31 citations found.
Garvey, T.D. and Lunt, T.F. Model based intrusion detection, In Proceedings of the 14th National Computer Security Conference, pp. 372-385, October 1991.


This paper is cited in the following contexts:


A Pattern Matching Based Filter for Audit - Reduction And Fast (2000)

....of their purpose, manufacturer or origin. It is both technically hard and economically costly to ensure that systems are not susceptible to attacks. Two approaches have been proposed to address the problem: anomaly detection (see for example [1, 2]) and misuse detection (see for example [3]). The former suggests that user's activity in the system can be characterized so that a profile of normal utilization of the system is established and excursions from this profile are flagged as potential intrusions, or attacks in a more general sense. The latter assumes that attacks are ....

T.D. Garvey and T.F. Lunt. Model-based intrusion detection. In Proceedings of the 14th National Computer Security Conference, October 1991.


Detection of Denial-of-QoS Attacks Based On X2 Statistic.. - Mahadik, Wu, Reeves (2002)

....Control Charts to detect intrusions. The statistical anomaly detection approach, as used in both the above techniques, has faced severe criticism from the security community due mostly to its inherent higher false alarm generation rate than the rule or signature based detection approaches like [15, 33, 12]. [20] explores the problems faced by the statistical anomaly detection approach in general. However, the anomaly detection approach is preferred for detection of new or uninvestigated attacks with undefined attack signatures as is the case with the attacks on QoS networks. In view of this, we ....

T. D. Garvey and T. F. Lunt. Model based Intrusion Detection. In Proceedings of the 14th National Computer Security Conference, pages 372--385, 1991.


Fast Multipattern Search Algorithms for Intrusion Detection - Kuri, Navarro, Mé (1999)   (1 citation)

....intrusions, or attacks in a more general sense. This approach leads to some difficulties: a flow of alarms is generated in the case of a noticeable systems environment modification and a user can slowly change his behavior in order to cheat the system. We are more interested in misuse detection [10], which assumes that attacks are well known sequences of actions, called scenarios or attack signatures, and that the activity of the system (in the form of logs, network traffic, etc.) may be audited in order to determine the presence of such scenarios in the system. Misuse detection becomes an ....

T. Garvey and T. Lunt. Model-based intrusion detection. In Proc. 14th National Computer Security Conference, October 1991.


A Pattern Matching Based Filter for Audit Reduction.. - Kuri, Navarro..   (2 citations)

....of their purpose, manufacturer or origin. It is both technically hard and economically costly to ensure that systems are not susceptible to attacks. Two approaches have been proposed to address the problem: anomaly detection (see for example [1, 2]) and misuse detection (see for example [3]). The former suggests that user's activity in the system can be characterized so that a profile of normal utilization of the system is established and excursions from this profile are flagged as potential intrusions, or attacks in a more general sense. The latter assumes that attacks are ....

T.D. Garvey and T.F. Lunt. Model-based intrusion detection. In Proceedings of the 14th National Computer Security Conference, October 1991.


IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. XX.. - Intrusion Detection..

....shifts the burden of determining what audit records are part of a suspect sequence to the expert system. Model based techniques differ from current rule-based techniques, which simply attempt to pattern match audit records to expert rules. The Model based technique proposed by Garvey and Lunt [8] supports the abstraction of penetrations via an evidentiary reasoning tool, called Gister. 3 The goal of the tool is to evaluate pieces of evidence against a hypothesis in an effort to build some confidence measure as to the veracity of the hypothesis. As evidence is discerned through the audit ....

....state to the compromised state. A major difference between STAT and the other tools is that STAT rule chains are constructed from state transition diagrams. In this sense, the state transition analysis approach is similar to the Model based Intrusion Detection approach proposed by Garvey and Lunt [8] (see section II D). Both techniques provide a higher level representation of user behavior (i.e. above the audit record level) providing easier readability and rule generation. Current penetration identification tools are also limited in their ability to identify even semi sophisticated ....

T.D. Garvey and T.F. Lunt, "Model-based Intrusion Detection," Proceedings of the 14th National Computer Security Conference, Baltimore, MD, pp. 372-385, October 1991.


Computer System Intrusion Detection: A Survey - Bechard (1999)   (2 citations)

....by a lack of support for developing the intrusion scenarios. It is difficult to determine the relations between rules. The sheer magnitude of the rule sets make it difficult to isolate a subset in order to make a change. To overcome this difficulty, the concept of model based intrusion detection [Garvey91] was developed in conjunction with the IDES project at Stanford Research Institute. Each intrusion scenario was separately modeled so that the number of rules that need to be considered in making a change is a more manageable size. A performance issue is involved here as well. Since the ....

Garvey, T.D. and T.F. Lunt. "Model-Based Intrusion Detection." Proceedings of the 14th National Computer Security Conference, October 1991.


Authentication, Access Control, and Intrusion Detection - Sandhu, Samarati (1997)   (3 citations)

....and attack scenarios or suspicious events. The system can therefore be penetrated by attackers employing new techniques. 4.1.4 Model Based Reasoning Approach. The model based reasoning approach is based on the definition, by the security officers, of models of proscribed intrusion activities [GL91]. Proscribed activities are expressed by means of sequences of user behaviors (single events or observable measures) called scenarios. Each component of a scenario is therefore a high level observation on the system and does not necessarily correspond to an audit record (which contains ....

T.D. Garvey and T. Lunt. Model-based intrusion detection. In Proc. 14th Nat. Computer Security Conference, pages 372--385, Washington, DC, October 1991.


Data Security - Samarati, Jajodia (1999)

....can be considered better than the others. Rather, they complement each other since each of them can be applied to determine specific kinds of violations. Other approaches to intrusion detection and audit controls are possible. For instance, neural network [14, 23], state based [27], or model based [24] approaches have been proposed as a way to describe violations in terms of events or observables in the system. Other approaches have proposed the use of specific techniques as a protection against specific attacks. For instance, the keystroke latency property of a user, which we mentioned ....

T.D. Garvey and T. Lunt. Model-based intrusion detection. In Proc. 14th Nat. Computer Security Conference, pages 372--385, Washington, DC, October 1991.


Intrusion Detection with Neural Networks - Ryan, Lin, Miikkulainen (1998)   (23 citations)

....for an overview). Often statistical methods are used to measure how anomalous the behavior is, that is, how different e.g. the commands used are from normal behavior. Such approaches require that the distribution of subjects' behavior is known. The behavior can be represented as a rule based model (Garvey and Lunt 1991), in terms of predictive pattern generation (Teng et al. 1990) or using state transition analysis (Porras 2 et al. 1995). Pattern matching techniques are then used to determine whether the sequence of events is part of normal behavior, constitutes an anomaly, or fits the description of a known ....

Garvey, T. D., and Lunt, T. F. (1991). Model-based intrusion detection. In Proceedings of the 14th National Computer Security Conference.


Distributed Audit Trail Analysis - Mounji, Le Charlier, Zampunieris.. (1994)   (5 citations)

....is currently an active research area. The rising complexity of today To appear in the ISOC 95 Symposium on Network and Distributed System Security. networks leads to more elaborate patterns of attacks. Previous works for stand alone computer security have established basic concepts and models [3, 4, 5, 7, 8] and described a few operational systems [1, 6, 9, 12, 18] However, distributed analysis of audit trails for network security is needed because of the two following facts. First, the correlation of user actions taking place at different hosts could reveal a malicious behavior while the same ....

Th. D. Garvey, T.F. Lunt, Model-Based Intrusion Detection. Proceedings of the 14th National Security Conference, Washington DC., October 1991.


Intrusion Confinement by Isolation in Information Systems - Liu, Jajodia, McCollum (2000)   (4 citations)

....suspicious access actions need not be synchronized. 7 Related Work. A substantial body of work has been done on intrusion detection [Lun93, MHL94, LM98] based on either detecting deviations from expected statistical profiles [JV94] or pattern matching against known methods of attack [Ilg93, GL91, PK92, IKP95, SG91, SG97, LWJ98]. In [JV94] the idea of setting multiple alert levels is proposed, where each alert level corresponds to a specific degree of anomaly and different actions are taken at each alert level. However, the issues of what actions should be taken at each level and how to ....

T. D. Garvey and T. F. Lunt. Model-based intrusion detection. In Proceedings of the 14th National Computer Security Conference, Baltimore, MD, October 1991.


Research in Intrusion-Detection Systems: A Survey - Axelsson (1998)   (18 citations)

....calls for an up to date and thorough survey. This survey is indeed intended to be thorough, with the surveyed systems described in some detail and classified according to a number of interesting features. There are several ideas in the literature about how to perform intrusion detection, such as [5, 16, 27, 44] to name a few. These have not been covered since the emphasis here is on intrusion detection systems. We wish to survey substantial research efforts that have generated a prototype that can be studied, both quantitatively, and qualitatively. No slight towards the systems not covered, or its ....

Thomas D. Garvey and Teresa F. Lunt. Model-based intrusion detection. In Proceedings of the 14:th National Computer Security Conference, pages 372--385, Baltimore, MD, USA, October 1991. NIST, National Institute of Standards and Technology/National Computer Security Center.


Detecting Computer and Network Misuse Through the.. - Lindqvist, Porras (1999)   (35 citations)

....In our own system, antecedent evaluation is absolute, and less capable in environments where uncertainty, incompleteness, or inaccuracies exist within the event stream content. Other reasoning systems can provide some options for handling belief and uncertainty within the analysis framework [8]. In the presence of incomplete data, backward reasoning systems can operate in a diagnosis mode to seek out collaborative evidence of problems, and furthermore provide quantitative probabilities based on evidence to date that a certain problem is the culprit responsible for the presence of ....

T. D. Garvey and T. F. Lunt. Model-based intrusion detection. In Proceedings of the 14th National Computer Security Conference, pages 372--385, Washington, D.C., Oct. 1--4, 1991. National Institute of Standards and Technology /National Computer Security Center.


NSTAT: A Model-based Real-time Network Intrusion Detection System - Kemmerer (1997)   (12 citations)

....representation of the key actions that must occur in order for an attacker to move the system from the initial prerequisite state to the compromised state. In this sense, the state transition analysis approach is similar to the Model based Intrusion Detection approach proposed by Garvey and Lunt [GL 91]. Both techniques provide a higher level representation of user behavior (i.e. above the audit record level) providing easier readability and rule generation. Another advantage of NSTAT is its portability. NSTAT's modular architecture was designed to allow it to be easily ported to different ....

T.D. Garvey and T.F. Lunt, "Model-based Intrusion Detection," Proceedings of the 14th National Computer Security Conference, Baltimore, MD, October 1991.


Detecting Anomalous and Unknown Intrusions Against Programs - Ghosh, Wanken, Charron (1998)   (20 citations)

....detection techniques can be partitioned into two main approaches: misuse detection and anomaly detection. Misuse detection methods attempt to model attacks on a system as specific patterns, then systematically scan the system for occurrences of these patterns [Kumar and Spafford, 1996, Lunt, 1993, Garvey and Lunt, 1991, Porras and Kemmerer, 1992, Ilgun, 1992, Monrose and Rubin, 1997]. This process involves a specific encoding of previous behaviors and actions that were deemed intrusive or malicious. Anomaly detection assumes that intrusions are highly correlated to abnormal behavior exhibited by either a user ....

Garvey, T. and Lunt, T. (1991). Model-based intrusion detection. In Proceedings of the 14th National Computer Security Conference.


Using Program Behavior Profiles for Intrusion Detection - Ghosh, Schwartzbard, Schatz (1999)   (5 citations)

....Agency (DARPA) Contract DAAH01 98 CR145. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the U.S. Government. [4, 5, 6, 9, 12, 13]. This process involves a specific encoding of previous behaviors and actions that were deemed intrusive or malicious. Anomaly detection assumes that intrusions are highly correlated to abnormal behavior exhibited by either a user or network traffic. The main advantage of anomaly detection over ....

T.D. Garvey and T.F. Lunt. Model-based intrusion detection. In Proceedings of the 14th National Computer Security Conference, October 1991.


Evolutionary Design of Intrusion Detection Programs - Abraham, Grosan, Martin-Vide (2006)

No context found.

Garvey, T.D. and Lunt, T.F. Model based intrusion detection, In Proceedings of the 14th National Computer Security Conference, pp. 372-385, October 1991.


Intrusion Detection Systems Using Decision Trees and.. - Sandhya..

No context found.

T. D. Garvey and T. F. Lunt. Model based intrusion detection. In Proceedings of the 14th National Computer Security Conference, pages 372-385, October 1991.


Distributed Intrusion Detection Systems: A Computational.. - Ajith Abraham And (2005)

No context found.

T. D. Garvey and T. F. Lunt, "Model based intrusion detection". In Proceedings of the 14th National Computer Security Conference, pages 372-385, October 1991.


Methods for Intrusion and Fraud Detection in - Ip-Based Multimedia Services

No context found.

T.D. Garvey and T.F. Lunt, Model based intrusion detection, Proceedings of the 14th National computer security conference, October 1991.


Intrusion Detection: A Study - Blomqvist, Skantze (1995)   (1 citation)

No context found.

Thomas D. Garvey and Teresa F. Lunt. Model-based Intrusion Detection. In Proceedings of the 14th National Computer Security Conference, Washington, DC, October 1991.


Panoptis: Intrusion Detection using a Domain-specific Language - Spinellis, Gritzalis (2002)

No context found.

T. Garvey and T. Lunt. Model-based intrusion detection. In 14th National Computer Security Conference, 1991.


Formalizing Sensitivity in Static Analysis for Intrusion Detection - Feng (2004)   (3 citations)

No context found.

T. Garvey and T. Lunt. Model-based intrusion detection. In 14th National Computer Security Conference (NCSC), Baltimore, Maryland, June 1991.


Efficient Context-Sensitive Intrusion Detection - Giffin, Jha, Miller (2004)   (3 citations)

No context found.

T. Garvey and T. Lunt. Model-based intrusion detection. In 14th National Computer Security Conference (NCSC), Baltimore, Maryland, June 1991.


Intrusion Detection: A Bibliography - Mé, Michel (2001)

No context found.

Garvey, T. and Lunt, T. (1991). Model-based Intrusion Detection. In Proceedings of the 14th National Computer Security Conference.



CiteSeer.IST - Copyright Penn State and NEC