6 citations found.
S. Kumar. Classification and Detection of Computer Intrusions. PhD thesis, Dept. of Computer Science, Purdue University, August 1995.

This paper is cited in the following contexts:
Fast Multipattern Search Algorithms for Intrusion Detection - Kuri, Navarro, Mé (1999)   (1 citation)

....to the typical k values, it is important to avoid false positives (i.e. triggering unnecessary alarms for sequences that do not really represent an attack because k is too large) and to avoid false negatives (i.e. missing true attacks). Empirical values of k are typically between 6 and 10. See [17, 14, 13] for justifications of all these values. An extended version of this problem (namely searching allowing k differences, or allowing edit distance at most k) has received a lot of attention in the last decades [23] and some of the algorithms can be particularized to solve this problem for one ....

....are free from security flaws. Computer systems suffer from security vulnerabilities regardless of their purpose, manufacturer or origin. It is both technically hard and economically costly to ensure that systems are not susceptible to attacks. Two approaches have been proposed to address the problem [17, 9, 14]. A first approach, anomaly detection, suggests that user's activity in the system can be characterized so that a profile of normal utilization of the system is established and excursions from this profile are tagged as potential intrusions, or attacks in a more general sense. This approach ....

S. Kumar. Classification and Detection of Computer Intrusions. PhD thesis, Dept. of Computer Science, Purdue University, August 1995.


Machine Learning Techniques for the Computer Security Domain of.. - Lane (2000)   (5 citations)

....intruder penetrating the computer system from outside, but more recent investigations have broader scopes. Kumar, for example, defines anomaly detection as follows: Anomaly detection attempts to quantify the usual or acceptable behavior and flags other irregular behavior as potentially intrusive [75]. Under this definition, the scope of anomaly detection encompasses not only violations by an outsider but also anomalies arising from violations on the part of an authorized user (the trusted insider threat). Under this definition, anomaly detection is distinct from misuse detection which attempts ....

....of known attacks, generated by hand from the experience of human operators. This is both labor intensive and suffers from inability to detect previously unknown attack patterns. Nonetheless, some extant systems rely primarily on such rule bases for anomaly detection. Purdue's IDIOT system [15, 75] uses colored petri net models as attack patterns, while the GrIDS [77, 78] system employs subgraph matching rules to examine network interconnection graphs. Such models are expressive and powerful, but, to date, the attack pattern models must still be generated by hand. Signature based detectors ....

S. Kumar. Classification and detection of computer intrusions. PhD thesis, Purdue University, W. Lafayette, IN, 1995.


Doing Intrusion Detection Using Embedded Sensors - Zamboni (2000)   (2 citations)

....privileges to perform unauthorized actions, or attempting to do so. A more accurate phrase to use is intrusion and insider abuse detection. In this document I use the term intrusion to mean both intrusion and insider abuse. I also use the categorization of intrusion detection as provided by Kumar [29]: Signature based detection: Detection is performed by looking for well defined patterns of attack that exploit weaknesses in the system. The attack patterns are usually referred to as the signature of an intrusion. This type of detection was called misuse detection by Kumar. Anomaly ....

....data generated by the host. One of the first host based intrusion detection systems implemented was IDES [15, 16, 31, 34] which used both a statistical detection engine based on Denning's model [14] and a rule-based expert system for detecting known intrusions by their signatures [35]. Kumar [29] used pattern matching techniques to detect and classify attacks. More recently, Forrest et al. [18] have applied classification techniques to sequences of Unix system calls to identify anomalous behavior in Unix processes. Also, Lane and Brodley [30] have used classification of command sequences to ....

Sandeep Kumar. Classification and Detection of Computer Intrusions. PhD thesis, Purdue University, West Lafayette, IN 47907, 1995. URL ftp://coast.cs.purdue.edu/pub/COAST/papers/sandeep-kumar/kumar-intdet-phddiss.ps.Z.


Fast Multipattern Search Algorithms for Intrusion Detection - Kuri, Navarro (1999)   (1 citation)

....because they have solved analog problems in domains as computational biology and information retrieval. In intrusion detection, pattern matching algorithms have been proposed as search engines in two different intrusion detection models. One is based in the concept of state transition analysis [9, 12] and the other uses the computer immunology approach proposed in [8]. We give an example to illustrate how the pattern matching algorithms presented below can be used to solve an intrusion detection problem. Auditable events in the target system can be seen as letters of an alphabet and the ....

S. Kumar. Classification and Detection of Computer Intrusions. PhD thesis, Dept. of Computer Science, Purdue University, August 1995.


An Architecture for Intrusion Detection using.. - Balasubramaniyan.. (1998)   (57 citations)

....every agent must process the whole audit trail, which is probably a waste of processing resources. Another possibility is to embed the agents within a central audit server that passes appropriate records to appropriate agents. A version of this approach has successfully been used in the IDIOT IDS [2, 15]. One problem is that this model only supports the push mechanism of client server interaction. This means that the server sends events to the agents as they become available. If an agent is not ready to receive events, those events are lost, unless the agent implements synchronization and ....

Sandeep Kumar. Classification and Detection of Computer Intrusions. PhD thesis, Purdue University, West Lafayette, IN 47907, 1995.


Research in Intrusion-Detection Systems: A Survey - Axelsson (1998)   (18 citations)

....nature of the intrusions the system should be able to classify, and the nature of the intrusions the intrusion detection system itself should be able to withstand. 16 Papers that do address the question of the nature of the computer security intrusion are [36, 37] and more specifically [38] and [32]. A paper that concerns itself with the nature of attacks against intrusion detection systems themselves, is [49] The role, and capabilities of the SSO The reliance on some SSO to handle the final arbitration, and response to the intrusion. 17 The specific role of the SSO has not been well ....

....cases could be more thorough, but given the current state of affairs, one must of course be satisfied with the fact that the authors make any claims of the effectiveness, and efficiency of the system at all. 2.13 IDIOT An application of petri nets to intrusion detection 2.13.1 Introduction IDIOT [6, 32-35], is a system developed at COAST, University of Purdue, IN, USA. The basic idea behind IDIOT is to employ coloured Petri nets for signature based intrusion detection. The authors suggest that a layered approach be taken when applying signature (pattern matching) based techniques to the problem of ....

[Article contains additional citation context not shown here]

Sandeep Kumar. Classification and Detection of Computer Intrusions. PhD thesis, Purdue University, West Lafayette, Indiana, August 1995.
