19 citations found.
T.F. Lunt, R. Jagannathan, R. Lee, A. Whitehurst, and S. Listgarten, Knowledge-based intrusion detection, Proceedings of the 1989.


This paper is cited in the following contexts:
IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. XX.. - Intrusion Detection..

....that supplement their anomaly detection components with expert penetration rules include IDES, NADIR and W S. IDES has a rule base component that allows one to represent suspicious behavior based on site specific security policies, known security flaws, and knowledge of past intrusions [18]. The IDES expert system component evaluates audit records as they are produced. From the perspective of the expert system, the audit records are viewed as facts, which map to rules in the rule base. A binding analysis is performed to determine if the fact rule binding is consistent. That is, ....

T.F. Lunt, R. Jagannathan, R. Lee, and A. Whitehurst, "Knowledge-Based Intrusion Detection," Proceeding of the 1989.


Computer System Intrusion Detection: A Survey - Bechard (1999)   (2 citations)

....if there exists a login entry such that user is userid and time stamp is login time and (unusual login time userid login time) then remember a user login anomaly such that user is userid and time stamp is login time) Figure 2b. Unusual login time rule 4.1. 2 IDES NIDES Initially, IDES [Lunt89] was designed with a simple rule based system to detect intrusion attempts using intrusion scenarios described by rule sets. The rule based component was based on the same Production Based Expert System Toolset (P BEST) that MIDAS used. The rule base was divided into two parts for easier ....

Lunt, T., R. Jaganathan, R. Lee, A. Whitehurst and S. Listgarten. "Knowledge-Based Intrusion Detection." Proceedings of the


On Atypical Database Transactions: Identification of Probable.. - Kokkinaki

....behaviour is not new and several Artificial 1 The term is used in its broad commercial context, rather than the logical unit of work with ACID properties defined in Transaction Processing. Intelligence techniques have been employed to address it. The term Classification refers to techniques [3, 9, 12, 13, 15, 20, 21] which derive some patterns of normal activity within a specific domain and then distinguish data into normal or exceptional based on the set of known patterns. Usually, those data have been subjected to a Data Reduction preprocessing [3, 6, 15, 17, 20] Data Reduction techniques aim to analyse a ....

Lunt, T. and Jaganathan, R. and Lee, R. and Whitehurst, A. and Listgarten S., "Knowledge-Based Intrusion Detection", Proceedings of the AI Systems in Government Conference, 1989.


Doing Intrusion Detection Using Embedded Sensors - Zamboni (2000)   (2 citations)

....for analyzing data generated by the host. One of the first host based intrusion detection systems implemented was IDES [15, 16, 31, 34] which used both a statistical detection engine based on Denning's model [14] and a rule-based expert system for detecting known intrusions by their signatures [35]. Kumar [29] used pattern matching techniques to detect and classify attacks. More recently, Forrest et al. [18] have applied classification techniques to sequences of Unix system calls to identify anomalous behavior in Unix processes. Also, Lane and Brodley [30] have used classification of command ....

Teresa F. Lunt, R. Jagannathan, Rosanna Lee, Alan Whitehurst, and Sherry Listgarten. Knowledge based Intrusion Detection. In Proceedings of the Annual AI Systems in Government Conference, Washington, DC, March 1989.


Inspect: a Lightweight Distributed Approach to Automated Audit.. - Vigna

.... of a state transition diagram) and in using the event records produced by auditing in order to validate the model [9, 10] In the rule based approach, knowledge about what is to be considered suspicious activity is represented by rules that define conditions on and relationships among events [20, 15]. The main problem with the rule based approach is that every audit record represents a fact. Therefore the facts base tend to be enormous, and analysis of facts may require very complex computations. If timely response to system abuse is not required, hours of a single (complex) inference engine ....

T. F. Lunt, R. Jagannathan, R. Lee, A. Whitehurst, and S. Listgarten. Knowledge-Based Intrusion Detection. In Proceedings of the AI Systems in Government Conference, March 1989.


Detecting Computer and Network Misuse Through the.. - Lindqvist, Porras (1999)   (35 citations)

....System (MIDAS) [18] which performed misuse detection on the National Computer Security Center's Internet connected mainframe, Dockmaster. P BEST was later enhanced at SRI by Whitehurst, and later by Fred Gilham, and was employed in an early version of the Intrusion Detection Expert Systems (IDES) [14], and later Next Generation IDES (NIDES) [1] See Section 3 for details on the application of P BEST on these systems. The P BEST toolset consists of a rule translator, a library of runtime routines, and a set of garbage collection routines. When using P BEST, rules and facts are written in the ....

....led to the development of a prototype IDES, capable of providing real time detection of security violations on single target host systems. Originally, IDES only used statistical anomaly detection [5, 12] but later a component for misuse detection based on static knowledge was added, using P BEST [14]. The two components were fed the same audit records, but performed their inferences and reporting independently. Next, SRI began a comprehensive effort to enhance, optimize, and re engineer the earlier IDES prototype into a production quality intrusion detection system called NextGeneration ....

T. F. Lunt, R. Jagannathan, R. Lee, A. Whitehurst, and S. Listgarten. Knowledge-based intrusion detection. In Proceedings of the Annual AI Systems in Government Conference, pages 102--107, Washington, D.C., Mar. 27--31, 1989. IEEE Computer Society Press.


NSTAT: A Model-based Real-time Network Intrusion Detection System - Kemmerer (1997)   (12 citations)

....Current penetration identification tools are also limited in their ability to identify even semi sophisticated attacks, such as those performed by cooperating attackers. The IDES rule base, for example, does not take into consideration two or more users working together to execute a penetration [LJL 89] Lastly, current penetration rule bases are neither easily created nor easily updated. In general, expert rule bases tend to be nonintuitive, requiring the skills of experienced rule base programmers to update them; penetration rule bases are no exception. Penetration rule bases are created by ....

T.F. Lunt, R. Jagannathan, R. Lee, and A. Whitehurst, "Knowledge-Based Intrusion Detection," Proceeding of the 1989 AI Systems in Government Conference, March 1989.


Artificial Intelligence and Intrusion Detection: Current and.. - Frank (1994)   (25 citations)

....which encodes knowledge about past intrusions, known system vulnerabilities, and security policy. IDES rules are encoded in an expert system shell. As information is gathered, the expert determines whether or not any rules have been satisfied, then chooses the most appropriate rule to select [LuJa]. [DeBe] propose an expert system in connection with a neural network. The neural network component reports anomalies to the expert system, which also employs data not used by the net. The expert contains a rule base similar to that used in IDES, with known attacks and system policy information. ....

T. Lunt, R. Jaganathan, R. Lee, A. Whitehurst, S. Listgarten. "Knowledge-Based Intrusion Detection." Proceedings of the AI Systems in Government Conference, 1989.


A Pattern Matching Model for Misuse Intrusion Detection - Kumar, Spafford (1994)   (49 citations)

....work was funded by the Division of INFOSEC Computer Science, Department of Defense. A Pattern Matching Model for Misuse Intrusion Detection high CPU activity, or use of peripheral devices not normally used. This approach has been studied extensively and implemented in a large number of systems [19, 18, 12, 14, 5, 8]. It attempts to quantify the acceptable behavior and thus identify abnormal behavior as intrusive. The other technique of detecting intrusions, misuse detection, attempts to encode knowledge about attacks as well defined patterns and monitors for the occurrence of these patterns. For example, ....

Teresa F. Lunt, R. Jagannathan, Rosanna Lee, Alan Whitehurst, and Sherry Listgarten. Knowledge based Intrusion Detection. In Proceedings of the Annual AI Systems in Government Conference, Washington, DC, March 1989.


A Partial Memory Incremental Learning Methodology and its.. - Maloof, Michalski (1995)   (1 citation)

....computer system and masquerade as a legitimate user. At this point, detection of an intruder becomes increasingly difficult, especially with computer systems that have a large number of users. Quite a bit of research has been conducted in attempts to statistically model user behavior (Smaha 1988; Lunt et al. 1989; Vaccaro 1989; Anderson et al. 1994b) Statistical models, or profiles, once acquired, are subsequently used to verify that a user's recent behavior is consistent with past behavior. While a statistical approach to this problem is certainly valid, there are advantages to the machine learning ....

....these categories with justifications and caveats. Statistical Approaches Denning's (1987) seminal paper laid the foundations for the Intrusion Detection Expert System (IDES) which uses a statistical component for anomaly detection and a rule based component for detecting known intruder behaviors (Lunt et al. 1989). The IDES system later evolved into the Next Generation Intrusion Detection Expert System (NIDES) both of which were developed at SRI International (Anderson et al. 1994a) Figure 2.3 shows the NIDES architecture. Statistical Component Rulebased Component Audit Data Generation User Interface ....

Lunt, T. F.; Jagannathan, R.; Lee, R.; Whitehurst, A.; and Listgarten, S. (1989) Knowledge-based intrusion detection. Proceedings of the Annual Artificial Intelligence Systems in Government Conference, 102--107.


System Performance Advisor: An Expert System For Unix System.. - Hoogenboom (1992)   (1 citation)

....of IDES has been followed and discussed in several papers over several years. A concise, nontechnical overview of IDES and other similar intrusion detection projects is given by Kerr [35] More detail on the design and implementation of IDES is given in Lunt and Jagannathan [41] and Lunt, et al. [42]. 15 Another system that is based on Denning's intrusion detection model is NIDX [3] The IDES model is very system independent. NIDX extends this model to include system dependent knowledge such as a description of file systems and rules regarding system policies. 1.5.6 Network Management ....

Lunt, T. F., Jagannathan, R., Lee, R., Whitehurst, A., and Listgarten, S. Knowledge-based intrusion detection. In Proceedings of the Annual AI Systems in Government Conference (1989), IEEE Computer Society Press, pp. 102--107.


A Method for Partial-Memory Incremental Learning and its.. - Maloof, Michalski (1995)   (1 citation)

.... incremental learning is needed in application areas such as intelligent agents and active vision, the application considered here is a dynamic knowledge based system for computer intrusion detection [10] Quite a bit of research has been conducted in attempts to statistically model user behavior [11, 12, 13, 14]. Statistical models, or profiles, once acquired, are subsequently used to verify that a user's recent behavior is consistent with past behavior. While a statistical approach to this problem is certainly valid, there are advantages to the machine learning approach taken here. These advantages ....

T. F. Lunt, R. Jagannathan, R. Lee, A. Whitehurst, and S. Listgarten, "Knowledge-based intrusion detection," Proceedings of the Annual Artificial Intelligence Systems in Government Conference, pp. 102--107, 1989.


Methods for Intrusion and Fraud Detection in - Ip-Based Multimedia Services

No context found.

T.F. Lunt, R. Jagannathan, R. Lee, A. Whitehurst, and S. Listgarten, Knowledge-based intrusion detection, Proceedings of the 1989.


Intrusion Detection: A Study - Blomqvist, Skantze (1995)   (1 citation)

No context found.

Teresa F. Lunt, R. Jagannathan, Rosanna Lee, and Alan Whitehurst. Knowledge-Based Intrusion Detection. In Proceedings of the 1989 AI Systems in Government Conference, Washington, DC, March 1989.


Anomaly Intrusion Detection Systems: Handling Temporal.. - Seleznyov, Puuronen (1999)   (1 citation)

No context found.

Lunt T., Jagannathan R., Lee R., Whitehurst A., Listgarten S., Knowledge based Intrusion Detection, In Proceedings of the Annual AI Systems in Government Conference (1989), Washington DC.


Towards the Scalable Implementation of a User Level.. - Chinchani, Upadhyaya..

No context found.

T. F. Lunt, R. Jagannathan, R. Lee, A. Whitehurst and S. Listgarten, "Knowledge based Intrusion Detection", Proceedings of Annual AI Systems in Government Conference, Washington D. C., March 1989.


An Application of Pattern Matching in Intrusion Detection - Kumar, Spafford (1994)   (33 citations)

No context found.

Teresa F. Lunt, R. Jagannathan, Rosanna Lee, Alan Whitehurst, and Sherry Listgarten. Knowledge based Intrusion Detection. In Proceedings of the Annual AI Systems in Government Conference, Washington, DC, March 1989.


ASAX: Software Architecture and Rule-Based Language .. - Habra, Le.. (1992)   (21 citations)

No context found.

T.F. Lunt, R. Jagannathan, R. Lee, A. Whitehurst & S. Listgarten "Knowledge Based Intrusion Detection", Proceedings of the 1989 AI Systems in Government Conference, Washington, DC., March 1989.


Classification And Detection Of Computer Intrusions - Kumar (1995)   (48 citations)

No context found.

Teresa F. Lunt, R. Jagannathan, Rosanna Lee, Alan Whitehurst, and Sherry Listgarten. Knowledge based Intrusion Detection. In Proceedings of the Annual AI Systems in Government Conference, Washington, DC, March 1989.


CiteSeer.IST - Copyright Penn State and NEC