states of an actual computer system, and these diagrams form the basis of a rule-based expert system for detecting penetrations, called the state transition analysis tool (STAT) [18]. The STAT prototype is implemented as the UNIX state transition analysis tool (USTAT) [19] on UNIX-based systems.
The keystroke monitoring technique uses a user's keystrokes to detect an intrusion attempt. The main approach is to pattern-match the sequence of keystrokes against predefined sequences that characterize known attacks. The main problem with this approach is the lack of operating-system support for capturing keystroke sequences. Furthermore, there are many ways of expressing the same attack as a sequence of keystrokes. Shells such as bash and ksh let the user define aliases, and these aliases make it difficult to detect intrusion attempts with this technique unless some semantic analysis of the commands is performed. Automated attacks by malicious executables cannot be detected by this technique at all, since it analyzes only keystrokes.
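The alias problem described above, as an added example (not code from the original text or from any of the cited tools): a small keystroke matcher run over a constructed shell session. With semantic=False it matches each typed line verbatim, the naive keystroke-matching approach; with semantic=True it records alias definitions and expands them before matching, the minimal semantic analysis the paragraph calls for. The signature name, the log lines and the alias syntax handled are assumptions made for the example.

```python
import re
import shlex

# Constructed keystroke log for this example: one command line per entry,
# as a keystroke monitor might reconstruct it from a user's shell session.
# The alias on the first line is what a naive matcher misses.
KEYSTROKE_LOG = [
    "alias sh2='cat /etc/shadow'",
    "ls -la /home",
    "sh2",
    "cat /etc/shadow",
]

# Hypothetical signatures: regexes over a (normalized) command line.
SIGNATURES = {
    "shadow-read": re.compile(r"^cat\s+/etc/shadow\b"),
}

ALIAS_RE = re.compile(r"^alias\s+([A-Za-z_][\w-]*)=(.*)$")


def parse_alias(line):
    """Return (name, expansion) for a bash/ksh style `alias name='cmd'` line,
    or None if the line does not define an alias."""
    m = ALIAS_RE.match(line.strip())
    if not m:
        return None
    name, value = m.group(1), m.group(2)
    try:
        words = shlex.split(value)  # strips the shell quoting around the body
    except ValueError:  # unbalanced quotes: not a usable definition
        return None
    return name, " ".join(words)


def expand(line, aliases):
    """Replace a leading alias word with its definition. One level is enough
    for this example; bash also checks the replacement text for aliases."""
    words = line.strip().split(maxsplit=1)
    if not words:
        return line
    head, rest = words[0], (words[1] if len(words) > 1 else "")
    head = aliases.get(head, head)
    return (head + " " + rest).strip()


def match_keystrokes(log, semantic=True):
    """Scan a keystroke log and return (line_index, signature_name) hits.

    semantic=False matches each line verbatim (naive keystroke matching);
    semantic=True tracks alias definitions and expands them before matching."""
    aliases = {}
    hits = []
    for i, line in enumerate(log):
        if semantic:
            parsed = parse_alias(line)
            if parsed:
                aliases[parsed[0]] = parsed[1]
                continue  # defining an alias is not itself the attack
            line = expand(line, aliases)
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    print("naive:   ", match_keystrokes(KEYSTROKE_LOG, semantic=False))
    print("semantic:", match_keystrokes(KEYSTROKE_LOG, semantic=True))
```

The naive pass reports only the last line, where the user typed the full command; the semantic pass also reports line 2, where the same command was issued through the alias. Even this expansion step is only partial semantic analysis: `/bin/cat /etc/shadow`, a shell function, or a script that reads the file would all still slip past the single signature, which is the "many ways of expressing the same attack" problem the text raises.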
In an expert system, knowledge about a problem domain is represented by a set of rules. Each rule has two parts: an antecedent, which defines when the rule should be applied, and a consequent, which defines the action(s) to be taken when the antecedent is satisfied. A rule fires when pattern-matching determines that the observed data matches the antecedent of the rule. Rules may recognize single auditable events that by themselves represent a significant danger to the system, or they may recognize a sequence of events that represents an entire penetration scenario. The expert system method has some disadvantages. An intrusion scenario that does not trigger any rule will not be detected by the rule-based approach. Maintaining and updating a complex rule-based system can be difficult. Since the rules have to be formulated by a security professional, the system's performance depends on the quality of those rules.

The model-based approach attempts to model intrusions at a higher level of abstraction than audit trail records. The objective is to build scenario models that represent the characteristic behavior of intrusions. This allows administrators to describe a penetration abstractly, shifting the burden of determining which audit records are part of a suspect sequence onto the expert system. This technique differs from current rule-based expert system techniques, which simply attempt to pattern-match audit records against expert rules.
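The rule-based detector described above, as an added example that is not code from the original text, from STAT/USTAT or from any other cited system: a minimal rule engine fed a constructed audit trail. Single-event rules carry an antecedent (a predicate over one record) and a consequent (the action); scenario rules carry an ordered list of step predicates and fire only when all steps are satisfied in order for the same key, which is the "sequence of events that represents an entire penetration scenario" case. The audit record format, the three rules and the alert text are assumptions made for the example; the rule base is deliberately small so that the stated weakness is visible: whatever the rules do not encode is not detected.

```python
# Constructed audit trail for this example: simplified records in the spirit
# of a UNIX audit log (not real data). Fields: sequence number, user, event,
# target object and result.
AUDIT_TRAIL = [
    {"seq": 1, "user": "alice", "event": "login",  "target": "tty1",        "result": "ok"},
    {"seq": 2, "user": "bob",   "event": "su",     "target": "root",        "result": "fail"},
    {"seq": 3, "user": "bob",   "event": "su",     "target": "root",        "result": "fail"},
    {"seq": 4, "user": "bob",   "event": "su",     "target": "root",        "result": "fail"},
    {"seq": 5, "user": "alice", "event": "create", "target": "/tmp/x",      "result": "ok"},
    {"seq": 6, "user": "alice", "event": "chown",  "target": "/tmp/x",      "result": "ok"},
    {"seq": 7, "user": "alice", "event": "chmod",  "target": "/tmp/x",      "result": "ok"},
    {"seq": 8, "user": "alice", "event": "exec",   "target": "/tmp/x",      "result": "ok"},
    {"seq": 9, "user": "bob",   "event": "write",  "target": "/etc/passwd", "result": "ok"},
]


class Rule:
    """Single-event rule: the antecedent is tested against one audit record
    and the consequent runs when it is satisfied."""

    def __init__(self, name, antecedent, consequent):
        self.name = name
        self.antecedent = antecedent
        self.consequent = consequent

    def feed(self, rec):
        return self.consequent(rec) if self.antecedent(rec) else None


class SequenceRule:
    """Scenario rule: the antecedent is an ordered list of step predicates
    that must be satisfied, in order, by records sharing the same key (for
    example the same user acting on the same file). Unrelated records in
    between are ignored rather than resetting the partial match."""

    def __init__(self, name, key, steps, consequent):
        self.name = name
        self.key = key
        self.steps = steps
        self.consequent = consequent
        self.progress = {}  # key -> index of the next step expected

    def feed(self, rec):
        k = self.key(rec)
        idx = self.progress.get(k, 0)
        if self.steps[idx](rec):
            idx += 1
            if idx == len(self.steps):
                self.progress[k] = 0  # scenario complete: fire and start over
                return self.consequent(rec)
            self.progress[k] = idx
        return None


def default_rules():
    """Hypothetical rule base, standing in for the rules a security
    professional would write; the detector knows only what these encode."""
    su_failed = lambda r: r["event"] == "su" and r["result"] == "fail"
    return [
        Rule("passwd-write",
             lambda r: r["event"] == "write" and r["target"] == "/etc/passwd"
             and r["user"] != "root",
             lambda r: "ALERT: %s wrote /etc/passwd" % r["user"]),
        SequenceRule("su-bruteforce",
                     key=lambda r: r["user"],
                     steps=[su_failed] * 3,
                     consequent=lambda r: "ALERT: 3 failed su by %s" % r["user"]),
        SequenceRule("setuid-scenario",
                     key=lambda r: (r["user"], r["target"]),
                     steps=[lambda r: r["event"] == "create",
                            lambda r: r["event"] == "chown",
                            lambda r: r["event"] == "chmod",
                            lambda r: r["event"] == "exec"],
                     consequent=lambda r: "ALERT: setuid scenario on %s by %s"
                     % (r["target"], r["user"])),
    ]


def run_rules(trail, rules):
    """Feed each audit record to every rule; return (seq, rule_name, action)
    for every rule that fired."""
    alerts = []
    for rec in trail:
        for rule in rules:
            action = rule.feed(rec)
            if action is not None:
                alerts.append((rec["seq"], rule.name, action))
    return alerts


if __name__ == "__main__":
    for seq, name, action in run_rules(AUDIT_TRAIL, default_rules()):
        print(seq, name, action)
```

Run against the sample trail, the engine fires the brute-force rule at record 4, the setuid scenario at record 8 and the single-event rule at record 9. Dropping the two scenario rules leaves only the record 9 alert: records 2 to 8 are still in the trail, but nothing encodes them as an intrusion, which is exactly the "scenario that does not trigger a rule" limitation. The scenario rule is also the nearest thing here to the model-based approach: the administrator states the steps abstractly and the engine does the work of deciding which audit records belong to the sequence.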