IEEE Transactions on Software Engineering - Special issue on computer security and privacy
There is good reason to base intrusion detection on data from the host. Unfortunately, most operating systems do not provide all the data needed in readily available logs. Ironically, perhaps, Windows NT and its successor, Windows 2000, provide much of the necessary data, at least for security events. We have developed a host-based intrusion detector for these platforms that meets the generally accepted criteria for a good Intrusion Detection System. Its architecture is sufficiently flexible to meet these criteria largely by relying on native mechanisms. Where there are identified gaps in the data from the native security event log, they can be filled by data from other sensors using the same event-logging interface. The IDS will also terminate unauthorized processes, delete unauthorized files, and restore deleted or modified files continually, without the lengthy recovery that normally follows a compromise. We call this feature Continual Repair. It is an existence proof that self-regenerative systems are possible.