Although a computer system's primary defense is its access controls, computer system access controls cannot be relied upon in most cases to safeguard against a penetration or insider attack. Even the most secure systems are vulnerable to abuse by insiders who misuse their privileges, and audit trails may be the only means of detecting authorized but abusive user activity. While many computer systems collect audit data, most do not have any capability for automated analysis of that data. Moreover, many systems collect large volumes of data that are not necessarily security relevant. To address the need for automated security analysis of audit trails, SRI is developing a real-time intrusion-detection expert system (NIDES). NIDES is an independent system that runs on its own workstation and processes audit data characterizing user activity received from a target system. NIDES provides a system-independent mechanism for real-time detection of security violations, whether they are initiated...

permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of Helsinki University of Technology's products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to pubs-permissions@ieee.org. By choosing to view this document, you agree to all provisions of the copyright laws protecting it.