The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive


A Model of Security Monitoring

Matt Bishop

We present a formal model of security monitoring that distinguishes two different methods of recording information (logging) and two different methods of analyzing information (auditing).  From this model we draw implications for the design and use of security monitoring mechanisms.  We then apply the model to security mechanisms for statistical databases, monitoring mechanisms for computer systems, and backups, to demonstrate the model's usefulness.

Added 2002-07-26

CERIAS Classic Vulnerability Database User Manual

CERIAS TR 2000-17
Guangfeng Song, Salvador Mandujano, Pascal Meunier
Download: PDF
Added 2002-07-26

Doing Intrusion Detection Using Embedded Sensors

CERIAS TR 2000-21
Diego Zamboni
Download: PDF

Intrusion detection systems have usually been developed using large host-based components. These components impose an extra load on the system where they run (sometimes even requiring a dedicated system) and are subject to tampering or disabling by an intruder.  Additionally, intrusion detection systems have usually obtained information about host behavior through indirect means, such as audit trails or network packet traces. This potentially allows intruders to modify the information before the intrusion detection system obtains it, making it possible for an intruder to hide his activities.  In this document I propose work that will attempt to show that it is possible to perform intrusion detection using small sensors embedded in a computer system. These sensors will look for signs of specific intrusions.  They will perform target monitoring by observing the behavior of the system directly, instead of through an audit trail or other indirect means. Furthermore, by being built into the code of the operating system and its programs, they may not impose a considerable extra load on the host they monitor.  I will also explore the possibility of applying a group of sensors built to detect known intrusions to detecting new intrusions. If this is shown to be possible, it would be a step towards determining the types of data that need to be collected to successfully detect new intrusions.  The work I propose is divided into four stages: a) building the necessary infrastructure for the implementation of the sensors, b) implementing sensors for detecting known intrusions, c) testing new attacks against the group of implemented sensors, and d) performing analysis on the data obtained in step (c) to determine if the existing sensors can be used to detect new attacks.

Added 2002-07-26

A Secure Approach to Protect Against Software Piracy

Ulf Carlsen, Vladimir Oleshchuk, Arild Haglund

This poster presents a new approach and a tool to protect freely distributed software applications against unauthorized usage.  The approach aims to provide an optimal degree of security while simultaneously maintaining an acceptable performance level.  The tool demonstrates that the new approach, combined with powerful smartcards with high processing and storage capacity, permits the implementation of a practical software protection system where decryption and execution of software fragments are handled by the smartcard, and no longer by the host.

Added 2002-07-26

Bro: A System for Detecting Network Intruders in Real-Time

Vern Paxson

We describe Bro, a stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder's traffic transits.  We give an overview of the system's design, which emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility.  To achieve these ends, Bro is divided into an "event engine" that reduces a kernel-filtered network traffic stream into a series of higher-level events, and a "policy script interpreter" that interprets event handlers written in a specialized language used to express a site's security policy. Event handlers can update state information, synthesize new events, record information to disk, and generate real-time notifications via syslog.  We also discuss a number of attacks that attempt to subvert passive monitoring systems and defenses against these, and give particulars of how Bro analyzes the four applications integrated into it so far: Finger, FTP, Portmapper and Telnet.  The system is publicly available in source code form.

Added 2002-07-26

Intrusion Detection Systems and a View to Its Forensic Applications

Traditional computer security has often emphasized prevention, and to a lesser degree, the detection of system security violations.  However, it is recognized that the forensic aspect of the overall model of computer security is equally important.  The area of computer forensics lends itself heavily to the response to a criminal violation that has already occurred on a system.  This paper views a forensic application within the framework of Intrusion Detection and details work accomplished on a prototype anomaly Intrusion Detection system.

Added 2002-07-26

Mining in a Data-flow Environment: Experience in a Network Intrusion Detection

Wenke Lee, Salvatore J. Stolfo, Kui W. Mok

We discuss the KDD process in "data-flow" environments, where unstructured and time-dependent data can be processed into various levels of structured and semantically rich forms for analysis tasks.  Using network intrusion detection as a concrete application example, we describe how to construct models that are both accurate in describing the underlying concepts and efficient when used to analyze data in real-time.  We present procedures for analyzing frequent patterns from lower-level data and constructing appropriate features to formulate higher-level data.  The features generated from various levels of data have different computational costs (in time and space).  We show that in order to minimize the time required in using the classification models in a real-time environment, we can exploit the "necessary conditions" associated with the low-cost features to determine whether some high-cost features need to be computed and the corresponding classification rules need to be checked.  We have applied our tools to the problem of building network intrusion detection models.  We report our experiments using the network data provided as part of the 1998 DARPA Intrusion Detection Evaluation program.  We also discuss our experience in using the mined models in NFR, a real-time network intrusion detection system.

Added 2002-07-26

Experience with Emerald to Date

Peter G. Neumann and Phillip A. Porras

After summarizing the EMERALD architecture and the evolutionary process from which EMERALD has evolved, this paper focuses on our experience to date in designing, implementing, and applying EMERALD to various types of anomalies and misuse.  The discussion addresses the fundamental importance of good software engineering practice and the importance of the system architecture….

Added 2002-07-26

Synthesizing Fast Intrusion Prevention/Detection Systems from High-Level Specifications

R. Sekar, P. Uppuluri

To build survivable information systems (i.e., systems that continue to provide their services in spite of coordinated attacks), it is necessary to detect and isolate intrusions before they impact system performance or functionality.  Previous research in this area has focused primarily on detecting intrusions after the fact, rather than preventing them in the first place.  We have developed a new approach based on specifying intended program behaviors using patterns over sequences of system calls.  The patterns can also capture conditions on the values of system-call arguments.  At runtime, we intercept the system calls made by processes, compare them against specifications, and disallow (or otherwise modify) those calls that deviate from specifications.  Since our approach is capable of modifying a system call before it is delivered to the operating system kernel, it is capable of reacting before any damage-causing system call is executed by a process under attack.  We present our specification language and illustrate its use by developing a specification for the ftp server.  Observe that in our approach, every system call is intercepted and subject to potentially expensive operations for matching against many patterns that specify normal/abnormal behavior.  Thus, minimizing the overheads incurred for pattern-matching is critical for the viability of our approach.  We solve this problem by developing a new, low-overhead algorithm for matching runtime behaviors against specifications.  A salient feature of our algorithm is that its runtime is almost independent of the number of patterns.  In most cases, it uses a constant amount of time per system call intercepted, and uses a constant amount of storage, both independent of either the size or number of patterns.  These benefits make our algorithm useful for many other intrusion detection methods that employ pattern-matching.  We describe our algorithm, and evaluate its performance through experiments.

Added 2002-07-26

Mobile Agent Security

Christian F. Tschudin
Added 2002-07-26

With Microscope and Tweezers: The Worm from MIT's Perspective

Jon A. Rochlis and Mark W. Eichin
Added 2002-07-26

Generalized Temporal Role Based Access Control Model (GTRBAC) (Part I) - Specification and Modeling

CERIAS TR 2001-47
James B. D. Joshi, Elisa Bertino, Usman Latif, Arif Ghafoor
Download: PDF

A temporal RBAC (TRBAC) model has recently been proposed that addresses the temporal aspects of roles and trigger-based role enabling. However, it is limited to constraints on the enabling of roles only. We propose a Generalized Temporal Role Based Access Control model (GTRBAC) that is capable of expressing a wider range of temporal constraints. GTRBAC is capable of expressing periodic as well as duration constraints on roles, user-role assignments and role-permission assignments. In GTRBAC, temporal constraints on role enablings and role activations can be separately specified. A user-activated role can further be restricted by various activation constraints, such as a cardinality constraint or a maximum active duration constraint within a specified interval. The GTRBAC model extends the syntactic structure of the TRBAC model, and its event and trigger expressions subsume those of TRBAC.

Added 2002-07-26

Reasoning about Belief in Cryptographic Protocols

Li Gong, Roger Needham, and Raphael Yahalom

Analysis methods for cryptographic protocols have often focused on information leakage rather than on seeing whether a protocol meets its goals.  Many protocols, however, fall far short of meeting their goals, sometimes for quite subtle reasons

Added 2002-07-26