
Showing papers on "Intrusion detection system published in 1995"


Journal ArticleDOI
TL;DR: The paper presents a new approach to representing and detecting computer penetrations in real time, called state transition analysis, which models penetrations as a series of state changes that lead from an initial secure state to a target compromised state.
Abstract: The paper presents a new approach to representing and detecting computer penetrations in real time. The approach, called state transition analysis, models penetrations as a series of state changes that lead from an initial secure state to a target compromised state. State transition diagrams, the graphical representation of penetrations, identify precisely the requirements for and the compromise of a penetration and present only the critical events that must occur for the successful completion of the penetration. State transition diagrams are written to correspond to the states of an actual computer system, and these diagrams form the basis of a rule based expert system for detecting penetrations, called the state transition analysis tool (STAT). The design and implementation of a Unix specific prototype of this expert system, called USTAT, is also presented. This prototype provides a further illustration of the overall design and functionality of this intrusion detection approach. Lastly, STAT is compared to the functionality of comparable intrusion detection tools.

844 citations


01 Jan 1995
TL;DR: This paper presents a software architecture for structuring a pattern matching solution to misuse intrusion detection based on Colored Petri Nets, and describes the abstract classes encapsulating generic functionality and the inter-relationships between the classes.
Abstract: Misuse Intrusion Detection has traditionally been understood in the literature as the detection of specific, precisely representable techniques of computer system abuse. Pattern matching is well disposed to the representation and detection of such abuse. Each specific method of abuse can be represented as a pattern and many of these can be matched simultaneously against the audit logs generated by the OS kernel. Using relatively high level patterns to specify computer system abuse relieves the pattern writer from having to understand and encode the intricacies of pattern matching into a misuse detector. Patterns represent a declarative way of specifying what needs to be detected, instead of specifying how it should be detected. We have devised a model of matching based on Colored Petri Nets specifically targeted for misuse intrusion detection. In this paper we present a software architecture for structuring a pattern matching solution to misuse intrusion detection. In the context of an object oriented prototype implementation we describe the abstract classes encapsulating generic functionality and the inter-relationships between the classes.

246 citations


01 Jan 1995
TL;DR: This paper shows how an intrusion detection system can be implemented using autonomous agents, how these agents can be built using Genetic Programming, and how Automatically Defined Functions (ADFs) can be used to evolve genetic programs that contain multiple data types and yet retain type-safety.
Abstract: This paper presents a potential solution to the intrusion detection problem in computer security. It uses a combination of work in the fields of Artificial Life and computer security. It shows how an intrusion detection system can be implemented using autonomous agents, and how these agents can be built using Genetic Programming. It also shows how Automatically Defined Functions (ADFs) can be used to evolve genetic programs that contain multiple data types and yet retain type-safety. Future work arising from this is also discussed.

222 citations



Patent
28 Mar 1995
TL;DR: In this article, an intelligent area monitoring system having a field sensor, a neural network computer, and a communications apparatus is disclosed, which has the capability of detecting and monitoring the location and identity of people, animals, and objects within an indoor or outdoor area for the purpose of intrusion detection, theft deterrence, and accident prevention.
Abstract: An intelligent area monitoring system having a field sensor, a neural network computer, and a communications apparatus is disclosed. The system has the capability of detecting and monitoring the location and identity of people, animals, and objects within an indoor or outdoor area for the purpose of intrusion detection, theft deterrence, and accident prevention. The neural network computer accepts the input signals from the field sensor and forms a virtual model of the monitored area from the input. Any changes that occur within the monitored area are communicated to system users. The sensors can be active or passive, analog or binary, and the system is optimally configured with a mix of different sensor types such as vibration, sound, infrared, optical, microwave, and ultrasonic. Each analog sensor provides an analog output which varies in proportion to the size and distance of its target. After monitoring changes in the space being monitored and identifying various objects within the space, the neural network computer communicates such information to the user.

96 citations


Proceedings ArticleDOI
16 Feb 1995
TL;DR: An implemented system for on-line analysis of multiple distributed data streams is presented, providing powerful network security monitoring and sophisticated tools for intrusion/anomaly detection thanks to its novel rule-based language (RUSSEL), specifically designed for efficient processing of sequential unstructured data streams.
Abstract: An implemented system for on-line analysis of multiple distributed data streams is presented. The system is conceptually universal since it does not rely on any particular platform feature and uses format adaptors to translate data streams into its own standard format. The system is as powerful as possible (from a theoretical standpoint) but still efficient enough for on-line analysis thanks to its novel rule-based language (RUSSEL) which is specifically designed for efficient processing of sequential unstructured data streams. The generic concepts are applied to security audit trail analysis. The resulting system provides powerful network security monitoring and sophisticated tools for intrusion/anomaly detection. The rule-based and command languages are described as well as the distributed architecture and the implementation. Performance measurements are reported, showing the effectiveness of the approach.

65 citations


Proceedings ArticleDOI
18 Oct 1995
TL;DR: A range of fibre optic sensors are used in intrusion detection where the natural benefits of the material are matched by parallel developments in support technologies and applications experience.
Abstract: For many years optical fibre was the answer looking for the question. Now, after years of product applications and continued development, a range of fibre optic sensors are used in intrusion detection where the natural benefits of the material are matched by parallel developments in support technologies and applications experience. This paper describes some developments and applications in sensors and systems.

22 citations



Journal ArticleDOI
TL;DR: In conclusion, neural networks were proved to be efficient and practical devices for computer virus recognition and classification, in certain environments.

21 citations


01 Nov 1995
TL;DR: A learning architecture based on Variable-Valued Logic, the Star Methodology, and the AQ algorithm is proposed that shows significant advantages in learning speed and memory requirements with only slight decreases in predictive accuracy and concept simplicity when compared to traditional batch-style learning.
Abstract: This paper addresses the problem of learning evolving concepts, that is, concepts whose meaning gradually evolves in time. Solving this problem is important to many applications, for example, building intelligent agents for helping users in Internet search, active vision, automatically updating knowledge-bases, or acquiring profiles of users of telecommunication networks. Requirements for a learning architecture supporting such applications include the ability to incrementally modify concept definitions to accommodate new information, fast learning and recognition rates, low memory needs, and the understandability of computer-created concept descriptions. To address these requirements, we propose a learning architecture based on Variable-Valued Logic, the Star Methodology, and the AQ algorithm. The method uses a partial-memory approach, which means that in each step of learning, the system remembers the current concept descriptions and specially selected representative examples from the past experience. The developed method has been experimentally applied to the problem of computer system intrusion detection. The results show significant advantages of the method in learning speed and memory requirements with only slight decreases in predictive accuracy and concept simplicity when compared to traditional batch-style learning in which all training examples are provided at once.

19 citations


Journal ArticleDOI
TL;DR: It is shown how the model can be used to help in setting optimal intrusion-detection thresholds, which will provide the best intrusion coverage with the minimum false positive rate.

Proceedings ArticleDOI
05 Nov 1995
TL;DR: The proposed partial-memory incremental learning method is applied to the problem of computer intrusion detection in which symbolic profiles are learned for a computer system's users at the expense of slightly lower predictive accuracy and higher concept complexity, when compared to batch learning.
Abstract: This paper describes a partial-memory incremental learning method based on the AQ15c inductive learning system. The method maintains a representative set of past training examples that are used together with new examples to appropriately modify the currently held hypotheses. Incremental learning is evoked by feedback from the environment or from the user. Such a method is useful in applications involving intelligent agents acting in a changing environment, active vision, and dynamic knowledge-bases. For this study, the method is applied to the problem of computer intrusion detection in which symbolic profiles are learned for a computer system's users. In the experiments, the proposed method yielded significant gains in terms of learning time and memory requirements at the expense of slightly lower predictive accuracy and higher concept complexity, when compared to batch learning, in which all examples are given at once.

Proceedings ArticleDOI
08 Dec 1995
TL;DR: The UNICOS Real-time NADIR, or UNICORN, summarizes user activity and system configuration information in statistical profiles and can compare current activity to historical profiles and test activity against expert rules that express security policy and define improper or suspicious behavior.
Abstract: An effective method for detecting computer misuse is the automatic auditing and analysis of on-line user activity. This activity is reflected in the system audit record, by changes in the vulnerability posture of the system configuration, and in other evidence found through active testing of the system. In 1989 we started developing an automatic misuse detection system for the Integrated Computing Network (ICN) at Los Alamos National Laboratory. Since 1990 this system has been operational, monitoring a variety of network systems and services. We call it the Network Anomaly Detection and Intrusion Reporter, or NADIR. During the last year and a half, we expanded NADIR to include processing of audit and activity records for the Cray UNICOS operating system. This new component is called the UNICOS Real-time NADIR, or UNICORN. UNICORN summarizes user activity and system configuration information in statistical profiles. In near real-time, it can compare current activity to historical profiles and test activity against expert rules that express our security policy and define improper or suspicious behavior. It reports suspicious behavior to security auditors and provides tools to aid in follow-up investigations. UNICORN is currently operational on four Crays in Los Alamos' main computing network, the ICN.

Journal ArticleDOI
TL;DR: This article presents a multivariate data analysis technique that is a nice mathematical tool for the analysis of user behavior patterns in intrusion detection and presents a system that records all user activities in each login session and identifies abnormal sessions when the monitoring data are analyzed.

Proceedings ArticleDOI
16 May 1995
TL;DR: The development of integrated circuit fabrication techniques and the resulting devices have contributed more to the advancement of exterior intrusion detectors and alarm assessment devices than any other technology as mentioned in this paper, and the availability of this technology has led to the improvements in and further development of smaller more powerful computers, microprocessors, solid-state memories, solid state cameras, thermal imagers, low power lasers, and shorter pulse width and higher frequency electronic circuitry.
Abstract: The development of integrated circuit fabrication techniques and the resulting devices have contributed more to the advancement of exterior intrusion detectors and alarm assessment devices than any other technology. The availability of this technology has led to the improvements in and further development of smaller more powerful computers, microprocessors, solid state memories, solid state cameras, thermal imagers, low-power lasers, and shorter pulse width and higher frequency electronic circuitry. This paper presents information on planning a perimeter intrusion detection system, identifies the site characteristics that affect its performance, and describes improvements to perimeter intrusion detection sensors and assessment devices that have been achieved by using integrated circuit technology.

01 Mar 1995
TL;DR: Experimental results suggest that AQ15c has several advantages over other methods in terms of predictive accuracy, incremental learning, learning and recognition times, the types of concepts induced by the method, and thetypes of data from which these methods can learn.
Abstract: This paper discusses work in progress and introduces a partial memory incremental learning methodology. The incremental learning architecture uses hypotheses induced from training examples to determine representative examples, which are maintained for future learning. Criticism and reinforcement from the environment or the user invoke incremental learning once the system is deployed. Such an architecture and development methodology is necessary for applications involving intelligent agents, active vision, and dynamic knowledge-bases. For this study, the methodology is applied to the problem of computer intrusion detection. Several experimental comparisons are made using batch and incremental learning between AQ15c, a feed-forward neural network, and k-nn. Experimental results suggest that AQ15c has several advantages over other methods in terms of predictive accuracy, incremental learning, learning and recognition times, the types of concepts induced by the method, and the types of data from which these methods can learn.

Proceedings ArticleDOI
01 Sep 1995
TL;DR: A highly adaptive video motion detection and tracking algorithm that provides good performance under stressing data and environmental conditions is described.
Abstract: Studies show that vigilance decreases rapidly after several minutes when human operators are required to search live video for infrequent intrusion detections. Therefore, there is a need for systems which can automatically detect targets in live video and reserve the operator's attention for assessment only. Thus far, automated systems have not simultaneously provided adequate detection sensitivity, false alarm suppression, and ease of setup when used in external, unconstrained environments. This unsatisfactory performance can be exacerbated by poor video imagery with low contrast, high noise, dynamic clutter, image misregistration, and/or the presence of small, slow, or erratically moving targets. This paper describes a highly adaptive video motion detection and tracking algorithm which has been developed as part of Sandia's Advanced Exterior Sensor (AES) program. The AES is a wide-area detection and assessment system for use in unconstrained exterior security applications. The AES detection and tracking algorithm provides good performance under stressing data and environmental conditions. Features of the algorithm include: reliable detection with negligible false alarm rate of variable velocity targets having low signal-to-clutter ratios; reliable tracking of targets that exhibit motion that is non-inertial, i.e., varies in direction and velocity; automatic adaptation to both infrared and visible imagery with variable quality; and suppression of false alarms caused by sensor flaws and/or cutouts.

Proceedings ArticleDOI
18 Jun 1995
TL;DR: The simulator is used in order to test a generic intrusion detection architecture for mobile networks and the modular approach adopted for the GSM simulator and the functional architecture allow the network model part of the program to be easily ported to various applications.
Abstract: We present a mobile network simulator which has been developed in accordance to the GSM phase 1 technical specifications. The resulting platform is able to simulate the whole network as well as the mobile stations at the protocol level. The modular approach adopted for the GSM simulator and the functional architecture allow the network model part of the program to be easily ported to various applications. The simulator is used in order to test a generic intrusion detection architecture for mobile networks. Other applications based on the layer-3 signalling analysis could easily be implemented with such a platform.

Proceedings ArticleDOI
18 Oct 1995
TL;DR: The design and potential applications of a 360-degree scanning, multi-spectral intrusion detection sensor that simultaneously uses three sensing technologies (infrared, visible, and radar) along with advanced data processing methods to provide low false-alarm intrusion detection, tracking, and immediate visual assessment are presented.
Abstract: This paper presents an overview of the design and potential applications of a 360-degree scanning, multi-spectral intrusion detection sensor. This moderate-resolution, true panoramic imaging sensor is intended for exterior use at ranges from 50 to 1500 meters. This Advanced Exterior Sensor (AES) simultaneously uses three sensing technologies (infrared, visible, and radar) along with advanced data processing methods to provide low false-alarm intrusion detection, tracking, and immediate visual assessment. The images from the infrared and visible detector sets and the radar range data are updated as the sensors rotate once per second. The radar provides range data with one-meter resolution. This sensor has been designed for easy use and rapid deployment to cover wide areas beyond or in place of typical perimeters, and tactical applications around fixed or temporary high-value assets. AES prototypes are in development. Applications discussed in this paper include replacements, augmentations, or new installations at fixed sites where topological features, atmospheric conditions, environmental restrictions, ecological regulations, and archaeological features limit the use of conventional security components and systems.

Proceedings ArticleDOI
M. Horner
18 Oct 1995
TL;DR: The aim of the AMETHYST project is to encourage the development of a high performance perimeter intrusion detection system by combining Intelligent Scene Monitoring or Video Motion Detection technology with another detection system to produce a detection system with a high probability of detection and low false alarm rate.
Abstract: The aim of the AMETHYST project (AutoMatic Event auTHentication SYSTems) is to encourage the development of a high performance perimeter intrusion detection system by combining Intelligent Scene Monitoring (ISM) or Video Motion Detection (VMD) technology with another detection system. The two systems would complement each other to produce a detection system with a high probability of detection and low false alarm rate. The performance of Perimeter Intrusion Detection Systems (PIDS) is often poor at sites with long perimeters, with extreme weather conditions and requiring a high probability of detection. Video based detection systems (ISM and VMD) are improving in sophistication and performance. Despite this there are still limitations with video based detection. Firstly, it may be several years before the video PIDS achieve the performance required for long perimeters. Secondly, when there is no video, for example in fog, there is no detection. There is potential for combining video detection with another sensor to reduce the disadvantages of video whilst retaining its advantages. A non-video PIDS would be used to detect intrusions. On alarm a sequence of CCTV images would be captured by a loop framestore system. A Targeted Automatic Verification Aid (TAVA) would then be used to decide if there was suspicious activity in the alarm sequence. Many false alarms have no visible cause, so a TAVA would filter these out. The false alarm rate would be lower than with a normal VMD as a TAVA would need to assess only alarm sequences. If there is no video or it is too foggy the TAVA would 'fail safe' by signalling the alarm from the non-video PIDS. A TAVA could use more sophisticated processing than a VMD and still be cheaper, because it could target the processing. PSDB is planning to collect alarm sequences from sites with a non-video PIDS and a loop framestore connected to the CCTV system. These sequences will be used to prove the concept and evaluate the performance of a TAVA.

Book ChapterDOI
01 Jan 1995
TL;DR: It is the authors' opinion that the security community should draw on the techniques developed by the fault-tolerance community to a significant extent; presently, there seems to be less opportunity for transfer in the other direction.
Abstract: It is our opinion that the security community should draw on the techniques developed by the fault-tolerance community to a significant extent; presently, there seems to be less opportunity for transfer in the other direction. The fault-tolerance community has given significant attention to the development of systems where reliability is a key requirement which pervades all aspects of the design. Security, although clearly a requirement, is often achieved through retrofitting, e.g. intrusion detection, and firewalls.

Proceedings ArticleDOI
18 Oct 1995
TL;DR: The paper describes a highly adaptive video motion detection and tracking algorithm which has been developed as part of Sandia's Advanced Exterior Sensor (AES) program and provides good performance under stressing data and environmental conditions.
Abstract: Studies show that vigilance decreases rapidly after several minutes when human operators are required to search live video for infrequent intrusion detections. Therefore, there is a need for systems which can automatically detect targets in live video and reserve the operator's attention for assessment only. Thus far, automated systems have not simultaneously provided adequate detection sensitivity, false alarm suppression, and ease of setup when used in external, unconstrained environments. This unsatisfactory performance can be exacerbated by poor video imagery with low contrast, high noise, dynamic clutter, image misregistration, and/or the presence of small, slow, or erratically moving targets. The paper describes a highly adaptive video motion detection and tracking algorithm which has been developed as part of Sandia's Advanced Exterior Sensor (AES) program. The AES is a wide-area detection and assessment system for use in unconstrained exterior security applications. The AES detection and tracking algorithm provides good performance under stressing data and environmental conditions. Features of the algorithm include: reliable detection with negligible false alarm rate of variable velocity targets having low signal-to-clutter ratios; reliable tracking of targets that exhibit motion that is non-inertial, i.e., varies in direction and velocity; automatic adaptation to both infrared and visible imagery with variable quality; and suppression of false alarms caused by sensor flaws and/or cutouts.

Patent
20 Sep 1995
TL;DR: In this article, an intrusion detection frame is used to detect the approach of a contact operation to a touch panel and its location, and the resulting operation guidance is reported to the operator audibly.
Abstract: PROBLEM TO BE SOLVED: To provide an input device by which desired information can be easily and exactly inputted without depending on the sense of sight, so that, for example, a visually impaired person can easily utilize automated equipment. SOLUTION: On a color liquid crystal display 20, a resistance sheet type touch panel 21 is provided that detects the contact operation of an operator and its location. The device is also provided with an intrusion detection frame 22 that optically detects the approach of a contact operation to the touch panel 21 and its location. The operation guide information based on the detection by the intrusion detection frame 22 is reported to the operator audibly.


Proceedings ArticleDOI
18 Oct 1995
TL;DR: Repels is the initial product that was developed based on CWD technology and is a portable, rapid deployment line sensor that can be erected quickly over uneven terrain to provide a security perimeter.
Abstract: Coupled wave devices (CWDs) were developed as an alternative to leaky coaxial cables for use in perimeter guided radar detection systems. Leaky coaxial cable systems, when buried in the ground, provide a covert and all-terrain line of perimeter detection. When compared with a continuously radiating leaky coaxial cable, a CWD provides a discrete launching and reception of radio frequency (RF) "sensing" signals along a simple wire conductor. CWD sensors provide many benefits for above ground applications due to their inherent coupling efficiency, simplicity and uniform detection. Repels is the initial product that was developed based on this technology. It is a portable, rapid deployment line sensor that can be erected quickly over uneven terrain to provide a security perimeter. This paper briefly reviews the technical basis of this unique guided radar approach and discusses the technical advances. Since the introduction of the first sensor, several variations have been developed and/or introduced. S-Line and Fensor are two of these CWD-based sensors. S-Line is a permanent wall or roof-top line sensor that detects attempts at crossing an existing defined perimeter. It is able to provide detection with a single sensor over the complex three-dimensional geometry typical of a building facade. Fensor is a CWD-based sensor which provides its own inherent barrier. The perimeter detection capability of Fensor is built into an aesthetically pleasing, non-conductive fence structure suitable for new construction. Technical details, test site, and initial operational site experience for each of these alternatives are discussed.

01 Mar 1995
TL;DR: A simulator is developed which generates realistic audit logs that illustrate both non-malicious and malicious behavior and can be used to train system administrators in detecting computer security problems in system audit logs.
Abstract: The problem addressed by this work was to reduce the time taken to train system administrators in detecting computer security problems in system audit logs. The approach taken was to develop a simulator which generates realistic audit logs that illustrate both non-malicious and malicious behavior. These logs can be used to train system administrators. The simulator was written in Prolog and used means-ends analysis to simulate seventeen combinations of general system functions which include the following: logins, editing, file deletions, file copying, changing file access rights, obtaining superuser privileges, sending mail and logouts. The simulation manipulates virtual system files analogously to what real users do. This creates realistic audit file logs that include a mixture of normal and malicious activity. More impressive is that the entire source program requires only 19.1 kbytes of space, making it small enough to be compatible with a personal computer.

01 Apr 1995
TL;DR: The Network Anomaly Detection and Intrusion Reporter, or NADIR, currently audits a Kerberos distributed authentication system, file activity on a mass storage system, and four Cray supercomputers that run the UNICOS operating system.
Abstract: An effective method for detecting computer misuse is the automatic auditing and analysis of on-line user activity. This activity is reflected in system audit records, in system vulnerability postures, and in other evidence found through active system testing. Since 1989 we have implemented a misuse and intrusion detection system at Los Alamos. This is the Network Anomaly Detection and Intrusion Reporter, or NADIR. NADIR currently audits a Kerberos distributed authentication system, file activity on a mass storage system, and four Cray supercomputers that run the UNICOS operating system. NADIR summarizes user activity and system configuration in statistical profiles. It compares these profiles to expert rules that define security policy and improper or suspicious behavior. It reports suspicious behavior to security auditors and provides tools to aid in follow-up investigations. As NADIR is constantly evolving, this paper reports its development to date.

Journal ArticleDOI
TL;DR: An overview of the main optical methods used today in the detection of fire, including optical smoke detection by light scattering and obscuration, as well as infrared flame detection, are presented.
Abstract: An overview of the main optical methods used today in the detection of fire is presented, including optical smoke detection by light scattering and obscuration, as well as infrared flame detection. Further, intrusion detection by detection of emitted infrared radiation of human bodies is discussed.

Patent
17 Feb 1995
TL;DR: In this paper, an installation for intrusion detection, of the type using radiating cables buried in the ground, is described, where the cables are buried in a concrete slab and, under the slab and under the cables, a metal plane is arranged, eliminating stray variations due to the subsoil.
Abstract: The invention relates to an installation for intrusion detection, of the type using radiating cables buried in the ground. In accordance with the invention, the cables (10, 11) are buried in a concrete slab (14) and, under the slab and under the cables, a metal plane (15) is arranged, eliminating stray variations due to the subsoil. The invention applies to intrusion protection, particularly human intrusion, for areas to be protected.

01 Jul 1995
TL;DR: The technologies commonly used to detect moving targets and some suggestions for detection of stationary targets are addressed in this paper.
Abstract: This paper presents a survey of technologies useful in providing early warning in physical security systems. Early warning is important in virtually all types of security systems whether they are used for temporary (tactical, portable, or semi-permanent) applications, border warning, fixed-site detection, or standoff surveillance detection. With the exception of the standoff surveillance detection systems, all systems discussed in this paper usually involve a moving target. The fact that a person(s) to be detected in a standoff surveillance scenario is not moving presents challenging problems and requires different applications of technology. The technologies commonly used to detect moving targets and some suggestions for detection of stationary targets are addressed in this paper.