A prototype real-time intrusion-detection expert system

The design and implementation of a prototype intrusion-detection expert system (IDES) are described. IDES is based on the concept that an intrusion manifests itself as a departure from expected behavior for a user. The prototype monitors users on a remote system, using audit records that characterize their activities. It adaptively learns the normal behavior of each user and detects and reports anomalous user behavior in real time.<<ETX>>