A Study in the Feasibility of Performing Host-Based Anomaly Detection on Windows NT

Windows NT has become the dominant desktop platform. To date, host-based intrusion detection research has focused on Unix-flavored platforms. As a result, there is a large gap between the platform people use in practice and the platforms on which intrusion detection research is active. In this paper, we examine the feasibility of applying host-based intrusion detection to the Windows NT platform. Specifically, we are interested in applying anomaly detection algorithms to Windows NT processes in order to detect novel attacks against these systems. We describe our previous experiences in program-based anomaly detection on Sun Microsystems' Solaris platform and describe an adaptation of this technique to the Windows NT platform. We describe the relevant issues in performing program-based anomaly detection on the Windows NT platform and the auditing facilities available on the platform for supporting this approach.