Using Unix system auditing for detecting network intrusions
Intrusion Detection Systems (IDSs) are designed to detect actions of individuals who use computer resources without authorization as well as legitimate users who exceed their privileges. This paper describes a novel approach to IDS research, namely a decision aiding approach to intrusion detection. The introduction of a decision tree represents the logical steps necessary to distinguish and identify different types of attacks. This tool, the Intrusion Decision Aiding Tool (IDAT), utilizes IDS-based attack models and standard Unix audit data. Since attacks have certain characteristics and are based on already developed signature attack models, experienced and knowledgeable Unix system administrators know what to look for in system audit logs to determine if a system has been attacked. Others, however, are usually less able to recognize common signatures of unauthorized access. Users can traverse the tree using available audit data displayed by IDAT and general knowledge they possess to reach a conclusion regarding suspicious activity. IDAT is an easy-to-use window based application that gathers, analyzes, and displays pertinent system data according to Unix attack characteristics. IDAT offers a more practical approach and allows the user to make an informed decision regarding suspicious activity.
- Research Organization:
- Lawrence Livermore National Lab., CA (United States)
- Sponsoring Organization:
- USDOE, Washington, DC (United States)
- DOE Contract Number:
- W-7405-ENG-48
- OSTI ID:
- 10175222
- Report Number(s):
- UCRL-JC-113562; CONF-9305151-9; ON: DE93017186; TRN: 93:002691
- Resource Relation:
- Conference: 15. computer security group training conference: mission possible - connected and protected,Albuquerque, NM (United States),3-6 May 1993; Other Information: PBD: Mar 1993
- Country of Publication:
- United States
- Language:
- English
Similar Records
A Unix system decision aiding tool for detecting network intrusions
Verifying the secure setup of Unix client/servers and detection of network intrusion