NSTAT: A Model-based Real-time Network Intrusion Detection System

  • Authors:
  • Richard A. Kemmerer

  • Affiliations:
  • -

  • Venue:
  • NSTAT: A Model-based Real-time Network Intrusion Detection System
  • Year:
  • 1998


Abstract

The Reliable Software Group at UCSB has developed a new approach to representing computer penetrations. This approach models penetrations as a series of state transitions described in terms of signature actions and state assertions. State transition representations are written to correspond to the states of an actual computer system, and they form the basis of a rule-based expert system for detecting penetrations. The system is called the State Transition Analysis Tool (STAT). On a network filesystem where the files are distributed on many hosts and where each host mounts directories from the others, actions on each host computer need to be audited. A natural extension of the STAT effort is to run the system on audit data collected by multiple hosts. This means an audit mechanism needs to be run on each host. However, running an implementation of STAT on each host would result in inefficient use of computer resources. In addition, the possibility of having cooperative attacks on different hosts would make detection difficult. Therefore, for the distributed version of STAT, called NSTAT, there is a single STAT process with a single, chronological audit trail. We are currently designing a client/server approach to the problem. The client side has two threads: a producer that reads and filters the audit trail and a consumer that sends it to the server. The server side merges the filtered information from the various clients and performs the analysis.
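To make the client/server design concrete, here is an added Python sketch (not code from the paper or from the STAT/NSTAT project) of the three pieces the abstract names: a client-side filter, the server-side merge of per-host audit records into one chronological trail, and one STAT-style signature of signature actions with state assertions evaluated over that trail. Host names, timestamps, audit records and the signature are constructed, and a common clock across hosts is assumed.

```python
import heapq

# Constructed audit records: (timestamp, host, action, user, target, extra).
# Timestamps are assumed to be on a clock shared by all hosts.
HOST_A = [
    (1, "hostA", "create", "alice", "/nfs/tmp/x", {}),
    (2, "hostA", "read", "carol", "/nfs/doc", {}),      # noise, filtered by client
    (6, "hostA", "exec", "bob", "/nfs/tmp/x", {}),
]
HOST_B = [
    (3, "hostB", "chown", "alice", "/nfs/tmp/x", {"owner": "root"}),
    (4, "hostB", "chmod", "alice", "/nfs/tmp/x", {"mode": 0o4755}),
]
RELEVANT = {"create", "chown", "chmod", "exec"}   # actions any signature refers to

def client_filter(trail, actions):
    """Client producer thread: keep only records relevant to known signatures."""
    return [r for r in trail if r[2] in actions]

def merge_trails(trails):
    """Server side: k-way merge of per-host streams into one chronological trail."""
    return list(heapq.merge(*trails, key=lambda r: r[0]))

def update_state(state, rec):
    """Maintain the modelled system state (per-file owner and mode) from each record."""
    _, _, action, user, target, extra = rec
    f = state.setdefault(target, {"owner": None, "mode": 0o644})
    if action == "create":
        f["owner"] = user
    elif action == "chown":
        f["owner"] = extra["owner"]
    elif action == "chmod":
        f["mode"] = extra["mode"]
    return f

# A state-transition signature: each step is a signature action plus a state
# assertion that must hold after the action is applied to the modelled state.
SETUID_PLANT = [
    lambda rec, f: rec[2] == "create",
    lambda rec, f: rec[2] == "chown" and f["owner"] == "root",
    lambda rec, f: rec[2] == "chmod" and f["mode"] & 0o4000 != 0,
    lambda rec, f: rec[2] == "exec" and f["owner"] == "root" and f["mode"] & 0o4000 != 0,
]

def detect(trail, signature):
    """Advance one step per matching record on the same target; report the hosts involved."""
    state, step, target, hosts = {}, 0, None, []
    for rec in trail:
        f = update_state(state, rec)
        if target is not None and rec[4] != target:
            continue
        if signature[step](rec, f):
            target, step = rec[4], step + 1
            hosts.append(rec[1])
            if step == len(signature):
                return {"file": target, "hosts": hosts}
    return None
```

Run against either host's trail alone, `detect` finds nothing; only the merged chronological trail exposes the sequence spread across hostA and hostB, which is the point the abstract makes about cooperative attacks.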