| Phillip A. Porras and Richard A. Kemmerer. Penetration State Transition Analysis --- A Rule-Based Intrusion Detection Approach. In Proceedings of the Eighth Annual Computer Security Applications Conference, Tucson, AZ, December 1992. |
....are ignored for the purposes of a specific intrusion scenario. If a compromised (final) state is ever reached, an intrusion is said to have occurred. 4.2.1 USTAT USTAT (UNIX State Transition Analysis Tool) provides an excellent illustration of the implementation of the state based approach [Porras92]. USTAT is tailored to the UNIX environment [Ilgun93]. [Figure 3. Generic State Transition Diagram] Each known penetration, or intrusion scenario, is represented in the ....
Porras, P.A. and R.A. Kemmerer. "Penetration State Transition Analysis: A RuleBased Intrusion Detection Approach." Proceedings of the Eighth Annual Computer Security Applications Conference, December 1992.
....detection can be broadly divided into anomaly detection and misuse detection. Anomaly detection based approaches first create a profile that describes normal behaviors and then detect deviations from this profile [Fox90, Lunt88, Lunt92, Anderson95] In contrast, misuse detection based approaches [Porras92, Ilgun93, Kumar94] define and look for precise sequences of events that damage the system. Anomaly detection approaches possess the advantage that learning to identify normal behavior can be automated, but they are prone to false positives, especially when permissible but previously unlearned behavior occurs. ....
P. Porras and R. Kemmerer, Penetration State Transition Analysis - A Rule Based Intrusion Detection Approach, Computer Security Applications Conference, 1992.
....with the total REE size. 8 Related Work 8.1 Host Based Detection Host based techniques are aimed at protecting individual hosts and operate on the basis of information contained in audit logs or other similar sources of data. These techniques can be broadly divided into misuse detection [33, 20], anomaly detection [1, 8, 13] and specification based detection [19, 38]. Among misuse based approaches, a state transition diagram based approach is used in [33] to capture signatures of intrusions. [20] uses colored petri nets to specify intrusive activity. This language is more expressive ....
....contained in audit logs or other similar sources of data. These techniques can be broadly divided into misuse detection [33, 20], anomaly detection [1, 8, 13] and specification based detection [19, 38]. Among misuse based approaches, a state transition diagram based approach is used in [33] to capture signatures of intrusions. [20] uses colored petri nets to specify intrusive activity. This language is more expressive than ours in some ways (e.g. ability to capture occurrence of two concurrent sequences of actions) and less expressive in some other ways (e.g. ability to capture ....
P. Porras and R. Kemmerer, Penetration State Transition Analysis: A Rule based Intrusion Detection Approach, Eighth Annual Computer Security Applications Conference, 1992.
....constant time per system call for most patterns. Our current implementation introduces about 1 to 2 overhead due to the pattern matching operations. The applicability of the techniques developed in this paper extends well beyond our system. For instance, many intrusion detection techniques (e.g. [Kumar95, PK92, Ko96]) are formulated using signature patterns that characterize attacks. In contrast with our approach, the performance of matching algorithms developed in these approaches worsens linearly with the number of patterns. By using the techniques developed in this paper, the performance of these ....
....and automaton size can vary greatly from one set of patterns to another. 7 Related Work 7.1 Intrusion Detection Techniques for prevention of intrusions draw on previous research on (post attack) intrusion detection. Intrusion detection techniques can be broadly divided into misuse detection [PK92, Kumar95], anomaly detection [ALJTV95, FHS97, GSS99] and specification based detection [Ko96, SBS99]. Among misuse based approaches, a state transition diagram based approach is used in [PK92] to capture signatures of intrusions. [Kumar95] uses colored petri nets to specify intrusive activity. This ....
P. Porras and R. Kemmerer, Penetration State Transition Analysis: A Rule based Intrusion Detection Approach, Eighth Annual Computer Security Applications Conference, 1992.
....each system call execution typically involves several hundreds of instructions, thus the overhead of matching using the automaton is small. 1.2. Related Work Intrusion detection techniques can be classified into two classes: misuse detection and anomaly detection. Misuse detection techniques [29, 23, 17] model known attacks using patterns (also known as signatures) and detect them via pattern matching. Their benefit is a high degree of accuracy, and their main drawback is the inability to identify novel attacks. Anomaly detection techniques [1, 5, 20, 24, 4, 8] address this problem by flagging ....
P. Porras and R. Kemmerer, Penetration State Transition Analysis: A Rule based Intrusion Detection Approach, Eighth Annual Computer Security Applications Conference, 1992.
....over the past several years to protect against malicious attacks. A majority of these techniques take the passive approach of offline monitoring of system (or user) activities to identify those activities that deviate from the norm [1, 26, 10, 12, 17, 21] or are otherwise indicative of attacks [14, 18, 22]. More recently, several proactive approaches have emerged. These approaches can prevent or isolate attacks before any damage is caused [9, 13, 20, 28]. Most approaches aimed at preventing intrusions [9, 13, 20, 28] are based on the following observation about attacks: regardless of the nature of ....
P. Porras and R. Kemmerer, Penetration State Transition Analysis: A Rule based Intrusion Detection Approach, Eighth Annual Computer Security Applications Conference, 1992.
....over the past several years to protect against malicious attacks. A majority of these techniques take the passive approach of offline monitoring of system (or user) activities to identify those activities that deviate from the norm [1, 26, 10, 12, 17, 21] or are otherwise indicative of attacks [14, 18, 22]. More recently, several proactive approaches have emerged. These approaches can prevent or isolate attacks before any damage is caused [9, 13, 20, 28]. Most approaches aimed at preventing intrusions [9, 13, 20, 28] are based on the following observation about attacks: regardless of the nature of ....
P. Porras and R. Kemmerer, Penetration State Transition Analysis: A Rule based Intrusion Detection Approach, Eighth Annual Computer Security Applications Conference, 1992.
....among all of the intrusions. $R_i$ is formalized as follows: $R_i = \frac{A_s P_s}{A_s P_s + (1 - A_s) P_g}$. In Example 1, if we keep $P_i$ at 0.90, $R_i$ is 96.5. 2.2 FOR SIGNATURE BASED DETECTION We specify a signature as a sequence of events leading from an initial limited access state to a final compromised state [Porras and Kemmerer, 1992, Ilgun, 1993, Ilgun et al. 1995, Shieh and Gligor, 1991, Shieh and Gligor, 1997, Lin et al. 1998]. Each event causes a state transition from one state to another state. We identify a signature with length $n$, denoted $Sig(n)$, as $Sig(n) = s_0\, E_1\, s_1 \cdots E_n\, s_n$, where $E_i$ is an event and $s_i$ is a ....
Porras, P. and Kemmerer, R. (1992). Penetration state transition analysis: A rule-based intrusion detection approach. In Proceedings of the 8th Annual Computer Security Applications Conference, San Antonio, Texas.
....$R_i$ is formalized as follows: $R_i = \frac{A_s P_s}{A_s P_s + (1 - A_s) P_g}$. In Example 1, if we keep $P_i$ at 0.90, then $R_i$ is 96.5. 2.2 Intrusion Confinement for Signature Based Detection We define a signature as a sequence of events leading from an initial limited access state to a final compromised state [PK92, Ilg93, IKP95, SG91, SG97, LWJ98]. Each event causes a transition from one state to another. We identify a signature with length $n$, denoted $Sig(n)$, as $Sig(n) = s_0\, E_1\, s_1 \cdots E_n\, s_n$, where $E_i$ is an event and $s_i$ is a state, and $E_i$ causes the state transition from $s_{i-1}$ to $s_i$. For ....
....suspicious access actions need not be synchronized. 7 Related Work A substantial body of work has been done on intrusion detection [Lun93, MHL94, LM98] based on either detecting deviations from expected statistical profiles [JV94] or pattern matching against known methods of attack [Ilg93, GL91, PK92, IKP95, SG91, SG97, LWJ98]. In [JV94] the idea of setting multiple alert levels is proposed, where each alert level corresponds to a specific degree of anomaly and different actions are taken at each alert level. However, the issues of what actions should be taken at each level and how to enforce ....
P. A. Porras and R. A. Kemmerer. Penetration state transition analysis: A rule-based intrusion detection approach. In Proceedings of the 8th Annual Computer Security Applications Conference, San Antonio, Texas, December 1992.
.... Multics Intrusion Detection and Alerting System (MIDAS) [25] and Los Alamos Network Anomaly Detection and Intrusion Reporter (NADIR) [11]. Many researchers seek new general methods for intrusion detection, and their contributions are based on a wide range of techniques: state transition analysis [12, 13, 22], AI expert systems [3, 11, 17, 26], statistical profiling [14], immune system models [7, 8], data mining techniques [19], and various mixtures of neural networks, genetic algorithms and fuzzy logic [10, 24]. Many of these approaches have not been robust, or at least it has been difficult to test ....
PA Porras, RA Kemmerer, "Penetration State Transition Analysis: A Rule-Based Intrusion Detection Approach," in Proceedings of the Eighth Annual Computer Security Application Conference, San Antonio, Texas, December 1992, pp 220--229
....Several approaches to misuse detection have been tried in the past. They include language based approaches to represent and detect intrusions [HCMM92], developing an API for the same [Sma95], expert systems [SSHW88, Sma88, BK88] and high level state machines to encode and match signatures [Ilg92, PK92]. We proposed using a pattern matching approach to the representation and detection of intrusion signatures [KS94c]. This approach resulted from a study of a large number of common intrusions with the aim of representing them as signatures [KS94a]. The signatures were then classified into ....
....Sequencing and partial order constraints on events can be represented in a direct declarative manner. Systems that use expert system rules to encode misuse activity only do so indirectly because it is hard or inefficient to specify temporal relationships between facts in rule antecedents. [Ilg92, PK92] permit the specification of state transition diagrams to represent misuse activity but their transition events are high level actions that do not directly correspond to system generated events. ASAX [HCMM92] is the closest to our approach but ASAX is less declarative. In specifying patterns in ....
Phillip A. Porras and Richard A. Kemmerer. Penetration State Transition Analysis -- A Rule-Based Intrusion Detection Approach. In Eighth Annual Computer Security Applications Conference, pages 220--229. IEEE Computer Society Press, November 30 -- December 4 1992.
....be partitioned into two main approaches: misuse detection and anomaly detection. Misuse detection methods attempt to model attacks on a system as specific patterns, then systematically scan the system for occurrences of these patterns [Kumar and Spafford, 1996, Lunt, 1993, Garvey and Lunt, 1991, Porras and Kemmerer, 1992, Ilgun, 1992, Monrose and Rubin, 1997]. This process involves a specific encoding of previous behaviors and actions that were deemed intrusive or malicious. Anomaly detection assumes that intrusions are highly correlated to abnormal behavior exhibited by either a user or an application. The basic ....
Porras, P. and Kemmerer, R. (1992). Penetration state transition analysis - a rule-based intrusion detection approach. In Eighth Annual Computer Security Applications Conference, pages 220--229. IEEE Computer Society Press.
.... Anomaly detection approaches attempt to detect intrusions by noting significant departures from normal behavior [7, 5, 20, 18, 15, 17, 16]. Misuse detection techniques attempt to model attacks on a system as specific patterns, then systematically scan the system for occurrences of these patterns [22, 14, 10, 9, 19]. This process involves a specific encoding of previous behaviors and actions that were deemed intrusive or malicious. It is important to establish the key differences between anomaly detection and misuse detection approaches. The most significant advantage of misuse detection approaches is that ....
P.A. Porras and R.A. Kemmerer. Penetration state transition analysis - a rule-based intrusion detection approach. In Eighth Annual Computer Security Applications Conference, pages 220--229. IEEE Computer Society Press, November 1992.
....the expert system is only as good as that of the security officer whose skills are modeled, which may not be comprehensive [18]. The system is not easy to use and unlike our design, the matching algorithm (forward chaining) is fixed. A state transition analysis tool for intrusion detection (STAT) [21, 22] and a real time intrusion detection system for UNIX (USTAT) [8, 6, 7] are the examples of using state transition diagrams as a way of describing intrusion scenarios. Attack patterns can only specify a sequence of events; more complex ways of specifying events are not permitted. Furthermore, there ....
P. A. Porras and R. A. Kemmerer. Penetration State Transition Analysis -- A Rule-based Intrusion Detection Approach. In Eighth Annual Computer Security Applications Conference, pages 220--229. IEEE Computer Society Press, Nov. 30 -- Dec. 4 1992.
No context found.
P. A. Porras and R. A. Kemmerer. Penetration state transition analysis: A rule-based intrusion detection approach. In Proceedings of the Eighth Annual Computer Security Applications Conference, pages 220--229, San Antonio, Texas, Nov. 30--Dec. 4, 1992.
....of California, Santa Barbara, CA 93106 USA; email: kemm@cs.ucsb.edu. P.A. Porras is with The Aerospace Corporation, P.O. Box 92957, Mail Stop: M1 055, Los Angeles, CA 90009-2957, USA; email: porras@aero.org. This paper is an extended version of two previous conference papers by the same authors [15,28]. due to the enormous quantity of data collected. In order to provide enough information to establish accountability and enable damage assessment, the audit collection mechanisms must record the occurrences of all security relevant events. Because of the large volume of data generated, manual ....
P.A. Porras and R.A. Kemmerer, "Penetration State Transition Analysis A Rule-Based Intrusion Detection Approach," Proceedings of the Eighth Annual Computer Security Applications Conference, San Antonio, Texas, pp. 220-229, December 1992.
....sequence is indicative of an attack may be a function of the preconditions under which the event sequence is performed. To enable this finer granularity of signature recognition, previous efforts have employed various degrees of state detection and management logic (one such example is found in [18]). However, as discussed in Section II, the incorporation of sophisticated rule and state management features must be balanced with the need to ensure an acceptable level of performance. In many respects, EMERALD's signature analysis strategy departs from previous centralized rule based ....
....users. EMERALD also extends the statistical profile model of NIDES, to analyze the operation of network services, network infrastructure, and activity reports from other EMERALD monitors. Various other efforts have considered one of the two types of analysis: signature based (e.g. Porras [18] has used a state transition approach; the U.C. Davis and Trident DIDS [4] addresses abstracted analysis for networking, but not scalability; the Network Security Monitor [7] seeks to analyze packet data rather than conventional audit trails; Purdue [ seeks to use adaptive agent technology) or ....
P.A. Porras and R.A. Kemmerer. Penetration state transition analysis: A rule-based intrusion detection approach. In Proceedings of the Eighth Annual Computer Security Applications Conference (San Antonio, TX, Nov. 30-Dec. 4), pages 220--229. IEEE, 1992.
....of procedural and rule based programming constructs to reason about activity in Unix audit trails. The University of California at Santa Barbara proposed the use of state transition diagrams to model the sequence of operations and state changes that occur during the execution of a penetration [15]. This technique was prototyped for SunOS 4.1.3 and Solaris audit trails in a tool called the Unix State Transition Analysis Tool (USTAT) [10]. While it did not represent its knowledge base using production rules, USTAT was architected as a classic expert system, with an inference engine, ....
P. A. Porras and R. A. Kemmerer. Penetration state transition analysis: A rule-based intrusion detection approach. In Proceedings of the Eighth Annual Computer Security Applications Conference, pages 220--229, San Antonio, Texas, Nov. 30--Dec. 4, 1992. IEEE Computer Society Press.
No context found.
Phillip A. Porras and Richard A. Kemmerer. Penetration State Transition Analysis --- A Rule-Based Intrusion Detection Approach. In Proceedings of the Eighth Annual Computer Security Applications Conference, Tucson, AZ, December 1992.
No context found.
Porras P.A., Kemmerer R.A., Penetration State Transition Analysis: A Rule-Based Intrusion Detection Approach, In Eighth Annual Computer Security Applications Conference (1992), pp. 220--229.
No context found.
P. Porras and R. Kemmerer, Penetration State Transition Analysis: A Rule based Intrusion Detection Approach, Eighth Annual Computer Security Applications Conference, 1992.
No context found.
PA Porras, RA Kemmerer, "Penetration State Transition Analysis: A Rule-Based Intrusion Detection Approach," in Proceedings of the Eighth Annual Computer Security Application Conference, San Antonio, Texas, December 1992, pp 220--229
No context found.
P. A. Porras and R. A. Kemmerer, "Penetration State Transition Analysis - A Rule-Based Intrusion Detection Approach", Eighth Annual Computer Security Applications Conference, IEEE Computer Society Press, November 30-December 4 1992, pp. 220-229.
No context found.
P. Porras and R. Kemmerer, Penetration State Transition Analysis - A Rule Based Intrusion Detection Approach, Computer Security Applications Conference, 1992.
No context found.
P Porras and R Kemmerer. Penetration state transition analysis: a rule based intrusion detection approach. In Eighth Annual Computer Security Applications Conference, 1996.