Results 1 - 7 of 7
ASAX: Software Architecture and Rule-Based Language for Universal Audit Trail Analysis
1992
Cited by 38 (7 self)
Abstract
. After a brief survey of the problems related to audit trail analysis and of some approaches to deal with them, the paper outlines the project ASAX which aims at providing an advanced tool to support such analysis. One key feature of ASAX is its elegant architecture built on top of a universal analysis tool allowing any audit trail to be analysed after a straight format adaptation. Another key feature of the project ASAX is the language RUSSEL used to express queries on audit trails. RUSSEL is a rule-based language which is tailor-made for the analysis of sequential files in one and only one pass. The conception of RUSSEL makes a good compromise with respect to the needed efficiency on the one hand and to the suitable declarative look on the other hand. The language is illustrated by examples of rules for the detection of some representative classical security breaches. 1 Introduction An ideal level of security 1 could be attained by a computer system if the concerned operating system ...
Distributed Audit Trail Analysis
In Proceedings of the ISOC '95 Symposium on Network and Distributed System Security
1994
Cited by 20 (4 self)
Abstract
An implemented system for on-line analysis of multiple distributed data streams is presented. The system is conceptually universal since it does not rely on any particular platform feature and uses format adaptors to translate data streams into its own standard format. The system is as powerful as possible (from a theoretical standpoint) but still efficient enough for on-line analysis thanks to its novel rule-based language (RUSSEL) which is specifically designed for efficient processing of sequential unstructured data streams. In this paper, the generic concepts are applied to security audit trail analysis. The resulting system provides powerful network security monitoring and sophisticated tools for intrusion/anomaly detection. The rule-based and command languages are described as well as the distributed architecture and the implementation. Performance measurements are reported, showing the effectiveness of the approach. 1 Introduction Auditing distributed environments is useful to...
Continuous Assessment of a Unix Configuration: Integrating Intrusion Detection and Configuration Analysis
In Proceedings of the ISOC '97 Symposium on Network and Distributed System Security
1996
Cited by 6 (0 self)
Abstract
Computer security is a topic of growing concern because, on the one hand, the power of computers continues to increase at exponential speed and all computers are virtually connected to each other and because, on the other hand, the lack of reliability of software systems may cause dramatic and unrecoverable damage to computer systems and hence to the newly emerging computerized society. Among the possible approaches to improve the current situation, expert systems have been advocated to be an important one. Typical tasks that such expert systems attempt to achieve include finding system vulnerabilities and detecting malicious behaviours of users. In this paper, we extend our intrusion detection system ASAX with a deductive subsystem that allows us to assess the security level of a software configuration on a real-time basis. By coupling the two subsystems --- intrusion detection and configuration analysis --- we moreover achieve a better tuning of the intrusion detection since the syst...
Detecting Breaches in Computer Security: A Pragmatic System with a Logic Programming Flavor
In Proceedings of the 8th Benelux Workshop on Logic Programming, Louvain-La-Neuve
1996
Cited by 1 (1 self)
Abstract
Computer security is a topic of growing concern because, on the one hand, the power of computers continues to increase at exponential speed and all computers are virtually connected to each other and because, on the other hand, the lack of reliability of software systems may cause dramatic and unrecoverable damage to computer systems and hence to the newly emerging computerized society. Among the possible approaches to improve the current situation, expert systems have been advocated to be an important one. Typical tasks that such expert systems can achieve include evaluating the security level of a software configuration and detecting malicious or incorrect behaviors of users. Logic programming provides a powerful formalism for knowledge representation and deductive reasoning and is therefore a good choice to build such expert systems. However, general implementations of logic programming (e.g., Prolog) can be too complex and too inefficient to be used in a security context, where all...
Advanced Security Audit Trail Analysis on (ASAX also called SAT-X)
1994
Abstract
machine instruction set, p. 27
3.5.1 arithmetic, p. 28
3.5.2 relational, p. 29
3.5.3 assignment, p. 29
3.5.4 audit data presence, p. 30
3.5.5 rule triggering, p. 30
3.5.6 Pre-defined routine call, p. 33
3.5.7 C declarations, p. 34
4 Overview of the syntax analyser implementation, p. 37
4.1 Introduction, p. 37
4.2 Analysis principles, p. 37
4.3 Main global data structures, p. 39
4.3.1 Rule descriptors table, p. 39
4.3.2 Current record table, p. 40
4.3.3 Standard library table ...
Preliminary report on Distributed ASAX
1994
Abstract
this report is to present a distributed on-line system capable of performing efficient, intelligent and network-level analysis of security audit trails in a network of SUN workstations. The distributed system is in fact an extension of ASAX ([1], [2], [3]) whose main features can be summarized by the following:

