NADIR: A prototype system for detecting network and file system abuse
This paper describes the design of a prototype computer misuse detection system for the Los Alamos National Laboratory's Integrated Computing Network (ICN). This automated expert system, the Network Anomaly Detection and Intrusion Reporter (NADIR), streamlines and supplements the manual audit record review traditionally performed by security auditors. NADIR compares network activity, as summarized in weekly profiles of individual users and of the ICN as a whole, against expert rules that define security policy, improper or suspicious behavior, and normal user activity. NADIR reports suspicious behavior to security auditors and provides tools to aid in follow-up investigations. This paper describes analysis by NADIR of two types of ICN activity: user authentication and access control, and mass file storage. It highlights system design issues of data handling, exploiting existing auditing systems, and performing audit analysis at the network level.
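The abstract names the architecture (audit records summarized into weekly per-user profiles, then matched against expert rules of three kinds: security policy, suspicious behavior, and normal activity) but not the rules themselves. The following is an added illustration of that pipeline, not code from the NADIR project or the paper: the partition names, the CLEARANCE table, the rule thresholds and the sample audit records are all constructed here, and the three rule classes are hypothetical stand-ins for the categories the abstract lists.

```python
"""Weekly-profile misuse detection in the style described by the NADIR abstract.
Added illustration, not NADIR's code: partition names, the CLEARANCE table, the
rule thresholds and the sample audit records are all constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class AuditRecord:
    when: datetime
    user: str
    event: str          # "auth_ok", "auth_fail" or "file_store"
    partition: str      # hypothetical ICN partition the event touched
    nbytes: int = 0     # bytes written, for file_store events


@dataclass
class WeeklyProfile:
    auth_ok: int = 0
    auth_fail: int = 0
    bytes_stored: int = 0
    partitions: set = field(default_factory=set)


# Hypothetical policy table: partitions each user is cleared to use.
CLEARANCE = {"alice": {"open", "secure"}, "bob": {"open"}}


def week_key(ts):
    year, week, _ = ts.isocalendar()
    return (year, week)


def build_profiles(records):
    """Summarise raw audit records into one profile per (user, ISO week)."""
    profiles = defaultdict(WeeklyProfile)
    for r in records:
        p = profiles[(r.user, week_key(r.when))]
        if r.event == "auth_ok":
            p.auth_ok += 1
        elif r.event == "auth_fail":
            p.auth_fail += 1
        elif r.event == "file_store":
            p.bytes_stored += r.nbytes
        p.partitions.add(r.partition)
    return profiles


def apply_rules(profiles, history_weeks=4):
    """Return (user, week, rule_class, detail) tuples for the auditor's review."""
    by_user = defaultdict(dict)
    for (user, wk), p in profiles.items():
        by_user[user][wk] = p
    findings = []
    for user, weeks in by_user.items():
        ordered = sorted(weeks)
        for i, wk in enumerate(ordered):
            p = weeks[wk]
            # Security-policy rule: activity on a partition the user is not cleared for.
            uncleared = p.partitions - CLEARANCE.get(user, set())
            if uncleared:
                findings.append((user, wk, "policy", f"uncleared partitions {sorted(uncleared)}"))
            # Suspicious-behaviour rule: a week dominated by failed authentications.
            if p.auth_fail >= 5 and p.auth_fail > p.auth_ok:
                findings.append((user, wk, "suspicious",
                                 f"{p.auth_fail} failed vs {p.auth_ok} successful logins"))
            # Normal-activity rule: storage volume far outside this user's own recent weeks.
            prior = [weeks[w].bytes_stored for w in ordered[max(0, i - history_weeks):i]]
            if len(prior) >= 2:
                mu, sd = mean(prior), pstdev(prior)
                if p.bytes_stored > max(2 * mu, mu + 3 * sd):
                    findings.append((user, wk, "anomaly",
                                     f"{p.bytes_stored} bytes stored vs recent mean {mu:.0f}"))
    return findings


def sample_records():
    """Constructed audit trail: alice stores ~100 MB a week, then 1 GB;
    bob has a week of failed logins, then touches the 'secure' partition."""
    monday = datetime(1992, 10, 5)
    recs = []
    for k in range(5):
        day = monday + timedelta(weeks=k)
        recs += [AuditRecord(day, "alice", "auth_ok", "secure") for _ in range(5)]
        recs.append(AuditRecord(day, "alice", "file_store", "secure",
                                1_000_000_000 if k == 4 else 100_000_000))
    recs += [AuditRecord(monday, "bob", "auth_fail", "open") for _ in range(6)]
    recs.append(AuditRecord(monday, "bob", "auth_ok", "open"))
    recs += [AuditRecord(monday + timedelta(weeks=1), "bob", "auth_ok", "secure")
             for _ in range(2)]
    return recs


def run_example():
    return apply_rules(build_profiles(sample_records()))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The point of the weekly granularity, as in the abstract, is that each rule class reads a different thing: the policy rule needs only the current profile plus a static table, the suspicious-behavior rule needs only the current profile, and the normal-activity rule needs the user's own prior weeks as a baseline, so a brand-new user gets no anomaly verdict until enough history exists.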
- Research Organization: Los Alamos National Laboratory (LANL), Los Alamos, NM (United States)
- Sponsoring Organization: USDOE, Washington, DC (United States)
- DOE Contract Number: W-7405-ENG-36
- OSTI ID: 10187351
- Report Number(s): LA-UR-92-3214; CONF-9211108-1; ON: DE93000861
- Resource Relation: Conference: 7. European conference on information systems security, audit, and control, Brussels (Belgium), 16-18 Nov 1992; Other Information: PBD: [1992]
- Country of Publication: United States
- Language: English
Similar Records
- NADIR (Network Anomaly Detection and Intrusion Reporter): A prototype network intrusion detection system
- UNICORN: Misuse detection for UNICOS