Title: A Guide to Understanding Audit in Trusted Systems
Authors: National Computer Security Center
Abstract:
- This publication, is being issued by the National Computer Security
Center (NCSC) under the authority of and in accordance with
Department of Defense (DoD) Directive 5215.1. The guidelines
described in this document provide a set of good practices
related to the use of auditing in automatic data processing
systems employed for processing classified and other sensitive
information.
Title: An Application of Pattern Matching in Intrusion Detection
Authors: Sandeep Kumar Eugene H. Spafford
Abstract:
- This report examines and classifies the characteristics of signatures
used in misuse intrusion detection. Efficient algorithms to match
patterns in some of these classes are described. A generalized model
for matching intrusion signatures based on Colored Petri Nets is
presented, and some of its properties are derived.
Title: Artificial Intelligence and Intrusion Detection: Current and Future Directions
Authors: Jeremy Frank
Abstract:
- Intrusion Detection systems (IDSs) have previously been
built by hand. These systems have difficulty successfully classifying
intruders, and require a significant amount of computa- tional
overhead making it difficult to create robust real-time IDS systems.
Artificial Intelligence techniques can reduce the human effort
required to build these systems and can improve their performance.
Learning and induction are used to improve the performance of search
problems, while clustering has been used for data analysis and
reduction. AI has recently been used in Intrusion Detection (ID) for
anomaly detection, data reduction and induction, or discovery, of
rules explaining audit data. We survey uses of artificial
intelligence methods in ID, and present an example using feature
selection to improve the classification of network connections. The
network connection classification problem is related to ID since
intruders can create "private" communications services undetectable by
normal means. We also explore some areas where AI techniques may
further improve IDSs.
Title: Analysis of an Algorithm for Distributed Recognition and Accountability
Authors: Calvin Ko Deborah A. Frincke Terrence Goan Jr. L. Todd Heberlein Karl Levitt Biswanath Mukherjee & Christopher Wee
Abstract:
- Computer and network systems are vulnerable to attacks. Abandoning
the existing huge infrastructure of possibly-insecure computer and
network systems is impossible, and replacing them by totally secure
systems may not be feasible or cost effective. A common element in
many attacks is that a single user will often attempt to intrude upon
multiple resources throughout a network. Detecting the attack can
become significantly easier by compiling and integrating evidence of
such intrusion attempts across the network rather than attempting to
assess the situation from the vantage point of only a single host. To
solve this problem, we suggest an approach for distributed recognition
and accountability (DRA), which consists of algorithms which
"process", at a central location, distributed and asynchronous
"reports" generated by computers (or a subset thereof) throughout the
network. Our highest-priority objectives are to observe ways by which
an individual moves around in a network of computers, including
changing user names to possibly hide his/her true identity, and to
associate all activities of multiple instances of the same
individual to the same network-wide user. We present the DRA
algorithm and a sketch of its proof under an initial set of
simplifying albeit realistic assumptions. Later, we relax these
assumptions to accommodate pragmatic aspects such as missing or
delayed "reports", clock skew, tampered "reports", etc. We believe
that such algorithms will have widespread applications in the future,
particularly in intrusion-detection systems.
Title: Intrusion Detection In Computers
Authors: Victor H. Marshall
Abstract:
- Summary of the Trusted Information Systems (TIS) report on intrusion
detection systems. Computer system security officials
typically have very few, if any, good automated tools to gather
and process auditing information on potential computer system
intruders. It is most challenging to determine just what actions
constitute potential intrusion in a complex mainframe computer
environment. Trusted Information Systems (TIS), Inc. recently
completed a survey to determine what auditing tools are available
and what further research is needed to develop automated systems
that will reliably detect intruders on mainframe computer
systems. Their report #348 was done for the Air Force and
includes details on nine specific software tools for intrusion
detection.
Title: USTAT: A Real Time Intrusion Detection System for UNIX
Authors: Koral Ilgun
Abstract:
- This thesis presents the design and implementation of a real-time intrusion
detection tool called USTAT, a State Transition Analysis Tool for UNIX. The
original design was first developed by Phillip A. Porras and presented in
[Porr91] as STAT, a State Transition Analysis Tool. STAT is a new model for
representing computer penetrations, and the model is applied to the
development of a real-time intrusion detection tool. In STAT, a
penetration is identified as a sequence of state changes that take the
computer system from some initial state to a target compromised state.
In this document, the development of the first USTAT prototype, which is
for SunOS 4.1.1, is described. USTAT makes use of the audit trails that are
collected by the C2 Basic Security Module of SunOS, and it keeps track of
only those critical actions that must occur for the successful completion
of the penetration. This approach differs from other rule-based penetration
identification tools that pattern match sequences of audit
records.
|