you must, please make a link to the search entry point.

Naji Habra, Baudouin Le Charlier, Abdelaziz Mounji, Isabelle Mathieu, ASAX: Software Architecture and Rule-base Language for Universal Audit Trail Analysis
Keywords: audit, rulebase, analysis
Abstract: After a brief survey of the problems related to audit trail analysis and of some approaches to deal with them, the paper outlines the project ASAX, which aims at providing an advanced tool to support such analysis. One key feature of ASAX is its elegant architecture, built on top of a universal analysis tool that allows any audit trail to be analyzed after a straightforward format adaptation. Another key feature of the project ASAX is the language RUSSEL, used to express queries on audit trails. RUSSEL is a rule-based language which is tailor-made for the analysis of sequential files in one and only one pass. The design of RUSSEL makes a good compromise between the needed efficiency on the one hand and a suitable declarative look on the other. The language is illustrated by examples of rules for the detection of some representative classical security breaches.

Naji Habra, Baudouin Le Charlier, Abdelaziz Mounji, Isabelle Mathieu, Preliminary Report on Advanced Security Audit Trail Analysis on UNIX
Keywords: intrusion, detection, audit
Abstract: The ASAX project is a joint project involving SWN in Rhines and the Institut d'Informatique (FUNDP) in Namur. This project aims at defining and implementing a commercial system for universal, efficient and powerful audit trail analysis corresponding to security level B3. However, implementation of a commercial system is only a middle term objective. In the short term it has been decided to specify, design and implement a prototype version of the system. This prototype version will be satisfactory only if it demonstrates the feasibility of these main features of the system: universality, efficiency and power.

Mark Crosbie, Bryn Dole, Todd Ellis, Ivan Krsul, Eugene Spafford, IDIOT - Users Guide
Keywords: IDIOT, intrusion detection
Abstract: This manual gives a detailed technical description of the IDIOT intrusion detection system from the COAST Laboratory at Purdue University. It is intended to help anyone who wishes to use, extend or test the IDIOT system. Familiarity with security issues, and intrusion detection in particular, is assumed.

Aurobindo Sundaram, An Introduction to Intrusion Detection (A related WWW homepage exists for this item)
Keywords: intrusion, detection, security
Abstract: This is a survey paper on intrusion detection. It explains the different types of intrusion detection methods (misuse and anomaly), gives different implementation techniques, and discusses the advantages and disadvantages of present methods.

Abdelaziz Mounji, Baudouin Le Charlier, Denis Zampunieris, Naji Habra, Distributed Audit Trail Analysis
Keywords: distributed, audit, analysis, intrusion, detection
Abstract: An implemented system for on-line analysis of multiple distributed data streams is presented. The system is conceptually universal since it does not rely on any particular platform feature and uses format adaptors to translate data streams into its own standard format. The system is as powerful as possible (from a theoretical standpoint) but still efficient enough for on-line analysis thanks to its novel rule-based language (RUSSEL) which is specifically designed for efficient processing of sequential unstructured data streams. In this paper, the generic concepts are applied to security audit trail analysis. The resulting system provides powerful network security monitoring and sophisticated tools for intrusion/anomaly detection. The rule-based and command languages are described as well as the distributed architecture and the implementation. Performance measurements are reported, showing the effectiveness of the approach.

Taimur Aslam, Ivan Krsul, Eugene H. Spafford, Use of A Taxonomy of Security Faults
Keywords: taxonomy, security faults, database, classification, intrusion detection, static audit analysis, fault detection
Abstract: Security in computer systems is important so as to ensure reliable operation and to protect the integrity of stored information. Faults in the implementation of critical components can be exploited to breach security and penetrate a system. These faults must be identified, detected, and corrected to ensure reliability and safeguard against denial of service, unauthorized modification of data, or disclosure of information. We define a classification of security faults in the Unix operating system. We state the criteria used to categorize the faults and present examples of the different fault types. We present the design and implementation details of a prototype database to store vulnerability information collected from different sources. The data is organized according to our fault categories. The information in the database can be applied in static audit analysis of systems, intrusion detection, and fault detection. We also identify and describe software testing methods that should be effective in detecting different faults in our classification scheme.

Jeremy Frank, Artificial Intelligence and Intrusion Detection: Current and Future Directions
Abstract: Intrusion Detection systems (IDSs) have previously been built by hand. These systems have difficulty successfully classifying intruders, and require a significant amount of computational overhead, making it difficult to create robust real-time IDS systems. Artificial Intelligence techniques can reduce the human effort required to build these systems and can improve their performance. Learning and induction are used to improve the performance of search problems, while clustering has been used for data analysis and reduction. AI has recently been used in Intrusion Detection (ID) for anomaly detection, data reduction and induction, or discovery, of rules explaining audit data. We survey uses of artificial intelligence methods in ID, and present an example using feature selection to improve the classification of network connections. The network connection classification problem is related to ID since intruders can create "private" communications services undetectable by normal means. We also explore some areas where AI techniques may further improve IDSs.

Abdelaziz Mounji, Advanced Security audit trail Analysis on uniX
Keywords: audit trail, analysis, intrusion detection, asax
Abstract: This document is a description of the ASAX tool. ASAX is used for audit trail analysis. It is described briefly below.
Introduction: Analyzing substantial amounts of data and extracting relevant information out of huge sequential files has always been a nightmare. And ... it will probably remain so, unless you use ASAX, FUNDP's Advanced Security audit trail Analyzer on uniX. Using highly sophisticated and powerful algorithms, ASAX tremendously simplifies the intelligent analysis of sequential files. Of course, the data should fit the analyzer. Therefore, ASAX has defined a normalized audit file format (NADF) with built-in flexibility to guarantee a simple and straightforward translation of any stream of native data into the normalized sequential files ASAX understands. But ASAX's real power is unleashed by deploying its embedded, easy-to-use rule-based language RUSSEL; this tailor-made analysis tool solves very intricate queries on any sequential data.

National Computer Security Center, A Guide to Understanding Audit in Trusted Systems
Abstract: This publication is being issued by the National Computer Security Center (NCSC) under the authority of and in accordance with Department of Defense (DoD) Directive 5215.1. The guidelines described in this document provide a set of good practices related to the use of auditing in automatic data processing systems employed for processing classified and other sensitive information.

Victor H. Marshall, Intrusion Detection In Computers
Abstract: Summary of the Trusted Information Systems (TIS) report on intrusion detection systems. Computer system security officials typically have very few, if any, good automated tools to gather and process auditing information on potential computer system intruders. It is most challenging to determine just what actions constitute potential intrusion in a complex mainframe computer environment. Trusted Information Systems (TIS), Inc. recently completed a survey to determine what auditing tools are available and what further research is needed to develop automated systems that will reliably detect intruders on mainframe computer systems. Their report

S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, D. Zerkle, GrIDS - A Graph Based Intrusion Detection System for Large Networks
Keywords: intrusion detection, networks, information warfare, computer security, graphs
Abstract: There is widespread concern that large-scale malicious attacks on computer networks could cause serious disruption to network services. We present the design of GrIDS (Graph-Based Intrusion Detection System). GrIDS collects data about activity on computers and network traffic between them. It aggregates this information into activity graphs which reveal the causal structure of network activity. This allows large-scale automated or co-ordinated attacks to be detected in near real-time. In addition, GrIDS allows network administrators to state policies specifying which users may use particular services of individual hosts or groups of hosts. By analyzing the characteristics of the activity graphs, GrIDS detects and reports violations of the stated policy. GrIDS uses a hierarchical reduction scheme for the graph construction, which allows it to scale to large networks. An early prototype of GrIDS has successfully detected a worm attack.

Sandeep Kumar, Eugene H. Spafford, Pattern Matching Model for Misuse Intrusion Detection
Abstract: This paper describes a generic model of matching that can be usefully applied to misuse intrusion detection. The model is based on Colored Petri Nets. Guards define the context in which signatures are matched. The notion of start and final states, and paths between them define the set of event sequences matched by the net. Partial order matching can also be specified in this model. The main benefits of the model are its generality, portability and flexibility.

Sandeep Kumar, Eugene H. Spafford, An Application of Pattern Matching in Intrusion Detection
Abstract: This report examines and classifies the characteristics of signatures used in misuse intrusion detection. Efficient algorithms to match patterns in some of these classes are described. A generalized model for matching intrusion signatures based on Colored Petri Nets is presented, and some of its properties are derived.

Sandeep Kumar, Eugene H. Spafford, A Software Architecture to support Misuse Intrusion Detection
Abstract: Misuse Intrusion Detection has traditionally been understood in the literature as the detection of specific, precisely representable techniques of computer system abuse. Pattern matching is well disposed to the representation and detection of such abuse. Each specific method of abuse can be represented as a pattern and many of these can be matched simultaneously against the audit logs generated by the OS kernel. Using relatively high level patterns to specify computer system abuse relieves the pattern writer from having to understand and encode the intricacies of pattern matching into a misuse detector. Patterns represent a declarative way of specifying what needs to be detected, instead of specifying how it should be detected. We have devised a model of matching based on Colored Petri Nets specifically targeted for misuse intrusion detection. In this paper we present a software architecture for structuring a pattern matching solution to misuse intrusion detection. In the context of an object oriented prototype implementation we describe the abstract classes encapsulating generic functionality and the inter-relationships between the classes.

Mark Crosbie, Eugene Spafford, Applying Genetic Programming to Intrusion Detection
Keywords: intrusion detection, genetic programming
Abstract: This paper presents a potential solution to the intrusion detection problem in computer security. It uses a combination of work in the fields of Artificial Life and computer security. It shows how an intrusion detection system can be implemented using autonomous agents, and how these agents can be built using Genetic Programming. It also shows how Automatically Defined Functions (ADFs) can be used to evolve genetic programs that contain multiple data types and yet retain type-safety. Future work arising from this is also discussed.

Mark Crosbie, Gene Spafford, Defending a Computer System using Autonomous Agents
Abstract: This report presents a prototype architecture of a defense mechanism for computer systems. The intrusion detection problem is introduced and some of the key aspects of any solution are explained. Standard intrusion detection systems are built as a single monolithic module. A finer-grained approach is proposed, where small, independent agents monitor the system. These agents are taught how to recognise intrusive behaviour. The learning mechanism in the agents is built using Genetic Programming. This is explained, and some sample agents are described. The flexibility, scalability and resilience of the agent approach are discussed. Future issues are also outlined.

Calvin Ko, Deborah A. Frincke, Terrence Goan Jr., L. Todd Heberlein, Karl Levitt, Biswanath Mukherjee, Christopher Wee, Analysis of an Algorithm for Distributed Recognition and Accountability
Abstract: Computer and network systems are vulnerable to attacks. Abandoning the existing huge infrastructure of possibly-insecure computer and network systems is impossible, and replacing them by totally secure systems may not be feasible or cost effective. A common element in many attacks is that a single user will often attempt to intrude upon multiple resources throughout a network. Detecting the attack can become significantly easier by compiling and integrating evidence of such intrusion attempts across the network rather than attempting to assess the situation from the vantage point of only a single host. To solve this problem, we suggest an approach for distributed recognition and accountability (DRA), which consists of algorithms which "process", at a central location, distributed and asynchronous "reports" generated by computers (or a subset thereof) throughout the network. Our highest-priority objectives are to observe ways by which an individual moves around in a network of computers, including changing user names to possibly hide his/her true identity, and to associate all activities of multiple instances of the same individual to the same network-wide user. We present the DRA algorithm and a sketch of its proof under an initial set of simplifying albeit realistic assumptions. Later, we relax these assumptions to accommodate pragmatic aspects such as missing or delayed "reports", clock skew, tampered "reports", etc. We believe that such algorithms will have widespread applications in the future, particularly in intrusion-detection systems.

Matt Bishop, A Standard Audit Log Format (A related WWW homepage exists for this item)
Keywords: audit trails, logs, intrusion detection
Abstract: This document describes a standard audit log format. Examples of log records were taken from very different systems, and it is shown how they can be put into the standard log format. This demonstrates that the log format can handle a variety of systems and security policies, from intrusion detection to financial records.

Koral Ilgun, USTAT: A Real Time Intrusion Detection System for UNIX
Abstract: This thesis presents the design and implementation of a real-time intrusion detection tool called USTAT, a State Transition Analysis Tool for UNIX. The original design was first developed by Phillip A. Porras and presented in [Porr91] as STAT, a State Transition Analysis Tool. STAT is a new model for representing computer penetrations, and the model is applied to the development of a real-time intrusion detection tool. In STAT, a penetration is identified as a sequence of state changes that take the computer system from some initial state to a target compromised state. In this document, the development of the first USTAT prototype, which is for SunOS 4.1.1, is described. USTAT makes use of the audit trails that are collected by the C2 Basic Security Module of SunOS, and it keeps track of only those critical actions that must occur for the successful completion of the penetration. This approach differs from other rule-based penetration identification tools that pattern match sequences of audit records.

Built by Mark Crosbie and Ivan Krsul.
