Intention modelling: approximating computer user intentions for detection and prediction of intrusions

This paper introduces and describes an innovative modelling approach that uses models synthesised through approximate calculations of user actions and an extensive representation of knowledge about how to perform these actions. The Intention modelling approach is based on theories of cognitive and task modelling as well as on theories of intention, rational action and plan recognition. Intention Models (IMs) have been used in the detection of malicious attacks which usually do not consist of illegal actions, but of a set of actions that are individually acceptable to the system yet may, at a higher level, form non-acceptable task(s). A first effort at implementing these models in a real application was the creation of the UII system, a research prototype that detects anomalous behaviour of network users by reasoning about the characterisation of their intentions. It was developed as an autonomous module within SECURENET, a European-funded programme that aims at defending open computer systems, employing advanced techniques and methodologies.
