Abstraction-based misuse detection: High-level specifications and adaptable strategies

Posted on: 1999-02-24
Degree: Ph.D
Type: Dissertation
University: George Mason University
Candidate: Lin, Jia-Ling
Full Text: PDF
GTID: 1468390014472627
Subject: Computer Science
Abstract/Summary:
It is well-known that it is difficult, perhaps impossible, to build a useful system which is absolutely secure. Furthermore, it is impractical to assume that the vast existing infrastructure of (possibly insecure) computer and network systems will be scrapped in favor of new, secure systems, and such systems may still be vulnerable to insiders misusing their privileges. Intrusion detection has therefore been proposed as the last line of defense to provide security in computer systems. This dissertation studies a model for misuse intrusion detection.

The goal of intrusion detection is to identify, preferably in real time, unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators. A typical misuse detection system consists of a language for describing known techniques of attackers, called misuse signatures, and monitoring programs for detecting the presence of attacks based on these signatures. In most systems, however, misuse signatures are described in terms of a low-level language, e.g., audit records, that either has limited expressiveness or is difficult to use. Moreover, monitoring algorithms are often fixed and are not easy to adapt to changes in the operating environment or in the objectives of the site security officer. This dissertation describes an approach which is aimed at a highly adaptable intrusion detection system. The key idea is to use a formally defined high-level language to describe abstract misuse signatures (MuSigs). This language allows a specification of misuse signatures in a way that is invariant under certain transformations of attack scenarios. A MuSig represents a misuse pattern abstractly rather than in terms of records in an audit trail; hence it is more expressive. It also allows an intuitive adjustment of the behavior of the monitoring programs. This adjustment is done through a set of directives available to the site security officer.
The directives are classified into two types: the system directives are used to map between the abstract MuSigs and the low-level audit records, and the adapting directives are used to lend flexibility to the monitoring strategies. Furthermore, this dissertation develops a cost model to predict the execution time of monitoring strategies so that the site security officer is able to preview the system behavior under different adjustments. Experiments show that the estimates under the cost model highly correlate with the real execution times for a variety of misuse signatures.
Keywords/Search Tags: Misuse, Detection, System, Site security officer