-----------------------------------------------------------------------
System Name: ASAX (Advanced Security audit trail Analysis on uniX)

Institution: Facultes Universitaires ND de la Paix, Institut d'Informatique

Contact Reference: A. Mounji
  Institut d'Informatique, rue Grandgagnage, 21
  B-5000 Namur, Belgium
  Tel: +32 81 724987 (Office), +32 81 221803 (Home)
  Fax: +32 81 724967
  E-mail: amo@info.fundp.ac.be

Author(s): B. Le Charlier, A. Mounji, N. Habra, I. Mathieu

Project Start Date: Nov 1991
Project Finish Date: still in progress

System Environment(s): ASAX runs on many Unix machines (SunOS, Ultrix, Sinix, ...).

Version Info: V 1.0

Keywords: audit trail, rule-based language, pattern recognition, anomaly detection.

Brief System Description:
ASAX aims to provide an advanced tool for security audit trail analysis. One key feature of ASAX is its architecture: a universal analysis engine on top of which any audit trail can be analyzed, once its records have been adapted to the engine's canonical format. Another key feature of the ASAX project is RUSSEL (RUle baSed Sequence Evaluation Language), the rule-based language used to express queries on audit trails. RUSSEL is tailor-made for analyzing sequential files in one and only one pass, and its design is a compromise between the efficiency such analysis needs and a suitably declarative style. The language is used to detect real-world security violations such as sequences of failed logins, unauthorized file accesses, creation of suspicious setuid files, Trojan programs, corruption of system files, etc. The tool also supports on-line detection by analyzing audit records on the fly.
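The following is an added illustration of the one-pass, rule-based analysis model described above; it is not code from ASAX and it is Python, not RUSSEL. The audit-trail line format, the record fields, the rule names (login_monitor, setuid_watch) and the sample records are all constructed for this example. Rules are applied to the current record and remain active for the next record only if a rule explicitly re-triggers them (carrying their state as parameters), so the trail, whether a file or a live stream, is read exactly once; a small parse_line function stands in for the "format adaptation" step that maps a raw audit format onto the canonical record.

```python
"""Single-pass, rule-based audit-trail analysis (illustrative, not RUSSEL)."""


class Analyzer:
    """Applies the active rule set to each record, once, in trail order."""

    def __init__(self, initial_rules):
        self.active = list(initial_rules)  # rules applied to the current record
        self.next_active = []              # rules triggered for the next record
        self.alerts = []

    def trigger(self, rule):
        """Schedule a rule (possibly with new parameters) for the next record."""
        self.next_active.append(rule)

    def alert(self, time, message):
        self.alerts.append((time, message))

    def run(self, records):
        # One pass only: `records` may be a file or a generator over a live feed,
        # and no record is ever revisited.
        for rec in records:
            self.next_active = []
            for rule in self.active:
                rule(rec, self)
            self.active = self.next_active
        return self.alerts


def parse_line(line):
    """Format adaptation: map one line of a constructed audit format,
    'HH:MM:SS event user key=value ...', onto the canonical record dict."""
    time, event, user, *rest = line.split()
    rec = {"time": time, "event": event, "user": user}
    for kv in rest:
        key, value = kv.split("=", 1)
        rec[key] = int(value, 8) if key == "mode" else value  # mode is octal
    return rec


def login_monitor(counts, threshold):
    """Rule parameterised by per-user consecutive-failure counts. It re-triggers
    itself with the updated counts, so state travels with the rule."""
    def rule(rec, an):
        new = dict(counts)
        if rec["event"] == "login":
            user = rec["user"]
            if rec["result"] == "fail":
                new[user] = new.get(user, 0) + 1
                if new[user] >= threshold:
                    an.alert(rec["time"],
                             f"{threshold} consecutive failed logins for {user}")
                    new[user] = 0
            else:
                new[user] = 0  # a successful login breaks the sequence
        an.trigger(login_monitor(new, threshold))
    return rule


def setuid_watch(rec, an):
    """Stateless rule: flag any file created or chmod'ed with the setuid bit."""
    if rec["event"] in ("chmod", "create") and rec.get("mode", 0) & 0o4000:
        an.alert(rec["time"],
                 f"setuid file {rec['path']} ({rec['event']} by {rec['user']})")
    an.trigger(setuid_watch)


# Constructed sample trail (not real audit data).
SAMPLE_TRAIL = """\
10:00:01 login alice result=ok
10:00:05 login bob result=fail
10:00:09 login bob result=fail
10:00:12 chmod alice path=/tmp/sh mode=4755
10:00:14 login bob result=fail
10:00:20 login carol result=fail
10:00:25 login carol result=ok
10:00:30 login carol result=fail
10:00:33 login carol result=fail
""".splitlines()


def analyze(lines, threshold=3):
    """Run the rule set over the adapted records in a single pass."""
    an = Analyzer([login_monitor({}, threshold), setuid_watch])
    return an.run(parse_line(line) for line in lines)


if __name__ == "__main__":
    for time, msg in analyze(SAMPLE_TRAIL):
        print(time, msg)
```

On the sample trail this raises two alerts: the setuid chmod at 10:00:12 and bob's third consecutive failure at 10:00:14; carol's failures never reach three because her successful login resets the count. Because the analyzer consumes a generator, the same code would run against records arriving on the fly.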