State Transition Analysis: A Rule-Based Intrusion Detection Approach
IEEE Transactions on Software Engineering
Intrusion detection with neural networks
NIPS '97 Proceedings of the 1997 conference on Advances in neural information processing systems 10
The base-rate fallacy and its implications for the difficulty of intrusion detection
CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Mimicry attacks on host-based intrusion detection systems
Proceedings of the 9th ACM conference on Computer and communications security
Hiding Intrusions: From the Abnormal to the Normal and Beyond
IH '02 Revised Papers from the 5th International Workshop on Information Hiding
A Sense of Self for Unix Processes
SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
A model based reasoning approach for generating plausible crime scenarios from evidence
ICAIL '03 Proceedings of the 9th international conference on Artificial intelligence and law
Data mining approaches for intrusion detection
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Intrusion detection using sequences of system calls
Journal of Computer Security
Undermining an anomaly-based intrusion detection system using common exploits
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
AWDRAT: a cognitive middleware system for information survivability
IAAI'06 Proceedings of the 18th conference on Innovative applications of artificial intelligence - Volume 2
| Hi-index | 0.00 |
We argue in favor of the explicit inclusion of suspicion as a concrete concept to be used in the analysis of audit data in order to guide the search for evidence of misuse. Our approach is similar to that of a human forensic analyst, who first notices details that seem slightly odd, and then investigates further and cross checks information in an attempt to build a coherent explanation for the observed details. We use deductive reasoning combined with expert knowledge about system behavior, potential attacks and evidence, and patterns of suspicion to link individual clues together in an automated way.A prototype implementation that was designed based on these considerations is presented, including details of how suspicions and deductions are represented, and how these structures are updated as new evidence is discovered. Finally, we describe how this algorithm performs in practice on a realistic example where five discrete pieces of evidence are brought together automatically to create a unified and coherent description of what is believed to have occurred.