23 citations found.
T. Lunt. Detecting intruders in computer systems. In Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.


This paper is cited in the following contexts:
Evolving and Managing Trust in Grid Computing Systems - Farag Azzedin And (2002)   (1 citation)

....using the resources, c) going to places out of the allocated boundary, and (d) instantiating tasks they are not supposed to instantiate. Such intrusions can be detected by audit data [HaC92] generated by the operating system or post mortem analysis tool such as Intrusion Detection systems (IDSs) [Lun93, SmW94]. Determining to what degree and what violates a TL depends on each domain's local security policies and practices. For example, leaving behind data on a storage media might have different affect on different domains because of the storage variability each domain owns. A domain that owns a huge ....

....about D j as shown in Table 3. Once the transaction between D i and D j starts, D i evaluates the direct trust relationship with D j (i.e. D i updates its DTT) by examining whether D j abides by its RTL. D i does this evaluation by two mechanisms: a) using an audit trail analysis [Lun93] to determine if D j is an abusive domain by detecting failed commands issued by D j , and (b) monitoring sequences of system calls to detect an abnormal behavior of D j [HoF98] Assume that D i has a classification system to classify the behavior of other domains as shown in Table 4. Furthermore, ....

T. F. Lunt, "Detecting intruders in computer systems, " Conference on auditing and computer technology, 1993.


Fuzzy Data Mining And Genetic Algorithms Applied To Intrusion.. - Bridges (2000)

....an intrusion alarm is produced. Artificial intelligence (AI) techniques have been applied to both misuse detection and anomaly detection. Rule based expert systems have served as the basis for several systems including SRI's Intrusion Detection Expert System (IDES)[2]. These systems encode an expert's knowledge of known patterns of attack and system vulnerabilities as if-then rules. The acquisition of these rules is a tedious and error prone process; this problem (known as the knowledge acquisition bottleneck in expert system literature) has generated a great ....

....for two major reasons. First, many quantitative features are involved in intrusion detection. SRI's Next-generation Intrusion Detection Expert System (NIDES) categorizes security related statistical measurements into four types: ordinal, categorical, binary categorical, and linear categorical [2]. Both ordinal and linear categorical measurements are quantitative features that can potentially be viewed as fuzzy variables. Two examples of ordinal measurements are the CPU usage time and the connection duration. An example of a linear categorical measurement is the number of different TCP UDP ....

Lunt, T. 1993. Detecting intruders in computer systems. In Proceedings of 1993 conference on auditing and computer technology. (Downloaded from http://www2.csl.sri.com/nides/index5.html on 3 February 1999.)


Computer System Intrusion Detection: A Survey - Bechard (1999)   (2 citations)

....length of interactive session or number of messages emitted into a network per unit time, and representative sequences of actions. Dimensions may be specific to the type of the entity with which behavior is associated. Typical entity types are users, workstations, or remote hosts as in NIDES [Anderson95a,b, Javitz93, Lunt93a] or even applications, as in SRI Safeguard [Anderson93]. An intrusion detection system develops a unique base profile (typically based on observed behavior) for each individual entity that it recognizes. It assumes that the profile is untainted by intrusive ....

....falls within observed base profile bounds, it will not be recognized as anomalous. An intruder masquerading as a diverse user would be much more difficult to detect because that user's base profile bounds are larger. 3.2.1 NIDES The Next-generation Intrusion Detection Expert System (NIDES) [Anderson95a,b, Javitz93, Lunt93a], developed by SRI, contains a statistical dynamic anomaly detector. NIDES builds statistical profiles of users, though the entities monitored can also be workstations, network of workstations, remote hosts, groups of users, or application programs. NIDES uses ....

Lunt, T.F. "Detecting Intruders in Computer Systems."


Towards Survivable Intrusion Detection - Wang, Knight (2000)

....and argues that protection of the IDS itself must be dealt with before it can be relied upon to provide the security that is expected. We also outline possible solution techniques and implementation strategies. 2. Dissecting the problem Figure 1 shows a model that is used in many ID schemes [2][7][10][11]. In this model, event information is collected, preprocessed, and then subjected to intrusion analysis. The results of the analysis are made available via a report facility. The components of the system that perform the analysis and reporting execute typically on dedicated hosts whose ....

T. Lunt, "Detecting Intruders in Computer Systems", In the proceeding of Conference on Auditing and Computer Technology. Canada 1993.


Adaptive Intrusion Detection: a Data Mining Approach - Lee, Stolfo, Mok (2000)   (7 citations)

....overflow vulnerabilities) to match and identify intrusions. The sequence of attack actions, the conditions that compromise a system's security, as well as the evidence (e.g. damage) left behind by intrusions can be represented by a number of general pattern matching models. For example, NIDES (Lunt, 1993) uses rules to describe attack actions, STAT (Ilgun et al. 1995) uses state transition diagrams to model general states of the system and access control violations, and IDIOT (Kumar and Spafford, 1995) uses Colored Petri nets to represent intrusion signatures as sequences of events on the target ....

....DETECTION SYSTEMS Currently there is no systematic approach for building intrusion detection systems, nor any generally agreed upon evaluation metric for measuring their effectiveness. System builders' intuition and experience guide the selection of the statistical measures for anomaly detection (Lunt, 1993). Experts need to analyze and categorize attack scenarios and system vulnerabilities, and hand code the corresponding rules and patterns for misuse detection. In today's network computing environment, there are multiple penetration points for intrusions to take place. For example, at the ....

Lunt, T.: 1993, `Detecting Intruders in Computer Systems'. In: Proceedings of the 1993 Conference on Auditing and Computer Technology.


Some Practical and Fundamental Problems with Anomaly Detection - Lundin, Jonsson   (2 citations)

....Many papers have surveyed and classified different characteristics of intrusion detection systems, e.g. [HB95] and [DDW99]. One of the largest and probably most successful research efforts on anomaly detection is the NIDES project at the SRI. Lunt describes the main concepts and ideas in [Lun93]. NIDES consists of a statistical anomaly detection component described in detail in [JV94] and an expert system 1 for misuse detection. Another large anomaly detection project was Wisdom and Sense [VL89] at Los Alamos National Laboratory. The main advantages of anomaly detection are that it ....

Teresa F. Lunt. Detecting intruders in computer systems. In Conference on Auditing and Computer Technology, 1993. Available for download at: http://www.sdl.sri.com/nides/index5.html.


Generation of Application Level Audit Data via Library.. - Kuperman, Spafford (1999)   (4 citations)

....detects and prevents some forms of buffer overflow attacks is also introduced. This second prototype library was able to successfully detect and prevent several buffer overflow attacks against privileged programs. 1 Motivation Researchers in Intrusion detection have stated (Kumar [1], Lunt [2], Price [3]) that there is a desire or need by software developers in the intrusion detection community for an increase in the amount of application level audit data available for their use. Frequently, applications report audit information only when their programmers insert specific instructions ....

Teresa F. Lunt. Detecting intruders in computer systems. In Proceedings of the Sixth Annual Symposium and Technical Displays on Physical and Electronic Security, 1990.


A Data Mining Framework for Constructing Features and Models for.. - Lee (1999)   (17 citations)

....Therefore it is imperative that IDSs be adapted to new attack methods frequently and in a timely manner. Currently, building an effective IDS is an enormous knowledge engineering task. System builders rely on their intuition and experience to select the statistical measures for anomaly detection [Lunt, 1993]. Experts first analyze and categorize attack scenarios and system vulnerabilities, and hand code the corresponding rules and patterns for misuse detection. Because of the manual and ad hoc nature of the development process, current IDSs have limited extensibility and adaptability. 1.1 Problem ....

....other resources of interest in a system, and observing the actual activities as reported in the audit data to ultimately detect any significant deviations from these profiles. Most anomaly detection approaches are statistical in nature. For example, in SRI's IDES [Lunt et al. 1992] and NIDES [Lunt, 1993] a user's normal profile consists of a set of statistical measures. The measures used in NIDES are of the following types [Lunt, 1993]. Ordinal measure: A count of some numerically quantifiable aspect of observed behavior. For example, the amount of CPU time used and the number of audit ....

[Article contains additional citation context not shown here]

T. Lunt. Detecting intruders in computer systems. In Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.


Information-Theoretic Measures for Anomaly Detection - Lee, Xiang (2001)   (16 citations)

....studying the characteristic of the data and then selecting a model that best utilizes the characteristic. However, due to the lack of theoretical understandings and useful tools for characterizing audit data, most anomaly detection models are built based solely on expert knowledge or intuition [19], which is often imprecise and incomplete given the complexities of today's network environments. As a result, the effectiveness of the models is limited. More seriously, a lot of research in anomaly detection (and intrusion detection in general) has been focusing on a specific (and ad hoc) method ....

T. Lunt. Detecting intruders in computer systems. In Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.


A Data Mining Framework for Building Intrusion Detection Models - Lee, Stolfo, Mok (1999)   (52 citations)

....are continuously being discovered. Therefore it is imperative that IDSs be updated frequently and timely. Currently building an effective IDS is an enormous knowledge engineering task. System builders rely on their intuition and experience to select the statistical measures for anomaly detection [13]. Experts first analyze and categorize attack scenarios and system vulnerabilities, and hand code the corresponding rules and patterns for misuse detection. Because of the manual and ad hoc nature of the development process, current IDSs have limited extensibility and adaptability. Many IDSs only ....

T. Lunt. Detecting intruders in computer systems. In Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.


A Framework for Constructing Features and Models for Intrusion.. - Lee, Stolfo (2000)   (18 citations)

....Therefore IDSs need to be adaptive in such a way that frequent and timely updates are possible. Currently building an effective IDS is an enormous knowledge engineering task. System builders rely on their intuition and experience to select the statistical measures for anomaly detection [Lunt 1993]. Experts first analyze and categorize attack scenarios and system vulnerabilities, and hand code the corresponding rules and patterns for misuse detection. Because of the manual and ad hoc nature of the development process, current IDSs have limited extensibility and adaptability. Many IDSs only ....

Lunt, T. 1993. Detecting intruders in computer systems. In Proceedings of the 1993 Conference on Auditing and Computer Technology (1993).


A Layered Framework For Placement Of Distributed Intrusion.. - Medina (1998)   (2 citations)

..... External users not authorized to use the systems . Internal users not authorized to use some resources a) Masquerades impersonate other user b) Clandestine evade auditing . Misfeasors who misuse their privileges Teresa Lunt described extensively techniques against masquerades [2]. Clandestine intruders are a potential threat for weak security operating systems (OSes) and badly managed systems. The threat of clandestine intruders should be treated by the OS with better control of audit processes and more secure OS implementations. External intruders are the focus for ....

....are originated or how they are authenticated. This maximizes the coverage of system. Types of Intrusion Detection Intrusion detection consists of several techniques to trace unauthorized use of resources. These techniques are based on the study of audit trails and network traffic; Teresa Lunt [2] characterized the study of intrusion detection in three types: Real time testing of audit data . In depth off line (after the fact) analysis of audit data . Subsequent analysis of the audit data for damage assessment This paper focuses on the real time testing of audit data. The intent is ....

T.F. Lunt, Detecting Intruders in Computer Systems. In Proceedings of the 19th National Information Systems Security Conference, October 1988.


Intrusion Detection using Sequences of System Calls - Hofmeyr, Forrest, Somayaji (1998)   (56 citations)

....data on the dynamic state of the system. Selecting a set of dynamic behavioral characteristics to monitor is a key design decision for an IDS, one which will influence the types of analyzes that can be performed and the amount of data that will be collected. Most systems (for example, IDES NIDES [30, 31, 4], Wisdom Sense [29] and TIM [35]) collect profiles of user behavior, generated by audit logs. Other systems look at network traffic, for example, NSM and the system presented in [19]. Other approaches attempt to characterize the behavior of privileged processes, as in the program specification ....

T. F. Lunt. Detecting intruders in computer systems. In Conference on Auditing and Computer Technology, 1993.


An Immunological Model of Distributed Detection and Its.. - Hofmeyr (1999)   (20 citations)

....and implementation is always subject to error. It is generally agreed that implementing and maintaining secure computer systems is difficult, in that we have no way of ensuring that a certain level of security has been achieved [Frank, 1994, Crosbie Spafford, 1994, Kumar Spafford, 1994, Lunt, 1993, Anderson, et al. 1995, Blakely, 1997]. Security holes are exploited by intruders breaking into systems, or by viruses or worms. Such holes are often the result of faults or design flaws in system or application software, or in the specification or implementation of security policies. Even if it ....

Lunt, T. F. (1993). Detecting intruders in computer systems. In Conference on Auditing and Computer Technology.


A Data Mining Framework for Adaptive Intrusion Detection - Lee, Stolfo, Mok (1998)   (4 citations)

....overflow vulnerabilities) to match and identify intrusions. The sequence of attack actions, the conditions that compromise a system's security, as well as the evidence (e.g. damage) left behind by intrusions can be represented by a number of general pattern matching models, for example, NIDES [Lun93] uses rules, STAT [IKP95] uses state transition diagrams [IKP95] and [KS95] uses Colored Petri nets. The key advantage of misuse detection systems is that once the patterns of known intrusions are stored, future instances of these intrusions can be detected effectively and efficiently. However, ....

....attacks will likely go undetected. 2.3 Difficulties in Building Intrusion Detection Systems Currently there is no systematic approach for building intrusion detection systems. A system builder's intuition and experience guides the selection of the statistical measures for anomaly detection [Lun93]. Experts need to analyze and categorize attack scenarios and system vulnerabilities, and hand code the corresponding rules and patterns for misuse detection. In today's network computing environment, there are multiple penetration points for intrusions to take place. For example, at the ....

Teresa F. Lunt. Detecting intruders in computer systems. In Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.


A Data Mining Framework for Building Intrusion Detection Models - Lee, Stolfo, Mok (1999)   (52 citations)

....are continuously being discovered. Therefore it is imperative that IDSs be updated frequently and timely. Currently building an effective IDS is an enormous knowledge engineering task. System builders rely on their intuition and experience to select the statistical measures for anomaly detection [14]. Experts first analyze and categorize attack scenarios and system vulnerabilities, and hand code the corresponding rules and patterns for misuse detection. Because of the manual and ad hoc nature of the development process, current IDSs have limited extensibility and adaptability. Many IDSs only ....

Teresa F. Lunt. Detecting intruders in computer systems. In Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.


Automated Intrusion Detection Methods Using NFR - Lee, Park, Stolfo (1999)

....being discovered. Therefore, it is imperative that IDSs be updated frequently and rapidly. Currently building an effective IDS is an enormous knowledge engineering task. System builders largely rely on their intuition and experience to select the statistical measures for anomaly detection [8]. Many IDSs only handle one particular audit data source, and updating these systems is expensive and slow. Some of the recent research and commercial IDSs have begun to provide built in mechanisms for customization and extension. The Network Flight Recorder (NFR) is one such extensible system ....

Teresa F. Lunt. Detecting intruders in computer systems. In Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.


Intrusion Detection using Sequences of System Calls - Hofmeyr, Forrest, Somayaji (1998)   (56 citations)

....data on the dynamic state of the system. Selecting a set of dynamic behavioral characteristics to monitor is a key design decision for an IDS, one which will influence the types of analyses that can be performed and the amount of data that will be collected. Most systems (for example, IDES NIDES [34], [35], [5], Wisdom Sense [33] and TIM [39]) collect profiles of user behavior, generated by audit logs. Other systems look at network traffic, for example, NSM and the system presented in [23]. Other approaches attempt to characterize the behavior of privileged processes, as in the program ....

Lunt T F. Detecting Intruders in Computer Systems. In Conference on Auditing and Computer Technology, 1993.


Intrusion Detection Systems Using Decision Trees and.. - Sandhya..

No context found.

T. Lunt. Detecting intruders in computer systems. In Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.


A Framework for Mining Instant Messaging Services - Resig, Teredesai (2004)

No context found.

Lunt, T. F. Detecting Intruders in Computer Systems. In Proceedings of the Sixth Annual Symposium and Technical Displays on Physical and Electronic Security (1990).


Intrusion Detection: A Study - Blomqvist, Skantze (1995)   (1 citation)

No context found.

Teresa F. Lunt. Detecting Intruders in Computer Systems. In Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.


Active Network Security - Verwoerd (1999)

No context found.

Teresa F. Lunt. "Detecting intruders in computer systems". 1993 Conference on Auditing and Computer Technology, 1993. http://www.raptor.com/lib/canada93.ps


A Security Architecture for Survivability Mechanisms - Wang (2000)   (16 citations)

No context found.

T. Lunt. "Detecting Intruders in Computer Systems". In the conference record of the 1993 Conference on Auditing and Computer Technology. 1993.


CiteSeer.IST - Copyright Penn State and NEC