STAT -- A State Transition Analysis Tool For Intrusion Detection

  • Authors:
  • Phil Porras

  • Affiliations:
  • -

  • Venue:
  • STAT -- A State Transition Analysis Tool For Intrusion Detection
  • Year:
  • 1993

Abstract

This thesis proposes a new approach to representing computer penetrations and applies the approach to the development of a real-time intrusion detection tool. The approach, referred to as penetration state transition analysis, views a penetration as a sequence of state changes that lead a computer system from an initial prerequisite state to a target compromised state. State transitions are defined in terms of critical actions and assertions that describe the pre- and post-action states of the system. A state transition diagram, which is the graphical representation of state transition analysis, identifies precisely the requirements and compromise of a penetration and lists only those critical events that must occur for the successful completion of the penetration. The State Transition Analysis Tool (STAT) is an advanced rule-based expert system that analyzes the audit trails of multi-user computer systems in search of impending security violations. STAT represents state transition diagrams within its rule-base and uses them to seek out those state transitions within the target system that correspond to known penetration scenarios. Unlike comparable analysis tools that pattern match sequences of audit records to the expected audit trails of known penetrations, STAT rules focus on the effects that the individual steps of a penetration have on the state of the computer system. The resulting rule-base is not only more intuitive to read and update than current penetration rule-bases, but also provides greater functionality to detect impending compromises.