On a Pattern-Oriented Model for Intrusion Detection
July-August 1997 (vol. 9 no. 4)
pp. 661-667

Abstract—Operational security problems, which are often the result of access authorization misuse, can lead to intrusion in secure computer systems. We motivate the need for pattern-oriented intrusion detection, and present a model that tracks both data and privilege flows within secure systems to detect context-dependent intrusions caused by operational security problems. The model allows the uniform representation of various types of intrusion patterns, such as those caused by unintended use of foreign programs and input data, imprudent choice of default privileges, and use of weak protection mechanisms. As with all pattern-oriented models, this model cannot be used to detect new, unanticipated intrusion patterns that could be detected by statistical models. For this reason, we expect that this model will complement, not replace, statistical models for intrusion detection.


Index Terms:
Access misuse, audit analysis, context-dependent intrusion, intrusion detection, operational security problems, statistical methods, rule-based methods, secure systems.
Citation:
Shiuh-Pyng Shieh, Virgil D. Gligor, "On a Pattern-Oriented Model for Intrusion Detection," IEEE Transactions on Knowledge and Data Engineering, vol. 9, no. 4, pp. 661-667, July-Aug. 1997, doi:10.1109/69.617059