Paul Helman and Gunar Liepins. Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse. In IEEE Transactions on Software Engineering, volume Vol 19, No. 9, pages 886--901, 1993.
....Basic Security Module [47] Other possible input streams are system call traces and UNIX syslog messages. The detection process can be performed according to different techniques. For example, it is possible to use statistical measures to characterize the normal behavior of users and applications [13, 23, 29]. Deviations from the established profiles are assumed to be evidence of an attack. The problem with these approaches is the difficulty to create a reliable model of the application behavior. An imprecise model may lead to both missed detections (called false negatives) and false alarms (called ....
P. Helman and G. Liepins. Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse. In IEEE Transactions on Software Engineering, volume Vol 19, No. 9, pages 886--901, 1993.
....different approaches: anomaly detection and misuse detection. Anomaly detection relies on models of the normal behavior of a computer system. These models may focus on the users, the applications, or the network. Behavior profiles may be built by performing statistical analysis on historical data [12, 17] or by using rule based approaches to specify behavior patterns [19, 34, 35, 26] Anomaly detection compares actual usage patterns against the established profiles to identify abnormal patterns of activity. Misuse detection systems take a complementary approach. The detection tools are equipped ....
Paul Helman and Gunar Liepins. Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse. In IEEE Transactions on Software Engineering, volume Vol 19, No. 9, pages 886-901, 1993.
....detection system. Since the publication of her model, intrusion detection researchers have applied a wide variety of methods to detect anomalous activity. The earliest proposed methods for intrusion detection focused on the application of statistical methods to identify anomalous activity [5]. Many early systems [6, 7, 8, 9] employed this method. In addition, a number of on going projects [10, 11, 12, 13] continue to employ statistical methods for anomaly detection, typically in combination with other methods. More recent anomaly detection methods employ a wide variety of ....
Helman, P. and Liepins, G. E., "Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse," IEEE Transactions on Software Engineering, vol. 19, pp. 886-901, 1993.
....false alarms, because the anomaly detection tool does not really report intrusions but rather anomalous behavior. Another disadvantage is that the implementation can become computationally ineffective. Few articles focus on the problems and limitations of anomaly detection. Helman and Liepins [HL93] made an attempt to quantify the powers and limitations of anomaly detection by creating a formal model for the detection process. Several papers describe approaches that address one or more problems, e.g. Warrender et al. [WFP99] address the false alarm rate problem and Lane and Brodley [LB98] ....
Paul Helman and Gunar Liepins. Statistical foundations of audit trail analysis for the detection of computer misuse. In IEEE Transactions on Software Engineering, volume 19, pages 886--901, September 1993. ISSN: 0098-5589.
.... and how do we ensure this? Transparency How intrusive is the fielding of the intrusion detection system to the organisation employing it? How many resources will it consume in terms of manpower, etc? While interest is being shown in some of these issues, with a few notable exceptions mainly [7] they remain largely unaddressed by the research community. This is perhaps not surprising, since many of these questions are difficult to formulate and answer. For a detailed and thorough survey of research into intrusion detection systems to date see [2] This paper is concerned with one aspect of ....
....results have been published, and the data is unavailable for independent evaluation because of U.S. export restrictions. We have chosen two recent publications [10, 21] on the effectiveness of several policy-based methods, and one theoretically advanced treatise on anomaly based methods [7], on which to base our evaluation. The first study [21] lists test results for six different intrusion detection methods that have been applied to traces of system calls made into the operating system kernel by nine different privileged applications in a Unix environment. Most of these traces were ....
[Article contains additional citation context not shown here]
P. Helman and G. Liepins. Statistical foundations of audit trail analysis for the detection of computer misuse. IEEE Transactions on Software Engineering, 19(9):886-901, Sept. 1993.
....as a realization of the idea in which two alert levels are set. At the first alert level, we isolate users accesses when a suspicious behavior is discovered. At the second level, we reject users accesses when an intrusion is reported. Multi level isolation schemes are certainly possible. In [HL93] and [HLR92] a probabilistic model of intrusion detection is proposed in which (1) computer use is modeled as a mixture of two specific stochastic processes that generate, respectively, normal actions and misuse actions; and (2) the objective of intrusion detection is to identify the actions ....
.... model, however, in our model the access history of a user, instead of computer use, is modeled as a stochastic process, and the stochastic process is a mapping from discrete time units to a space of two specific values, namely, TRUSTWORTHY, and MALICIOUS, whereas the stochastic processes in [HL93] and [HLR92] reflect a mapping from discrete time units to a finite action space. Moreover, our model is based on behaviors which are a sequence of actions, whereas the model presented in [HL93] and [HLR92] is based on single actions. In [HL93] and [HLR92] actions are called transactions. 28 ....
[Article contains additional citation context not shown here]
P. Helman and G. Liepins. Statistical foundations of audit trail analysis for the detection of computer misuse. IEEE Transactions on Software Engineering, 19(9):886-901, 1993.
....noted in section 3.2, the question of what data to log in order to detect intrusions of varying kinds is still open. We also know little of the way different intrusions manifest themselves when logged by different means. Once again the literature is hardly extensive, although for example [ALGJ98, HL93, LB98] have touched on some of the issues presented in this section, albeit from different angles. 3.4 Decision rule Having made the coordinate transformation in the previous step we then need to decide on a threshold to distinguish between H0 and H1. Of course in the case of a discrete ....
Paul Helman and Gunar Liepins. Statistical foundations of audit trail analysis for the detection of computer misuse. IEEE Transactions on Software Engineering, 19(9):886--901, September 1993.
....an amount of traffic that is to varying degrees similar to the subject we wish to observe. However, we have found no study that goes into detail on the subject of what normal traffic one might expect under what circumstances. Although one paper states that in general it is probably not possible [HL93] we are not as pessimistic. With a sufficiently narrow assumption of operational parameters for the system, we believe useful results can be achieved. This brings us to the results of the security logging in other words what can we observe and what we suspect we should observe given an ....
....observe and what we suspect we should observe given an idea of the nature of the security violation, background behaviour, and observation mechanism. One issue, for example, is precisely what data to commit to our security log. Again the literature is scarce, although for instance [ALGJ98, HL93, LB98] address some of the issues, albeit from different angles. How then to formulate the rule that governs our intrusion detection decision? Perhaps unsurprisingly given the state of research into the previous issues, this also has not been thoroughly addressed. More often than not we have to ....
[Article contains additional citation context not shown here]
Paul Helman and Gunar Liepins. Statistical foundations of audit trail analysis for the detection of computer misuse. IEEE Transactions on Software Engineering, 19(9):886--901, September 1993.
....26] Statistical Analysis involves statistical comparison of current events to a predetermined set of baseline criteria. The technique is most often employed in the detection of deviations from typical behavior and determination of the similarity of events to those which are indicative of an attack [14]. Neural networks were specifically proposed to identify the typical characteristics of system users and identify statistically significant variations from the user's established behavior. Artificial neural networks have also been proposed for use in the detection of computer viruses. In [7] and ....
Helman, P. and Liepins, G., (1993). Statistical foundations of audit trail analysis for the detection of computer misuse, IEEE Trans. on Software Engineering, 19(9):886-901.
No context found.
Paul Helman and Gunar Liepins. Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse. In IEEE Transactions on Software Engineering, volume Vol 19, No. 9, pages 886--901, 1993.
No context found.
Paul Helman and Gunar Liepins. Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse. In IEEE Transactions on Software Engineering, volume Vol 19, No. 9, pages 886--901, 1993.