DocumentCode :
3379495
Title :
Intrusion and anomaly detection in trusted systems
Author :
Winkler, J.R. ; Page, W.J.
Author_Institution :
Planning Res. Corp., McLean, VA, USA
fYear :
1989
fDate :
4-8 Dec 1989
Firstpage :
39
Lastpage :
45
Abstract :
A real-time network and host security monitor that allows both interactive and automatic audit trail analysis is described. Audit records, i.e. tokens of actual user behavior, are examined in the context of user profiles, i.e. measures of expected behavior. This system combines a set of statistical tools for both interactive and automatic analysis of audit data, an expert system that works in conjunction with the statistical tools, and a hierarchical set of audit indicators which are based on an indications and warning model. The application of the model makes it possible both to collect audit events at a fine level of granularity and to effectively direct intrusion anomaly detection by defining levels of concern. A set of discrete tools, capabilities, and components is implemented in a hybrid design utilizing control concepts from operating systems theory and problem-solving concepts from blackboard artificial-intelligence systems.
Keywords :
artificial intelligence; expert systems; real-time systems; security of data; anomaly detection; automatic audit trail analysis; blackboard artificial-intelligence systems; discrete tools; expert system; granularity; host security monitor; interactive trail analysis; intrusion detection; operating systems theory; problem-solving concepts; real-time network; statistical tools; trusted systems; user behavior; user profiles; Computerized monitoring; Data analysis; Data security; Government; Information analysis; Information security; Information systems; Intelligent networks; Intrusion detection; Performance analysis;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Computer Security Applications Conference, 1989., Fifth Annual
Conference_Location :
Tucson, AZ
Print_ISBN :
0-8186-2006-4
Type :
conf
DOI :
10.1109/CSAC.1989.81023
Filename :
81023
Link To Document :