State Transition Analysis: A Rule-Based Intrusion Detection Approach

The paper presents a new approach to representing and detecting computer penetrations in real time. The approach, called state transition analysis, models penetrations as a series of state changes that lead from an initial secure state to a target compromised state. State transition diagrams, the graphical representation of penetrations, identify precisely the requirements for and the compromise of a penetration and present only the critical events that must occur for the successful completion of the penetration. State transition diagrams are written to correspond to the states of an actual computer system, and these diagrams form the basis of a rule based expert system for detecting penetrations, called the state transition analysis tool (STAT). The design and implementation of a Unix specific prototype of this expert system, called USTAT, is also presented. This prototype provides a further illustration of the overall design and functionality of this intrusion detection approach. Lastly, STAT is compared to the functionality of comparable intrusion detection tools. >

[1]  Phillip A. Porras,et al.  STAT -- A State Transition Analysis Tool For Intrusion Detection , 1993 .

[2]  Koral Ilgun,et al.  USTAT: a real-time intrusion detection system for UNIX , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[3]  James Martin,et al.  Building expert systems: a tutorial , 1988 .

[4]  Hervé Debar,et al.  A neural network component for an intrusion detection system , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[5]  Teresa F. Lunt,et al.  Knowledge-based intrusion detection , 1989, [1989] Proceedings. The Annual AI Systems in Government Conference.

[6]  Shiuh-Pyng Shieh,et al.  A pattern-oriented intrusion-detection model and its applications , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[7]  Eugene H. Spafford,et al.  The COPS Security Checker System , 1990, USENIX Summer.

[8]  Gunar E. Liepins,et al.  Detection of anomalous computer session activity , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[9]  H. S. Teng,et al.  Adaptive real-time anomaly detection using inductively generated sequential patterns , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[10]  J. Noelle McAuliffe,et al.  Is your computer being misused? A survey of current intrusion detection system technology , 1990, [1990] Proceedings of the Sixth Annual Computer Security Applications Conference.

[11]  T.F. Lunt,et al.  Real-time intrusion detection , 1989, Digest of Papers. COMPCON Spring 89. Thirty-Fourth IEEE Computer Society International Conference: Intellectual Leverage.

[12]  Richard A. Kemmerer,et al.  Penetration state transition analysis: A rule-based intrusion detection approach , 1992, [1992] Proceedings Eighth Annual Computer Security Application Conference.

[13]  Harold S. Javitz,et al.  The SRI IDES statistical anomaly detector , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[14]  K. A. Jackson,et al.  An expert system application for network intrusion detection , 1991 .