IDIOT dissertation

Gene Spafford (spaf@cs.purdue.edu)
Fri, 21 Jul 1995 17:43:39 -0500

(great subject, eh? :-)

My senior student in the COAST group, Sandeep Kumar, deposited his PhD
dissertation two days ago.  It is on his development of the IDIOT
(Intrusion Detection In Our Time) theory and prototype, although he
kept from using the name in the dissertation itself.

The dissertation is available through our publications WWW page:
	http://www.cs.purdue.edu/coast/coast-library.html
It is also available for ftp as:
	ftp://coast.cs.purdue.edu/pub/COAST/papers/kumar-intdet-phddiss.ps.Z

The abstract follows:

Classification and Detection of Computer Intrusions
by Sandeep Kumar, 1995
Advisor: Eugene H. Spafford
Department of Computer Sciences, Purdue University

Some computer security breaches cannot be prevented using access and
information flow control techniques. These breaches may be a consequence
of system software bugs, hardware or software failures, incorrect system
administration procedures, or failure of the system authentication
module. Intrusion detection techniques can have a significant role in the
detection of computer abuse in such cases.

This dissertation describes a pattern matching approach to representing
and detecting intrusions, a hitherto untried approach in this field. We
have classified intrusions on the basis of structural interrelationships
among observable system events.  The classification formalizes detection
of specific exploitations by examining their manifestations in the system
event trace. Thus, we can talk about intrusion signatures belonging to
particular categories in the classification, instead of vulnerabilities
that result in intrusions.

The classification developed in this dissertation can also be used for
developing computational models to detect intrusions in each category by
exploiting the common structural interrelationships of events comprising
the signatures in that category.  We can then look at signatures of
interest that can be matched efficiently, instead of attempting to devise
a comprehensive set of techniques to detect any violation of the security
policy. We define and justify a computational model in which intrusions
from our classification can be represented and matched. We also present
experimental results based on an implementation of the model tested
against real-world intrusions.
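
The abstract's central idea, signatures expressed as structural patterns over an audit event trace and sorted by the relationships among their events, can be illustrated with a small matcher. The following Python is an added example written for this page; it is not the dissertation's model, prototype or code, and the event format (seq, kind, user, obj, mode), the two signature classes, the predicate names and the sample trace are all constructed for the illustration. It shows two categories: an "existence" signature (one event whose own attributes are enough) and a "sequence" signature (an ordered series of events that must additionally agree on bound attributes such as the same user and object).

```python
"""Toy signature matcher over a constructed audit-event trace.

Added illustration, not the dissertation's model: intrusion signatures
as structural patterns over observable system events, grouped by how
their events relate (a single event vs. an ordered, attribute-bound
sequence), matched against a trace in one forward pass.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Event:
    seq: int             # position in the trace
    kind: str            # constructed event kinds: create / open / chmod / exec
    user: str
    obj: str             # object acted on (file or program path)
    mode: Optional[str]  # permission string for chmod events, else None

Predicate = Callable[[Event], bool]
Match = Tuple[str, Tuple[int, ...]]   # (signature name, event seq numbers)

@dataclass(frozen=True)
class ExistenceSignature:
    """Category 1: a single event whose attributes alone signal abuse."""
    name: str
    predicate: Predicate

@dataclass(frozen=True)
class SequenceSignature:
    """Category 2: events that must occur in this order; attributes named
    in `bind` must take the same value in every step of one match."""
    name: str
    steps: Tuple[Predicate, ...]
    bind: Tuple[str, ...] = ()

def match_existence(sig: ExistenceSignature, trace: List[Event]) -> List[Match]:
    return [(sig.name, (e.seq,)) for e in trace if sig.predicate(e)]

def match_sequence(sig: SequenceSignature, trace: List[Event]) -> List[Match]:
    """Report every ordered occurrence of the steps. Partial matches are
    carried forward as (index of next step, events matched so far); a
    candidate that advances is also kept open so overlapping matches
    are not lost (nondeterministic, NFA-style matching)."""
    partial: List[Tuple[int, List[Event]]] = []
    results: List[Match] = []
    for e in trace:
        advanced: List[Tuple[int, List[Event]]] = []
        for idx, matched in partial:
            bound_ok = all(getattr(e, a) == getattr(matched[0], a) for a in sig.bind)
            if sig.steps[idx](e) and bound_ok:
                if idx + 1 == len(sig.steps):
                    results.append((sig.name, tuple(m.seq for m in matched) + (e.seq,)))
                else:
                    advanced.append((idx + 1, matched + [e]))
            advanced.append((idx, matched))      # keep the candidate open
        if sig.steps[0](e):                       # start a fresh candidate
            if len(sig.steps) == 1:
                results.append((sig.name, (e.seq,)))
            else:
                advanced.append((1, [e]))
        partial = advanced
    return results

# Constructed predicates (not from the dissertation).
def is_create(e: Event) -> bool:
    return e.kind == "create"

def is_setuid_chmod(e: Event) -> bool:
    return e.kind == "chmod" and e.mode is not None and e.mode.startswith("4")

def is_exec(e: Event) -> bool:
    return e.kind == "exec"

SETUID_CHMOD = ExistenceSignature("setuid-chmod", is_setuid_chmod)
TMP_SETUID_EXEC = SequenceSignature(
    "tmp-setuid-exec", (is_create, is_setuid_chmod, is_exec), bind=("user", "obj"))

# Constructed sample trace: events 1, 3, 5 form one bound sequence;
# event 7 is a lone setuid chmod with no matching create before it.
TRACE = [
    Event(1, "create", "alice", "/tmp/a.out", None),
    Event(2, "open",   "bob",   "/etc/passwd", None),
    Event(3, "chmod",  "alice", "/tmp/a.out", "4755"),
    Event(4, "chmod",  "bob",   "/home/bob/notes", "0644"),
    Event(5, "exec",   "alice", "/tmp/a.out", None),
    Event(6, "exec",   "bob",   "/usr/bin/mail", None),
    Event(7, "chmod",  "carol", "/tmp/b", "4755"),
]

def detect(trace: List[Event]) -> List[Match]:
    """Run every signature over the trace and return all matches."""
    return match_existence(SETUID_CHMOD, trace) + match_sequence(TMP_SETUID_EXEC, trace)

if __name__ == "__main__":
    for name, seqs in detect(TRACE):
        print(f"{name}: events {seqs}")
```

The point the two signature classes make is the one the abstract draws: the existence signature needs no state at all, whereas the sequence signature needs ordering and attribute binding across events, so each category can be matched by a different, appropriately cheap mechanism rather than by one general-purpose engine.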