• DocumentCode
    3379495
  • Title

    Intrusion and anomaly detection in trusted systems

  • Author

    Winkler, J.R. ; Page, W.J.

  • Author_Institution
    Planning Res. Corp., McLean, VA, USA
  • fYear
    1989
  • fDate
    4-8 Dec 1989
  • Firstpage
    39
  • Lastpage
    45
  • Abstract
    A real-time network and host security monitor that allows both interactive and automatic audit trail analysis is described. Audit records, i.e. tokens of actual user behavior, are examined in the context of user profiles, i.e. measures of expected behavior. This system combines a set of statistical tools for both interactive and automatic analysis of audit data, an expert system that works in conjunction with the statistical tools, and a hierarchical set of audit indicators which are based on an indications and warning model. The application of the model makes it possible both to collect audit events at a fine level of granularity and to effectively direct intrusion anomaly detection by defining levels of concern. A set of discrete tools, capabilities, and components is implemented in a hybrid design utilizing control concepts from operating systems theory and problem-solving concepts from blackboard artificial-intelligence systems.
  • Keywords
    artificial intelligence; expert systems; real-time systems; security of data; anomaly detection; automatic audit trail analysis; blackboard artificial-intelligence systems; discrete tools; expert system; granularity; host security monitor; interactive trail analysis; intrusion detection; operating systems theory; problem-solving concepts; real-time network; statistical tools; trusted systems; user behavior; user profiles; Computerized monitoring; Data analysis; Data security; Government; Information analysis; Information security; Information systems; Intelligent networks; Intrusion detection; Performance analysis
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Computer Security Applications Conference, 1989., Fifth Annual
  • Conference_Location
    Tucson, AZ
  • Print_ISBN
    0-8186-2006-4
  • Type

    conf

  • DOI
    10.1109/CSAC.1989.81023
  • Filename
    81023