State Transition Analysis: A Rule-Based Intrusion Detection Approach
IEEE Transactions on Software Engineering, 1995
Cited by 239 (16 self)
This paper presents a new approach to representing and detecting computer penetrations in real-time. The approach, called state transition analysis, models penetrations as a series of state changes that lead from an initial secure state to a target compromised state. State transition diagrams, the graphical representation of penetrations, identify precisely the requirements for and the compromise of a penetration and present only the critical events that must occur for the successful completion of the penetration. State transition diagrams are written to correspond to the states of an actual computer system, and these diagrams form the basis of a rule-based expert system for detecting penetrations, called the State Transition Analysis Tool (STAT). The design and implementation of a UNIX-specific prototype of this expert system, called USTAT, is also presented. This prototype provides a further illustration of the overall design and functionality of this intrusion detection approach. Lastly, STAT is compared to the functionality of comparable intrusion detection tools.
USTAT: A Real-time Intrusion Detection System for UNIX
1992
Cited by 113 (1 self)
This thesis presents the design and implementation of a real-time intrusion detection tool called Ustat, a State Transition Analysis Tool for UNIX. The original design was first developed by Phillip A. Porras and presented in [Porr91] as STAT, a State Transition Analysis Tool. STAT is a new model for representing computer penetrations, and the model is applied to the development of a real-time intrusion detection tool. In STAT, a penetration is identified as a sequence of state changes that take the computer system from some initial state to a target compromised state. In this document, the development of the first Ustat prototype, which is for SunOS 4.1.1, is described. Ustat makes use of the audit trails that are collected by the C2 Basic Security Module of SunOS, and it keeps track of only those critical actions that must occur for the successful completion of the penetration. This approach differs from other rule...
NetSTAT: A Network-based Intrusion Detection System
Journal of Computer Security, 1999
Cited by 98 (10 self)
Network-based attacks are becoming more common and sophisticated. For this reason, intrusion detection systems are now shifting their focus from the hosts and their operating systems to the network itself. Network-based intrusion detection is challenging because network auditing produces large amounts of data, and different events related to a single intrusion may be visible in different places on the network. This paper presents a new approach that applies the State Transition Analysis Technique (STAT) to network intrusion detection. Network-based intrusions are modeled using state transition diagrams in which states and transitions are characterized in a networked environment. The target network environment itself is represented using a model based on hypergraphs. By using a formal model of both the network to be protected and the attacks to be detected, the approach is able to determine which network events have to be monitored and where they can be monitored, providing automatic suppo...
STATL: An Attack Language for State-based Intrusion Detection
2002
Cited by 95 (14 self)
STATL is an extensible state/transition-based attack description language designed to support intrusion detection. The language allows one to describe computer penetrations as sequences of actions that an attacker performs to compromise a computer system. A STATL description of an attack scenario can be used by an intrusion detection system to analyze a stream of events and detect possible ongoing intrusions. Since intrusion detection is performed in different domains (i.e., the network or the hosts) and in different operating environments (e.g., Linux, Solaris, or Windows NT), it is useful to have an extensible language that can be easily tailored to different target environments. STATL defines domain-independent features of attack scenarios and provides constructs for extending the language to describe attacks in particular domains and environments. The STATL
NetSTAT: A Network-based Intrusion Detection Approach
1998
Cited by 77 (8 self)
Network-based attacks have become common and sophisticated. For this reason, intrusion detection systems are now shifting their focus from the hosts and their operating systems to the network itself. Network-based intrusion detection is challenging because network auditing produces large amounts of data, and different events related to a single intrusion may be visible in different places on the network. This paper presents NetSTAT, a new approach to network intrusion detection. By using a formal model of both the network and the attacks, NetSTAT is able to determine which network events have to be monitored and where they can be monitored.
An Evaluation of Negative Selection in an Artificial Immune System for Network Intrusion Detection
Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), 2001
Cited by 49 (1 self)
This paper investigates the role of negative selection in an artificial immune system (AIS) for network intrusion detection. The work focuses on the use of negative selection as a network traffic anomaly detector. The results of the negative selection algorithm experiments show a severe scaling problem for handling real network traffic data. The paper concludes by suggesting that the most appropriate use of negative selection in the AIS is as a filter for invalid detectors, not the generation of competent detectors.
Practical Architectures for Survivable Systems and Networks: Phase-One Final Report
1999
Cited by 39 (2 self)
This report summarizes the analysis of survivability-related requirements and their interdependence. It also identifies inadequacies in existing commercial systems and the absence of components that hinder the attainment of survivability. It recommends specific architectural structures and other approaches that can help overcome those inadequacies. The field of endeavor addressed in this report is inherently open ended. New research results and new software components are emerging at a rapid pace. For this reason, the report stresses fundamentals, and is intended to be a guide to certain principles and architectural directions whose systematic use can lead to better survivability. In that spirit, the report is intended to serve as a coherent resource from which many further resources can be gleaned by following the cited references and URLs. The report is quite modest in its intent. It does not try to solve all the problems of how to develop, maintain, and use highly survivable syste...
The STAT Tool Suite
In Proceedings of DISCEX 2000, 2000
Cited by 31 (8 self)
This paper describes a suite of intrusion detection tools developed by the Reliable Software Group at UCSB. The tool suite is based on the State Transition Analysis Technique (STAT), in which computer penetrations are specified as sequences of actions that cause transitions in the security state of a system. This general approach has been extended and tailored to perform intrusion detection in different domains and environments. The most recent STAT-based intrusion detection systems were developed following a framework-based approach, and the resulting design uses a "core" module that embodies the domain-independent characteristics of the STAT approach. This generic core is extended in a well-defined way to implement intrusion detection systems for different domains and environments. The approach supports reuse, portability, and extendibility, and it allows for the optimization of critical functionalities.
Log Auditing through Model-Checking
In Proceedings of the 14th IEEE Computer Security Foundations Workshop (CSFW'01), 2001
Cited by 27 (2 self)
Log auditing is a basic intrusion detection mechanism, whereby attacks are detected by uncovering matches of sequences of events against signatures. We argue that this problem is naturally expressed as a model-checking problem against linear Kripke models. A variant of the classic linear time temporal logic of Manna and Pnueli with first-order variables is first investigated in this framework. In passing, we show that model-checking this logic against linear models is NP-complete (polynomial-time in the propositional case), which contrasts with the fact that it is PSPACE-complete against general models. Despite this improvement, this logic is in dire need of refinement, as far as expressiveness and efficiency are concerned. We therefore propose a second, less standard logic consisting of flat, Wolper-style linear-time formulae. We describe an efficient online algorithm, making the approach attractive for complex log auditing tasks. We present a few optimizations that the use of a formal semantics affords us, using abstract interpretation techniques, and report briefly on preliminary practical experience.
Abstraction-Based Misuse Detection: High-Level Specifications and Adaptable Strategies
In Proceedings of the 11th Computer Security Foundations Workshop, 1998
Cited by 26 (7 self)
Jia-Ling Lin, X. Sean Wang, Sushil Jajodia. Center for Secure Information Systems, George Mason University, Fairfax, VA 22030-4444. {jllin,xywang,jajodia}@gmu.edu, http://isse.gmu.edu/csis
A typical misuse detection system contains (1) a language for describing known techniques (called misuse signatures) used by attackers to penetrate the target system, and (2) monitoring programs for detecting the presence of an attack based on the given misuse signatures. In most of the systems that have appeared in the literature, however, the description of misuses is often in terms of a low-level language (i.e., in terms of audit records of the target system) that either has limited expressiveness or is difficult to use. Moreover, the monitoring algorithms are often fixed and do not adapt to a changing operating environment or to the objectives of the site security officer. To overcome these limitations, this paper defines a ...

