State Transition Analysis: A Rule-Based Intrusion Detection Approach
March 1995 (vol. 21 no. 3)
pp. 181-199
This paper presents a new approach to representing and detecting computer penetrations in real-time. The approach, called state transition analysis, models penetrations as a series of state changes that lead from an initial secure state to a target compromised state. State transition diagrams, the graphical representation of penetrations, identify precisely the requirements for and the compromise of a penetration and present only the critical events that must occur for the successful completion of the penetration. State transition diagrams are written to correspond to the states of an actual computer system, and these diagrams form the basis of a rule-based expert system for detecting penetrations, called the state transition analysis tool (STAT). The design and implementation of a UNIX-specific prototype of this expert system, called USTAT, is also presented. This prototype provides a further illustration of the overall design and functionality of this intrusion detection approach. Lastly, STAT is compared to the functionality of comparable intrusion detection tools.
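The state-transition matching the abstract describes, as an added example that is not the paper's STAT or USTAT code: a constructed two-transition diagram (an access denial followed by a successful access to a file that is still unauthorized for that user), where each signature action is paired with a state assertion checked against a small model of system state. The file, the audit records, the diagram and the event semantics are all assumptions made for this illustration.

```python
# Added example in the spirit of STAT; not the paper's own code.
# A diagram is a list of (signature action, state assertion) pairs. A
# partially matched instance carries variable bindings (user, file) so the
# later transitions refer to the same principals as the earlier ones.

def initial_state():
    # Constructed model of the monitored system: one protected file.
    return {"files": {"/etc/secret": {"owner": "root", "mode": 0o600}}}

def apply_event(state, ev):
    # Keep the state model current as audit records arrive (constructed semantics).
    if ev["type"] == "chmod" and ev["result"] == "success":
        state["files"][ev["path"]]["mode"] = ev["mode"]

def unauthorized(ev, b, state):
    # State assertion: bound user is not the owner and has no world-read access.
    f = state["files"][b["path"]]
    return f["owner"] != b["user"] and (f["mode"] & 0o004) == 0

def denied_open(ev, b, state):
    # Signature action 1: an access denial; binds user and file for later steps.
    if ev["type"] == "open" and ev["result"] == "denied":
        b.update(user=ev["user"], path=ev["path"])
        return True
    return False

def later_open(ev, b, state):
    # Signature action 2: the same user later opens the same file successfully.
    return (ev["type"] == "open" and ev["result"] == "success"
            and ev["user"] == b["user"] and ev["path"] == b["path"])

# initial --denied_open--> S1 --later_open--> compromised. A successful open
# while the file is still unauthorized for that user is the compromised state.
DIAGRAM = [(denied_open, unauthorized), (later_open, unauthorized)]

def run_stat(events, diagram=DIAGRAM):
    """Drive audit records through the diagram; return the bindings of every
    instance that reached the final (compromised) state."""
    state = initial_state()
    instances = [(0, {})]               # (next transition index, bindings)
    alerts = []
    for ev in events:
        apply_event(state, ev)
        for step, b in list(instances):  # copy: instances are forked while iterating
            sig, assertion = diagram[step]
            nb = dict(b)                 # fork so other candidate paths keep matching
            if sig(ev, nb, state) and assertion(ev, nb, state):
                if step + 1 == len(diagram):
                    alerts.append(nb)
                else:
                    instances.append((step + 1, nb))
    return alerts

# Constructed audit trails: the first reaches the compromised state; in the
# second the owner grants world-read before the access, so the assertion fails.
SUSPECT_TRAIL = [
    {"type": "open", "user": "alice", "path": "/etc/secret", "result": "denied"},
    {"type": "open", "user": "alice", "path": "/etc/secret", "result": "success"},
]
BENIGN_TRAIL = [
    {"type": "open", "user": "bob", "path": "/etc/secret", "result": "denied"},
    {"type": "chmod", "user": "root", "path": "/etc/secret", "mode": 0o644, "result": "success"},
    {"type": "open", "user": "bob", "path": "/etc/secret", "result": "success"},
]
```

Because instances are forked rather than consumed, interleaved activity by several users is tracked independently, which is what lets the benign trail pass while the suspect one raises an alert.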


Index Terms:
Security, intrusion detection, expert systems
Citation:
Koral Ilgun, Richard A. Kemmerer, Phillip A. Porras, "State Transition Analysis: A Rule-Based Intrusion Detection Approach," IEEE Transactions on Software Engineering, vol. 21, no. 3, pp. 181-199, March 1995, doi:10.1109/32.372146