Koral Ilgun. USTAT: A real-time intrusion detection system for UNIX. In Proceedings of the 1993.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....because they have solved analog problems in domains as computational biology and information retrieval. In intrusion detection, pattern matching algorithms have been proposed as search engines in two different intrusion detection models. One is based in the concept of state transition analysis [10, 13] and the the other uses the computer immunology approach proposed in [9] We give an example to illustrate how the pattern matching algorithms presented below can be used to solve an intrusion detection problem. Auditable events in the target system (such as TCP IP packages in a network or ....

K. Ilgun. USTAT: A real-time intrusion detection system for UNIX. Master's thesis, Computer Science Dept., University of California, Santa Barbara, July 1992.

....data structures that would be hard although probably not impossible to code in Russel. Our high level language is, as announced, a temporal language, which seems to make it quite different from the state transition diagrams of STAT (State Transition Analysis [17] and its variants USTAT [9], NetSTAT [25] and STATL [6] and also from the the colored Petri approach advocated in [10] and used in IDIOT [4] However, the particular brand of temporal logic that we shall use in Section 4, and whose modal operators were inspired by Wolper s extended linear time operators [26] are in fact ....

K. Ilgun. USTAT: A real-time intrusion detection system for UNIX. In IEEE Symposium on Research on Security and Privacy, 1993.

....illustration of the implementation of the state based approach [Porras92] USTAT is tailored to the UNIX Figure 3. Generic State Transition Diagram Action Compromised State Transition State Action(s) Initial State Action Transition State Intrusion Detection 17 02 09 00 environment [Ilgun93]. Each known penetration, or intrusion scenario, is represented in the form of a state transition diagram. Some action, for example UNIX system routines that change system state, are the transitions from one state to the next. USTAT processes audit records from the particular UNIX system on which ....

Ilgun, K. "USTAT: A Real-Time Intrusion Detection System for UNIX." Proceedings of the IEEE Symposium on Research in Security and Privacy, May 1993.

....because they have solved analog problems in domains as computational biology and information retrieval. In intrusion detection, pattern matching algorithms have been proposed as search engines in two different intrusion detection models. One is based in the concept of state transition analysis [11, 14] and the the other uses the computer immunology approach proposed in [9] We give an example to illustrate how the pattern Work supported by CONACyT grant # 122688. y Work developed in part while the author was at postdoctoral stay at Institut Gaspard Monge, Univ. de Marne la Vall ee, France. ....

K. Ilgun. USTAT: A real-time intrusion detection system for UNIX. Master's thesis, Computer Science Dept., University of California, Santa Barbara, July 1992.

....detection. The first implementation of the host based tool, which is called USTAT, used as input the audit records produced by Sun Microsystems Basic Security Module (BSM) 32] USTAT clearly demonstrated the value of the STAT approach for intrusion detection in the UNIX operating system [13, 14, 26]. However, because the original USTAT prototype was developed in an ad hoc way, a number of characteristics of this first prototype were difficult to modify or to extend to match new environments (e.g. Windows NT) The state transition analysis technique was also applied to networks. The ....

K. Ilgun. USTAT: A Real-time Intrusion Detection System for UNIX. In Proceedings of the IEEE Symposium on Research on Security and Privacy, Oakland, CA, May 1993.

....detection. The first implementation of the host based tool, which is called USTAT, used as input the audit records produced by Sun Microsystems Basic Security Module (BSM) 32] USTAT clearly demonstrated the value of the STAT approach for intrusion detection in the UNIX operating system [13, 14, 26]. However, because the original USTAT prototype was developed in an ad hoc way, a number of characteristics of this first prototype were difficult to modify or to extend to match new environments (e.g. Windows NT) The state transition analysis technique was also applied to networks. The ....

K. Ilgun. USTAT: A Real-time Intrusion Detection System for UNIX. Master's thesis, Computer Science Department, University of California, Santa Barbara, July 1992.

....con guration. Section 5 describes how dependencies are used during the recon guration process. Section 6 draws some conclusions and outlines future work. 2 The STAT Framework The STAT framework is the result of the evolution of the original STAT technique and its application to UNIX systems [5 7] into a general framework for the development of STAT based intrusion detection sensors [8] The STAT Technique. STAT is a technique for representing high level descriptions of computer attacks. Attack scenarios are abstracted into states, which describe the security status of a system, and ....

....sensors are not available. The STAT framework and the core component have been designed and implemented. The STAT framework has been used to build a number of IDSs, including two systems for host based intrusion detection in UNIX and Windows NT environments, called USTAT and WinSTAT, respectively [5 7], a networkbased intrusion detection system called NetSTAT [14, 15] and a distributed event analyzer called NSTAT [16] Two of the systems, namely USTAT and NetSTAT, have been used in four di erent DARPA sponsored evaluations [17, 18] The CommSTAT communication infrastructure has been completed ....

Ilgun, K.: USTAT: A Real-time Intrusion Detection System for UNIX. Master 's thesis, Computer Science Department, University of California, Santa Barbara (1992)

....the audit trail a main string and the scenarios as sub strings to locate in this main string. Thus the attack is represented as a regular expression and pattern matching can do detection. A state transition approach (which may be boiled down to a regular expression) as used in STAT[16] USTAT[17], NetSTAT [18] Graphbased detection trying to build a graph with particular events, as used in GrIDS (Graphbased Intrusion Detection System) 19] and Petri Nets approaches are variants of the same. Thus, these classifications try to define the various dimensions of an intrusion detection ....

I. Koral, "USTAT: A Real-time Intrusion Detection System for UNIX," Technical Report TRCS93-26, Computer Science Department, University of California, Santa Barbara, CA, 1993.

....because they have solved analog problems in domains as computational biology and information retrieval. In intrusion detection, pattern matching algorithms have been proposed as search engines in two di erent intrusion detection models. One is based in the concept of state transition analysis [9, 12] and the the other uses the computer immunology approach proposed in [8] We give an example to illustrate how the pattern matching algorithms presented below can be used to solve an intrusion detection problem. Auditable events in the target system can be seen as letters of an alphabet and the ....

K. Ilgun. USTAT: A real-time intrusion detection system for UNIX. Master's thesis, Computer Science Dept., University of California, Santa Barbara, July 1992.

....corresponding connections by a network intrusion detection model, to yield a higher accuracy. As in the case of building network intrusion detection models, we also need to first perform a sequence of data preprocessing tasks on the raw BSM data. We extended the preprocessor component of USTAT [ Ilgun, 1992 ] to process the binary BSM data into ASCII event data. Table 7.15 shows examples of the event records. Here a means the value is not given in the original BSM audit record. Each event record contains a number of basic features, defined in Table 7.16. We developed a program to process the ....

Koral Ilgun. USTAT: A real-time intrusion detection system for Unix. Master's thesis, University of California at Santa Barbara, November 1992. 173

....corresponding connections by a network intrusion detection model, to yield a higher accuracy. As in the case of building network intrusion detection models, we also need to first perform a sequence of data preprocessing tasks on the raw BSM data. We extended the preprocessor component of USTAT [Ilgun 1992] to process the binary BSM data into ASCII event data. Table 20 shows examples of the event records. Here a means the value is not given in the original BSM audit record. Each event record contains a number of basic features, defined in Table 21. We developed a program to process the event ....

Ilgun, K. 1992. USTAT: A real-time intrusion detection system for Unix. Master's thesis, University of California at Santa Barbara.

....The state transition analysis technique has been used for both host based and network based intrusion detection. The first implementation of the host based tool, which is called USTAT, clearly demonstrated the value of the STAT approach for intrusion detection in the UNIX operating system [12, 13, 24]. However, because the original USTAT prototype was developed in an ad hoc way, a number of characteristics of this first prototype were difficult to modify or to extend to match new environments (e.g. Windows NT) The state transition analysis technique was also applied to networks. The ....

K. Ilgun. USTAT: A Real-time Intrusion Detection System for UNIX. In Proceedings of the IEEE Symposium on Research on Security and Privacy, Oakland, CA, May 1993.

....The state transition analysis technique has been used for both host based and network based intrusion detection. The first implementation of the host based tool, which is called USTAT, clearly demonstrated the value of the STAT approach for intrusion detection in the UNIX operating system [12, 13, 24]. However, because the original USTAT prototype was developed in an ad hoc way, a number of characteristics of this first prototype were difficult to modify or to extend to match new environments (e.g. Windows NT) The state transition analysis technique was also applied to networks. The ....

K. Ilgun. USTAT: A Real-time Intrusion Detection System for UNIX. Master's thesis, Computer Science Department, University of California, Santa Barbara, July 1992.

....R i is formalized as follows: R i = AsPs AsPs (1 As )Pg In Example 1, if we keep P i at 0.90, R i is 96.5 . 2. 2 FOR SIGNATURE BASED DETECTION We specify a signature as a sequence of events leading from an initial limited access state to a final compromised state [Porras and Kemmerer, 1992, Ilgun, 1993, Ilgun et al. 1995, Shieh and Gligor, 1991, Shieh and Gligor, 1997, Lin et al. 1998] Each event causes a state transition from one state to another state. We identify a signature with length n, denoted Sig(n) as Sig(n) s 0 E 1 s 1 : E n s n , where E i is an event and s i is a state, and E ....

Ilgun, K. (1993). Ustat: A real-time intrusion detection system for unix. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA.

....R i is formalized as follows: R i = AsPs AsPs (1 As )Pg In Example 1, if we keep P i at 0.90, then R i is 96.5 . 2. 2 Intrusion Con nement for Signature Based Detection We de ne a signature as a sequence of events leading from an initial limited access state to a nal compromised state [PK92, Ilg93, IKP95, SG91, SG97, LWJ98] Each event causes a transition 6 from one state to another. We identify a signature with length n, denoted Sig(n) as Sig(n) s 0 E 1 s 1 : E n s n , where E i is an event and s i is a state, and E i causes the state transition from s i 1 to s i . For simplicity, ....

....context suspicious access actions need not be synchronized. 7 Related Work A substantial body of work has been done on intrusion detection [Lun93, MHL94, LM98] based on either detecting deviations from expected statistical pro les [JV94] or pattern matching against known methods of attack [Ilg93, GL91, PK92, IKP95, SG91, SG97, LWJ98] In [JV94] the idea of setting multiple alert levels is proposed, where each alert level corresponds to a speci c degree of anomaly and di erent actions are taken at each alert level. However, the issues of what actions should be taken at each level and how ....

K. Ilgun. Ustat: A real-time intrusion detection system for unix. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1993.

....For example, in an attack scenario describing a network port scanning attempt, a typical signature action would include the TCP segments used to test the TCP ports of a host. The state transition analysis technique has been applied to host based intrusion detection, and a tool, called USTAT [5, 6, 13], has been developed. USTAT uses state transition representations as the basis for rules to interpret changes in a computer system s state and to detect intrusions in real time. The changes in the computer system s state are monitored by leveraging off of the auditing facilities provided by ....

K. Ilgun. USTAT: A Real-time Intrusion Detection System for UNIX. In Proceedings of the IEEE Symposium on Research on Security and Privacy, Oakland, CA, May 1993.

....For example, in an attack scenario describing a network port scanning attempt, a typical signature action would include the TCP segments used to test the TCP ports of a host. The state transition analysis technique has been applied to host based intrusion detection, and a tool, called USTAT [5, 6, 13], has been developed. USTAT uses state transition representations as the basis for rules to interpret changes in a computer system s state and to detect intrusions in real time. The changes in the computer system s state are monitored by leveraging off of the auditing facilities provided by ....

K. Ilgun. USTAT: A Real-time Intrusion Detection System for UNIX. Master's thesis, Computer Science Department, University of California, Santa Barbara, July 1992.

....and in the present author s opinion lack merit. One cannot make speci c claims about di erences in eciency between an existing system, and a proposed one, without gures, based on the kind of loose argumentation presented here. 2.11 USTAT State transition analysis 2. 11.1 Introduction USTAT [23, 24] is a mature prototype implementation of the state transition analysis approach to intrusion detection. State transition analysis takes the view that the computer is initially in some secure state, and via a number of penetrations, modeled as state transitions, the computer ends up in a ....

Koral Ilgun. USTAT: A real-time intrusion detection system for UNIX. In Proceedings of the 1993 IEEE Symposium on Security and Privacy, pages 16-28, Oakland, California, May 24-26, 1993. IEEE Computer Society Press.

.... [Sma88] 1988 non real batch host passive centralised centralised low low MIDAS [SSHW88] 1988 real continuous host passive centralised centralised low low Hyperview [DBS92] 1992 real continuous host passive centralised centralised low low f g h i j USTAT [Ilg93] 1993 real continuous host passive centralised centralised low low DPEM [KFL94] 1994 real batch host passive distributed distributed low low CSM [WP96] 1996 real continuous host active distributed distributed low low Janus [GWTB96] 1996 real continuous host ....

....language are applied to each audit record sequentially. They encapsulate all the relevant knowledge about past results of the analysis in the form of new rules, and they are active only once, requiring explicit re instantiation when they have fired. A. 11 USTAT State transition analysis USTAT [Ilg93, IKP95] is a mature prototype implementation of the state transition analysis approach to intrusion detection. State transition analysis takes the view that the computer initially exists in a secure state, but as a result of a number of penetrations modelled as state transitions it ends up ....

Koral Ilgun. USTAT: A real-time intrusion detection system for UNIX. In Proceedings of the 1993 IEEE Symposium on Security and Privacy, pages 16--28, Oakland, California, 24--26 May 1993. IEEE Computer Society Press.

....from the execution of an attack scenario would prevent the attack from completing successfully. Typical examples of signature actions include reading, writing, and executing les. The state transition analysis technique has been applied to host based intrusion detection, and a tool, called USTAT [24, 11, 12], has been developed. USTAT uses state transition diagrams as the basis for rules to interpret changes in a computer system s state and detect intrusions in real time. The changes in the computer system s state are monitored by leveraging o of the auditing facilities provided by securityenhanced ....

K. Ilgun. USTAT: A Real-time Intrusion Detection System for UNIX. In Proceedings of the IEEE Symposium on Research on Security and Privacy, Oakland, CA, May 1993.

....from the execution of an attack scenario would prevent the attack from completing successfully. Typical examples of signature actions include reading, writing, and executing les. The state transition analysis technique has been applied to host based intrusion detection, and a tool, called USTAT [24, 11, 12], has been developed. USTAT uses state transition diagrams as the basis for rules to interpret changes in a computer system s state and detect intrusions in real time. The changes in the computer system s state are monitored by leveraging o of the auditing facilities provided by securityenhanced ....

K. Ilgun. USTAT: A Real-time Intrusion Detection System for UNIX. Master's thesis, Computer Science Department, University of California, Santa Barbara, July 1992.

....damage is done to the system. This preemption is possible only with real time analysis. The major issue in real time analysis, however, is whether USTAT will be fast enough to catch up with the audit records when the user load is high. The results of tests focusing on this issue are presented in [Ilg 93] USTAT s ability to detect cooperative attacks, to detect penetrations, the steps of which may span more than one user session, and its ability to foresee an impending compromise distinguish it from other rule based penetration identification systems. The components of USTAT were briefly ....

K. Ilgun, "USTAT: A Real-time Intrusion Detection System for UNIX," Proceeding of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, May 1993.

....identified with its full path, and the Target field is effective only if the action is Hardlink or Rename. All of the fields in a USTAT audit record can be obtained directly from the BSM audit records. For an in depth discussion of BSM features and audit records as regards to USTAT, refer to [Ilg 92] There are 239 different events that are audited by BSM. Out of these, only 28 events are used by the preprocessor and mapped onto 10 different USTAT actions. The inference engine operates using these 10 action types. The preprocessor also takes the return value of an event into account, ....

....Using the data produced by the decision engine the SSO can foresee an impending compromise and has enough information to either take preemptive action, or to take precautions to prevent future attacks of the same nature. The complete details of the USTAT implementation can be found in [Ilg 92, IKP 95] III. Distributed STAT The Reliable Software Group at UCSB is currently extending USTAT to be run on audit data collected on multiple hosts. The resulting system, called NSTAT, uses a multi threaded client server model where audit data is collected from multiple clients and fed to a ....

K. Ilgun, "USTAT: A Real-time Intrusion Detection System for UNIX," Master's Thesis, Computer Science Department, University of California, Santa Barbara, CA, Nov. 1992.

.... Multics Intrusion Detection and Alerting System (MIDAS) 25] and Los Alamos Network Anomaly Detection and Intrusion Reporter (NADIR) 11] Many researchers seek new general methods for intrusion detection, and their contributions are based on a wide range of techniques: state transition analysis [12, 13, 22], AI expert systems [3, 11, 17, 26] statistical profiling [14] immune system models [7, 8] data mining techniques [19] and various mixtures of neural networks, genetic algorithms and fuzzy logic [10, 24] Many of these approaches have not been robust, or at least it has been difficult to test ....

K Ilgun, "USTAT: A Real-time Intrusion Detection System for UNIX," Proceedings of 1993 IEEE Symposium on Research in Security and Privacy pp 16--28

....Several approaches to misuse detection have been tried in the past. They include language based approaches to represent and detect intrusions [HCMM92] developing an API 1 for the same [Sma95] expert systems [SSHW88, Sma88, BK88] and high level state machines to encode and match signatures [Ilg92, PK92]. We proposed using a pattern matching approach to the representation and detection of intrusion signatures [KS94c] This approach resulted from a study of a large number of common intrusions with the aim of representing them as signatures [KS94a] The signatures were then classified into ....

....Sequencing and partial order constraints on events can be represented in a direct declarative manner. Systems that use expert system rules to encode misuse activity only do so indirectly because it is hard or inefficient to specify temporal relationships between facts in rule antecedents. [Ilg92, PK92] permit the specification of state transition diagrams to represent misuse activity but their transition events are high level actions that do not directly correspond to system generated events. ASAX [HCMM92] is the closest to our approach but ASAX is less declarative. In specifying patterns in ....

Koral Ilgun. USTAT: A Real-Time Intrusion Detection System for UNIX. Master's thesis, Computer Science Department, University of California, Santa Barbara, July 1992.

....of California, Santa Barbara, CA 93106 USA; emaih kemm cs.ucsb.edu. P.A. Porras is with The Aerospace Corporation, P.O. Box 92957, Mail Stop: M1 055, Los Angeles, CA 90009 2957, USA; emaih porras aero.org This paper is an extended version of two previous conference papers by the same authors [15,28]. due to the enormous quantity of data collected. In order to provide enough information to establish accountability and enable damage assessment, the audit collection mechanisms must record the occurrences of all security relevant events. 1 Because of the large volume of data generated, manual ....

K. Ilgun, "USTAT: A Real-Time Intrusion Detection System for UNIX," Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, pp. 16-28, May 1993.

No context found.

K. Ilgun, "USTAT: A Real-Time Intrusion Detection System for UNIX," Masters Thesis, Computer Science Department, University of California, Santa Barbara, July 1992.

No context found.

Koral Ilgun. USTAT: A real-time intrusion detection system for UNIX. In Proceedings of the 1993.

No context found.

Ilgun, K. USTAT: A Real-Time Intrusion Detection System for UNIX. IEEE Symposium on Security and Privacy, pp. 16--28, Oakland, CA, May 1993.

No context found.

K. Ilgun, "USTAT: A Real-Time Intrusion Detection System for UNIX," Proc. IEEE Symp. Research on Security and Privacy, May 1993.

No context found.

Ilgun, K. USTAT: A Real-Time Intrusion Detection System for UNIX, Master Thesis, University of California, Santa Barbara, 1992. 21

No context found.

K. Ilgun. USTAT: A Real-Time Intrusion Detection System for UNIX. Master Thesis, University of California, Santa Barbara, November 1992.

No context found.

K. Ilgun. USTAT: A Real-time Intrusion Detection System for UNIX. In Proceedings of the IEEE Symposium on Research on Security and Privacy, Oakland, CA, May 1993.

No context found.

Koral Ilgun. USTAT: A Real-Time Intrusion Detection System for UNIX. In Proceedings of the 1993 IEEE Symposium on Research in Security and Privacy, Oakland, CA, May 1993.

No context found.

Koral Ilgun. USTAT: A Real-Time Intrusion Detection System for UNIX. Master 's thesis, Department of Computer Science, University of California at Santa Barbara, July 1992.

No context found.

K. Ilgun. USTAT: A Real-time Intrusion Detection System for UNIX. In Proceedings of the IEEE Symposium on Research on Security and Privacy, Oakland, CA, May 1993. 40

No context found.

K. Ilgun. USTAT: A Real-time Intrusion Detection System for UNIX. Master's thesis, Computer Science Department, University of California, Santa Barbara, July 1992.

No context found.

Koral Ilgun. USTAT: A real-time intrusion detection system for Unix. Master's thesis, University of California at Santa Barbara, November 1992.

No context found.

K Ilgun, "USTAT: A Real-time Intrusion Detection System for UNIX," Proceedings of 1993 IEEE Symposium on Research in Security and Privacy pp 16--28

No context found.

K. Ilgun. USTAT: A real-time intrusion detection system for UNIX. In Proceedings of the 1993.

No context found.

K. Ilgun. USTAT: A Real-time Intrusion Detection System for UNIX. In Proceedings of the IEEE Symposium on Research on Security and Privacy, Oakland, CA, May 1993.

No context found.

Ilgun, K. (1993). USTAT : A Real-Time Intrusion Detection System for UNIX. In Proceedings of the IEEE Symposium on Security and Privacy, pages 1629.

No context found.

K. Ilgun. USTAT: A real-time intrusion detection system for UNIX. In Proceedings of IEEE Symposium on Security and Privacy, pages 16--28, Oakland, CA, May 1993.

No context found.

K. Ilgun. USTAT: A real-time intrusion detection system for UNIX. In Proceedings of IEEE Symposium on Security and Privacy, pages 16--28, Oakland, CA, May 1993.

No context found.

Ilgun, K.: USTAT: A Real-time Intrusion Detection System for UNIX. In: Proceedings of the IEEE Symposium on Research on Security and Privacy, Oakland, CA (1993)

No context found.

K. Ilgun. Ustat: A real-time intrusion detection system for UNIX. Master's thesis, Computer Science, UCSB, July, 1992.

No context found.

K. Ilgun. Ustat: A real-time intrusion detection system for UNIX. Master's thesis, Computer Science, UCSB, July, 1992.

No context found.

Conference. #Ilgun, 1992# Ilgun, K. #1992#. Ustat: A real-time intrusion detection system for unix. Master's thesis, Computer Science Dept, UCSB.

No context found.

Ilgun, K. (1993). USTAT: A Real-time Intrusion Detection System for UNIX. In Proceedings of the IEEE Symposium on Research in Security and Privacy. pp. 16-28.

No context found.

K. Ilgun, "USTAT: A Real-time Intrusion Detection System for UNIX", Proc. of the IEEE Symposium on Research in Security and Privacy, pp.16-28, May 1993.

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC