The author presents the design and implementation of a real-time intrusion detection tool, called USTAT, a state transition analysis tool for UNIX. This is a UNIX-specific implementation of a generic design developed by A. Porras and R.A. Kemmerer (1992) as STAT, a state transition analysis tool. State transition analysis is a new approach to representing computer penetrations. In STAT, a penetration is identified as a sequence of state changes that take the computer system from some initial state to a target compromised state. The development of the first USTAT prototype, which is for SunOS 4.1.1, is discussed. USTAT makes use of the audit trails that are collected by the C2 basic security module of SunOS, and it keeps track of only those critical actions that must occur for the successful completion of the penetration. This approach differs from other rule-based penetration identification tools that pattern match sequences of audit records.<<ETX>>
[1]
Richard Forsyth,et al.
Expert systems: Principles and case studies
,
1984
.
[2]
Gunar E. Liepins,et al.
Detection of anomalous computer session activity
,
1989,
Proceedings. 1989 IEEE Symposium on Security and Privacy.
[3]
Richard A. Kemmerer,et al.
Penetration state transition analysis: A rule-based intrusion detection approach
,
1992,
[1992] Proceedings Eighth Annual Computer Security Application Conference.
[4]
Phillip A. Porras,et al.
STAT -- A State Transition Analysis Tool For Intrusion Detection
,
1993
.
[5]
N. Botten,et al.
Building expert systems — A tutorial
,
1990
.
[6]
Paul Harmon,et al.
Expert systems: tools and applications
,
1988
.