| G. Vigna, S. Eckmann, and R. Kemmerer. The stat tool suite. In Proceedings of DISCEX, 2000. |
....complement the network-based sensors by monitoring events at the operating system level. EMERALD eXpert BSM [15] analyzes the audit records generated by the Sun Solaris Basic Security Module (BSM) to perform real time signature based detection. We are investigating deploying STAT host-based monitors [31] and Real Secure sensors [12] to monitor the other operating system platforms, including Windows. The generated alerts must be in a common format, such as IDMEF [5] accepted by the correlation engines. Host based application level sensors couple with an application to obtain high level, ....
G. Vigna, S. Eckmann, and R. Kemmerer. The STAT tool suite. In DISCEX 2000. IEEE press, Jan. 2000.
....Adaptive Intrusion Tolerant Server Architecture # Alfonso Valdes Magnus Almgren Steven Cheung Yves Deswarte Bruno Dutertre Joshua Levy Hassen Sadi Victoria Stavridou Tomas E. Uribe System Design Laboratory, SRI International, 333 Ravenswood Ave. Menlo Park, CA 94025 Contact Author: Alfonso Valdes Email: valdes sdl.sri.com Phone: (650) 859 4976; FAX: (650) 859 2844 December 10, 2001 Abstract We describe a general architecture for intrusion tolerant enterprise systems and the implementation of an intrusion tolerant Web server as a specific instance. ....
....Architecture # Alfonso Valdes Magnus Almgren Steven Cheung Yves Deswarte Bruno Dutertre Joshua Levy Hassen Sadi Victoria Stavridou Tomas E. Uribe System Design Laboratory, SRI International, 333 Ravenswood Ave. Menlo Park, CA 94025 Contact Author: Alfonso Valdes Email: valdes sdl.sri.com Phone: (650) 859 4976; FAX: (650) 859 2844 December 10, 2001 Abstract We describe a general architecture for intrusion tolerant enterprise systems and the implementation of an intrusion tolerant Web server as a specific instance. The architecture comprises functionally redundant COTS servers running on ....
[Article contains additional citation context not shown here]
G. Vigna, S. Eckmann, and R. Kemmerer. The STAT tool suite. In DISCEX
....as a character, the audit trail a main string and the scenarios as sub strings to locate in this main string. Thus the attack is represented as a regular expression and pattern matching can do detection. A state transition approach (which may be boiled down to a regular expression) as used in STAT [16], USTAT [17] NetSTAT [18] Graph-based detection trying to build a graph with particular events, as used in GrIDS (Graph-based Intrusion Detection System) [19] and Petri Nets approaches are variants of the same. Thus, these classifications try to define the various dimensions of an intrusion ....
G. Vigna, S. T. Eckmann, and R. A. Kemmerer, "The STAT Tool Suite," Proceedings of DISCEX 2000, Hilton Head Island, January 2000, IEEE Press, New York 2000.
No context found.
G. Vigna, S. Eckmann, and R. Kemmerer. The STAT Tool Suite. In Proceedings of DISCEX 2000.
....system that detects attacks that are initiated by malicious Java code. To implement our system, we leveraged two existing technologies: a high performance, open source, Java Virtual Machine, called JikesRVM [1] and an intrusion detection framework, called STAT, that we developed in prior work [50]. In this paper, we describe the JVM auditing mechanisms and the intrusion detection tool that we implemented, and provide a quantitative evaluation of the performance of our system. In the next section, we place our work in the context of existing approaches to intrusion detection. In Section 3, ....
....and status values, e.g. errno values. 5 Detecting Malicious Java Code The event stream produced by the JikesRVM event logger thread is used by an intrusion detection system to identify possible threats and attacks. The intrusion detection system was developed leveraging the STAT framework [26, 50]. The STAT framework provides a generic signature based intrusion detection engine that can be extended to match a specific environment through a well-defined process. The first step of the extension process includes the definition of a language extension module. This module extends STATL [14] ....
G. Vigna, S. Eckmann, and R. Kemmerer. The STAT Tool Suite. In Proceedings of DISCEX 2000.
....the STAT framework [33] The STAT framework provides a platform for the development of intrusion detection sensors by extending a generic runtime with domain specific components. The STAT framework is centered around three concepts: the STAT technique, the STATL language, and the STAT Core [31]. The STAT technique is used to represent high level descriptions of computer attacks. Attack scenarios are abstracted into states, which describe the security status of a system, and transitions, which model the evolution between states. STATL is an extensible language [7] that is used to ....
G. Vigna, S. Eckmann, and R. Kemmerer. The STAT Tool Suite. In Proceedings of DISCEX 2000, Hilton Head, South Carolina, January 2000. IEEE Computer Society Press.
....and also supports simple decoding of RPC requests. Snort enjoys wide popularity and is well supported by a large community. This paper considers automated translation of Snort rules to STATL scenarios. STAT is a framework developed by the Reliable Software Group at UCSB for building IDSs [6]. The STAT framework includes a domain independent attack description language called STATL [1] The family of IDSs that have been built as STAT extensions includes a network-based system called NetSTAT [7] NetSTAT includes support for the Snort supported protocols and others (e.g. ethernet and ....
G. Vigna, S. Eckmann, and R. Kemmerer. The STAT Tool Suite. In Proceedings of DISCEX
....attacks, and it has been tailored to very different environments, e.g. Sun Microsystems Solaris and Microsoft's Windows NT. An implementation of the runtime support for the STATL language has also been developed and a toolset of intrusion detection systems based on STATL has been implemented [VEK00]. Even though the language was originally developed to support the development of intrusion detection systems based on the State Transition Analysis Technique (STAT) [IKP95] STATL is general and flexible enough to be used as a common language for different misuse detection systems. This report ....
G. Vigna, S. Eckmann, and R. Kemmerer. The STAT Tool Suite. In Proceedings of DISCEX
....attacks, and it has been tailored to very different environments, e.g. Sun Microsystems Solaris and Microsoft's Windows NT. An implementation of the runtime support for the STATL language has also been developed and a toolset of intrusion detection systems based on STATL has been implemented [35]. Even though the language was originally developed to support the development of intrusion detection systems based on the State Transition Analysis Technique (STAT) [15] STATL is general and flexible enough to be used as a common language for different misuse detection systems. This paper ....
....are dynamically loaded into the intrusion detection application at runtime, and the intrusion detection system equipped with the scenario plugins can then process the system's event stream, looking for attack signatures. The details of the compilation translation process are given elsewhere [37, 35]. Section 7 describes the core based STAT toolset in more detail. Developing a family of intrusion detection systems demonstrated that the core based approach supports reuse, portability, extensibility, and customization. In addition, separating the critical domain independent runtime mechanisms ....
G. Vigna, S. Eckmann, and R. Kemmerer. The STAT Tool Suite. In Proceedings of DISCEX 2000, Hilton Head, South Carolina, January 2000. IEEE Computer Society Press.
....Section 6 draws some conclusions and outlines future work. 2 The STAT Framework The STAT framework is the result of the evolution of the original STAT technique and its application to UNIX systems [5 7] into a general framework for the development of STAT based intrusion detection sensors [8]. The STAT Technique. STAT is a technique for representing high level descriptions of computer attacks. Attack scenarios are abstracted into states, which describe the security status of a system, and transitions, which model the evolution between states. By abstracting from the details of ....
....is evaluated. If this assertion is also satisfied then the transition is fired. As a consequence of transition firing the instance may change state or a new instance may be created. Each scenario instance represents an attack in progress. The details of scenario processing are described elsewhere [8]. This situation is presented in Figure 2 (c) where a scenario plugin has been loaded and there are currently four active instances of the scenario. As a scenario evolves from state to state, it may produce some output. A typical case is the generation of an alert when a scenario completes. ....
Vigna, G., Eckmann, S., Kemmerer, R.: The STAT Tool Suite. In: Proceedings of DISCEX 2000, Hilton Head, South Carolina, IEEE Computer Society Press (2000)
....attacks, and it has been tailored to very different environments, e.g. Sun Microsystems Solaris and Microsoft's Windows NT. An implementation of the runtime support for the STATL language has also been developed and a toolset of intrusion detection systems based on STATL has been implemented [31]. Even though the language was originally developed to support the development of intrusion detection systems based on the State Transition Analysis Technique (STAT) [14] STATL is general and flexible enough to be used as a common language for different misuse detection systems. This paper ....
....are dynamically loaded into the intrusion detection application at runtime, and the intrusion detection system equipped with the scenario plugins can then process the system's event stream, looking for attack signatures. The details of the compilation translation process are given elsewhere [33, 31]. The STATL language has been successfully used in describing both network based and host based attacks. In addition the language has been tailored to very different environments, e.g. Sun Microsystems Solaris and Microsoft's Windows NT. Section 6 describes the core based STAT toolset in more ....
[Article contains additional citation context not shown here]
G. Vigna, S. Eckmann, and R. Kemmerer. The STAT Tool Suite. In Proceedings of DISCEX 2000, Hilton Head, South Carolina, January 2000. IEEE Computer Society Press.
No context found.
G. Vigna, S. Eckmann, and R. Kemmerer. The stat tool suite. In Proceedings of DISCEX, 2000.
No context found.
Giovanni Vigna, Steve Eckmann, and Richard A. Kemmerer. The STAT Tool Suite. In Proceedings of DISCEX 2000, Hilton Head, South Carolina, January 2000. IEEE Computer Society Press.
No context found.
G. Vigna, S. Eckmann, and R. A. Kemmerer. The STAT Tool Suite. In Proceedings of DISCEX 2000.
No context found.
G. Vigna, S. Eckmann, and R. Kemmerer. The STAT Tool Suite. In Proc. 1st DARPA Information Survivability Conference and Exposition, Hilton Head, South Carolina, January 2000. IEEE Computer Society Press.
No context found.
G. Vigna, S.T. Eckmann, and R.A. Kemmerer, The STAT Tool Suite, in Proceedings of DISCEX 2000.
No context found.
G. Vigna, S.T. Eckmann, and R.A. Kemmerer, The STAT Tool Suite, in Proceedings of DISCEX 2000.
No context found.
G. Vigna, S. Eckmann, and R. Kemmerer. The STAT Tool Suite. In Proc. 1st DARPA Information Survivability Conference and Exposition, Hilton Head, South Carolina, January 2000. IEEE Computer Society Press.