A specification-based approach for intrusion detection by Yong Cai A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Computer Science Major Professor: R C Sekar Iowa State University Ames, Iowa 1999 ii Graduate College Iowa State University This is to certify that the Master’s thesis of Yong Cai has met the thesis requirements of Iowa State University Major Professor For the Major Program For the Graduate College iii TABLE OF CONTENTS ABSTRACT……………………………………………………………………………… V CHAPTER INTRODUCTION……………………………………………………… …1 1.1 Computer Security and Intrusion Detection .1 1.2 Our Approach .3 1.3 Key Contributions 1.4 Thesis Organization CHAPTER OVERALL APPROACH AND RELATED WORK…………… …………6 2.1 Behavioral Specifications Model .6 2.2 Detection System Model 2.3 Related Work 11 2.3.1 Misuse Intrusion Detection 12 2.3.2 Anomaly Intrusion Detection 13 2.3.3 Specification Based Monitoring 14 2.4 Benefits of Our Approach 15 CHAPTER ASL SPECIFICATION LANGUAGE………… ……………………… 17 3.1 External Functions 17 3.2 Events .18 3.3 Patterns .19 3.3.1 Atomic Patterns 19 3.3.2 Primitive Patterns .19 3.3.3 General Event Patterns 20 3.4 Rules 20 3.5 Event Abstractions 21 3.6 Example Specifications 22 CHAPTER ATOMIC EXECUTION… ……………………………………………… 25 4.1 Atomic Execution .26 4.2 Defining Readset/Writeset 26 4.3 Implementation Approach 27 iv 4.4 Some Examples of the Algorithm 29 4.5 Discussion of Correctness 30 CHAPTER TRANSLATION FROM ASL INTO AUTOMATON… ……………… 32 5.1 Translation Algorithm 32 5.2 Illustration of Automata Construction 40 5.3 Code Generation .42 5.4 Examples of ASL Specifications Translated into C++ Class Definitions 43 CHAPTER SUMMARY AND CONCLUSION……… ……………………………… 45 6.1 Effectiveness .45 6.2 Summary 46 6.3 Conclusion and Future Work 47 APPENDIX A CLASSIFICATION OF SYSTEM CALLS IN RED HAT LINUX… 49 APPENDIX B COMPILED CODE FOR ASL SPECIFICATIONOF FOR RACE VULNERABILITY ……………………………………………………………………….65 BIBLIOGRAPHY……………… ……………………………………………………….69 ACKNOWLEDGEMENTS ……………………………………………………………….72 v ABSTRACT People begin to pay increasing attention to computer security because computers play more and more important roles in our society A lot of critical services are heavily dependent on computers It is thus critical to make computer system highly robust and reliable Intrusion detection is a technique to enhance the computer security It can detect the successful breaches of security as well as monitor attempts to breach security This thesis presents a specification-based approach for intrusion detection The traditional intrusion detection methods have some problems The anomaly intrusion detection method detects intrusions based on anomalous behavior of a process It is difficult to set up the anomaly thresholds to define which behavior can be considered as an intrusion The misuse intrusion detection refers to intrusions that follow well-defined patterns of attack It cannot detect previously unknown attacks, since it is impossible to write some patterns for an unknown vulnerability Our approach uses high-level specifications to describe the security-related behaviors of processes These specifications are intended to capture normal or intended behaviors of processes Deviations from these specifications are indicative of intrusions Thus, attacks can be detected even though they may not have been encountered previously We design a highlevel language called Auditing Specification Language (ASL) to specify security-related behavior This language is powerful enough to express a range of integrity constraints and behaviors over time Specifications in ASL are compiled into optimized C++ programs for efficient detection of deviations from these specifications Our compiler will translate ASL specifications into an Extended Finite-State Automaton (EFSA) An EFSA is similar to a finite-state automaton with a set of state variables The EFSA can be simulated at runtime to detect intrusions efficiently Based on the past five years security problem published by CERT, we believe that our technique can capture most intrusions CHAPTER INTRODUCTION The growing use of computers make information and networking technologies play an increasingly important role in our society Many of the critical services such as telecommunication, commerce and banking, and transportation all depend heavily on the computer Along with the benefits brought about by this change, several new dangers arise Individuals and organizations can wreak havoc on these critical services by attacking their underlying computing and networking infrastructures Consequently, it becomes very important to build computer systems that are highly robust and resilient, so that they can continue to perform their critical functions even in the face of large-scale failures and malicious attacks 1.1 Computer Security and Intrusion Detection The terms of security and intrusion have been defined in many ways One broad definition of a secure computer system is given by Garfinkel and Spafford [GS91] as one that can be depended upon to behave as it is expected to The expected behavior is formalized into the security policy of the computer system and governs the goals that the system must meet A narrower definition of computer security is based on the realization of confidentiality, integrity, and availability in a computer system [RS91] Confidentiality requires that information be accessible only to those authorized for it; integrity requires that information remain unaltered by accidents or malicious attempts to change it; and availability means that the computer system remains working without degradation of access and provides resources to authorized users when they need it Intrusion is defined by Heady et al [HLMM91] as a set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource Or, in other words, we can say that an intrusion is a violation of the security policy of the systems Most computer systems provide an access control mechanism as their first line of defense [Lam69] Access control is often presented as the enforcement of policy described by an access matrix The columns of the matrix represent the operations that may be performed on the protected object or service, and each row represents a client For each client there is therefore a complete description of which operations that client may undertake, and likewise, for each operation we may enumerate all clients who have access The access matrix is conceptually simple and the majority of access control models are based on it However, access control cannot prevent unauthorized information flow through the system because such flow can take place with authorized accesses to the objects Information flow can be controlled to enhance security by applying models such as the Bell and LaPadula model [BL73] to provide secrecy, or the Biba model [Bib 77] to provide integrity However, security comes at the cost of convenience Both models restrict read and write operations to ensure the security so that the completely secure system may not be very useful Moreover, both access control and protection model are not helpful against inside threats or compromising of the authentication module For example, if a password is weak and is compromised, access control cannot prevent the loss of information that the compromised user was authorized to access In general, because of poor design or inadequate testing, faults in system software often manifest themselves as security weaknesses Intrusion detection systems fill this role They are useful not only in detecting successful breaches of security, but also in monitoring attempts to breach security, which provides important information for timely countermeasures For example, compared with access control, when a weak password is noticed, an intrusion detection system can monitor hacker attempts to guess the password, so that appropriate response action can be launched quickly Usually, intrusion detection can be considered the last line of defense against attacks 1.2 Our Approach Intrusion detection has been divided into two categories traditionally: anomaly intrusion detection and misuse intrusion detection The first refers to intrusions that can be detected based on anomalous behavior and use of computer resources For example, a user only uses the computer in his office time, an activity on his account in the midnight might be an intrusion Anomaly detection attempts to identify typical usage patterns and flag other activities as potential intrusions Anomaly detection has the advantage that no specific knowledge about security flaws is required to detect intrusion On the other hand, it is difficult to set up the anomaly thresholds to define which behavior can be considered as an intrusion Sometimes, an abnormal behavior is not an intrusion, maybe it is a situation we have never seen before At another time, a hacker is so smart that the intrusion behavior have different only slightly from the normal behavior Misuse intrusion detection refers to intrusions that follow well-defined patterns of attack that exploit weaknesses in system and application software Such patterns can be precisely written in advance This technique can guarantee the detection of an intrusion if a signature of the intrusion is described in advance to the intrusion detection system However, it cannot detect previously unknown attacks, since it is impossible to write a pattern for an unknown attack Ours is a specification-based approach We use high-level specifications to describe the security-related behaviors of processes These specifications are intended to capture normal or intended behaviors of processes Deviations from these specifications are indicative of intrusions Thus, attacks can be detected even though they may not have been encountered previously We notice that damage must eventually be effected via the system calls made by the attacked process to its operating-system environment In particular, operations for manipulating files or network connections are all administered through system calls So security-related behaviors can be represented in terms of the system calls made by each process running on the host We detect deviations from expected behaviors by intercepting and validating the system calls at runtime Note that this approach gives us the ability to detect problems before they cause damage, and can thus be preventive We design a high-level language called Auditing Specification Language (ASL) to specify security-related behavior This language is powerful enough to express a range of integrity constraints and behaviors over time The constraints can span multiple processes Specifications in ASL are compiled into optimized C++ programs for efficient detection of deviations from these specifications We employ runtime enforcement techniques to ensure that a process satisfies the behavior specified in ASL When deviations from specified behavior are detected, some automatic actions to isolate the damage can be initiated These corrective actions are also described within ASL 1.3 Key Contributions The key innovations of our approach include:  A high-level language that simplifies specification of normal behaviors of processes ASL is intended to simplify the specification of relationships and constraints that must hold in a correctly operation system, without being concerned about the detail as to how these conditions can be verified  Efficient techniques for runtime intrusion detection Our compiler will translate ASL specifications into an Extended Finite-State Automaton (EFSA) An EFSA is similar to a finite-state automaton with a set of state variables The EFSA can be used to detect intrusions efficiently at runtime  Atomic execution to detect race condition attacks We introduce the atomic execution in our ASL specification to deal with the race condition attacks Atomic execution provides the data integrity in a multi-processes system This feature lets a user describe the normal behavior of a program that needs atomic execution or detect unknown intrusions involving race condition or similar synchronization errors 1.4 Thesis Organization The rest of this thesis is organized as follows Chapter gives an overview of our approach and discusses its relationship to precious research Our ASL language is described in Chapter Chapter describes our approach towards atomic execution The detailed discussion of the ASL compiler is given in Chapter with some sample C++ programs generated by it Finally, concluding results appear in Chapter 57 signal - ANSI C signal handling void(*signal(int signum, void(*handler)(int)))(int); sigvec - BSD software signal facilities int sigvec(int sig, struct sigvec *vec, struct sigvec *ovec); sigaction - POSIX signal handling functions int sigaction(int signum, const struct sigaction *act, struct sigaction *oldact); sigprocmask - POSIX signal handling functions int sigprocmask(int how, const sigset_t *set, sigset_t *oldset); sigpending - POSIX signal handling functions int sigpending(sigset_t *set); sigsuspend - POSIX signal handling functions int sigsuspend(const sigset_t *mask); sigpause - atomically release blocked signals and wait for interrupt int sigpause(int sigmask); pause - wait for signal int pause(void); sigreturn - return from signal handler and cleanup stack frame int sigreturn(unsigned long unused);  Synchronization poll - wait for some event on a file descriptor int poll(struct pollfd *ufds, unsigned int nfds, int timeout); select - synchronous I/O multiplexing int select(int n, fd_set *readfds, fd_set *writefds, fd_set *exceptfds, struct timeval *timeout); semctl - semaphore control operations int semctl(int semid, int semnun, int cmd, union semun arg ) semget - get a semaphore set identifier int semget(key_t key, int nsems, int semflg ) semop - semaphore operations int semop(int semid, struct sembuf *sops, unsigned nsops)  User/Group Id getuid - get user real ID uid_t getuid(void); getgid - returns the real group ID of the current process gid_t getgid(void); 58 getegid - returns the effective group ID of the current process gid_t getegid(void); geteuid - returns the effective user ID of the current process uid_t geteuid(void); getresuid - get real, effective and saved user ID(14) int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid); getuid_2() - get real user ID = { geteuid(void), getresuid(ruid, euid, suid) | return_value = ruid } geteuid_2() - get effective user ID = { geteuid(void), getresuid(ruid, euid, suid) | return_value = euid } getgid_2() - get real group ID = { getgid(), getresgid(rgid, egid, sgid) | return_value = rgid } getegid_2() - get effective group ID = { getegid(), getresgid(rgid, egid, sgid) | return_value = egid } getresgid - get real, effective and saved group ID(15) int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid); getsid - getsid - get session ID pid_t getsid(void); getpgid - get process group ID pid_t getpgid(pid_t pid); getpgrp -get process group ID pid_t getpgrp(void); getpgrp is equivalent to getpgid(0) getpgid_2 (pid) - get process group ID = { getpgid(pid), getpgrp(void) | pid = } getgroups - get group access list int getgroups(int size, gid_t list[]) setegid - set effective group ID int setegid(gid_t egid); seteuid - set effective user ID 59 int seteuid(uid_t euid); setfsgid - set group identity used for file system checks int setfsgid(uid_t fsgid) setfsuid - set user identity used for file system checks int setfsuid(uid_t fsuid) setgid - set group identity int setgid(gid_t gid) setregid - set real and / or effective group ID int setregid(gid_t rgid, gid_t egid); setreuid - set real and / or effective user ID int setreuid(uid_t ruid, uid_t euid); setresgid - set real, effective and saved group ID(30) int setresgid(gid_t rgid, gid_t egid, gid_t sgid); setresuid - set real, effective and saved user ID(29) int setresuid(uid_t ruid, uid_t euid, uid_t suid); setuid_2() - set real user ID ) = { seteuid(void), setresuid(ruid, euid, suid) | return_value = ruid } seteuid_2() - set effective user ID = { seteuid(void), setresuid(ruid, euid, suid) | return_value = euid } setgid_2() - set real group ID = { setgid(), setresgid(rgid, egid, sgid) | return_value = rgid } setegid_2() - set effective group ID = { setegid(), setresgid(rgid, egid, sgid) | return_value = egid } setgroups - set group access list int setgroups(size_t size, const gid_t *list); setsid - creates a session and sets the process group ID pid_t setsid(void); setuid - set user identity int setuid(uid_t uid)  Resource Control 60 getrlimit - get resource limit int getrlimit(int resource, struct rlimit *rlim) setrlimit - set resource limits int setrlimit(int resource, const struct rlimit *rlim); getrusage - get resource usage int getrusage(int who, struct rusage *usage); getpriority - get program scheduling priority int getpriority(int which, int who); nice - change process priority int nice(int inc); setpriority - set program scheduling priority int getpriority(int which, int who);  Virtual Memory brk {,sbrk} - change data segment size int brk(void *end_data_segment); void *sbrk(ptrdiff_t increment); mlock - disable paging for some parts of memory(20) int mlock(const void *addr, size_t len); mlockall - disable paging for calling process int mlockall(int flags); munlock - reenable paging for some parts of memory(21) int munlock(const void *addr, size_t len); munlockall - reenable paging for calling process int munlockall(void); mprotect - control allowable accesses to a region of memory int mprotect(const void *addr, size_t len, int prot); mremap - re-map a virtual memory address void * mremap(void * old_address, size_t old_size , size_t new_size, unsigned long flags); modify_ldt - get or set local descriptor table, a per-process memory management table used by the i386 processor int modify_ldt(int func, void *ptr, unsigned long bytecount);  Miscellaneous uselib - select shared library int uselib(const char *library); profil - execution time profile int profil(char *buf, int bufsiz, int offset, int scale); 61 ptrace - process trace int ptrace(int request, int pid, int addr, int data); System-Wide  Unprivileged Filesystem sync - commit buffer cache to disk int sync(void); ustat - get file system statistics int ustat(dev_t dev, struct ustat * ubuf); statfs, fstatfs - get file system statistics(10) int statfs(const char *path, struct statfs *buf); int fstatfs(int fd, struct statfs *buf); sysfs - get file system type information(31) int sysfs(int option, const char * fsname); int sysfs(int option, unsigned int fs_index, char * buf); int sysfs(int option);  Unprivileged Miscellaneous getpagesize - get system page size size_t getpagesize(void); sysinfo - returns information on overall system statistics int sysinfo(struct sysinfo *info); uname - get name and information about current kernel int uname(struct utsname *buf);  Privileged Filesystem setup - setup devices and file systems, mount root file system int setup(void); swapoff - stop swapping to file/device int swapoff(const char *path); swapon - start swapping to file/device int swapon(const char *path, int swapflags); nfsservctl - syscall interface to kernel nfs daemon nfsservctl(int cmd, struct nfsctl_arg *argp, union nfsctl_res *resp); mount - mount filesystem int mount(const char *specialfile, const char * dir , const char * filesystemtype, unsigned long rwflag , const void * data); umount - unmount filesystems int umount(const char *specialfile); int umount(const char *dir); 62  Process Scheduling sched_get_priority_max - get the max static priority int sched_get_priority_max(int policy); sched_get_priority_min - get the static priority int sched_get_priority_min(int policy); sched_getparam - get scheduling parameters int sched_getparam(pid_t pid, struct sched_param *p); sched_setparam - set scheduling parameters int sched_setparam(pid_t pid, const struct sched_param *p); sched_getscheduler - get scheduling algorithm/parameters int sched_getscheduler(pid_t pid); sched_setscheduler - set scheduling algorithm/parameters int sched_setscheduler(pid_t pid, int policy, const struct sched_param *p); sched_rr_get_interval - get the SCHED_RR interval for the named process int sched_rr_get_interval(pid_t pid, struct timespec *tp); sched_yield - yield the processor int sched_yield(void);  Privileged Time stime - set time int stime(time_t *t); adjtimex - tune kernel clock int adjtimex(struct timex *buf);  Loadable Modules create_module - create a loadable module entry caddr_t create_module(const char *name, size_t size); delete_module - delete a loadable module entry int delete_module(const char *name); init_module - initialize a loadable module entry int init_module(const char *name, struct module *image); query_module - query the kernel for various bits pertaining to modules int query_module(const char *name, int which, void *buf, size_t bufsize, size_t *ret); get_kernel_syms - retrieve exported kernel and module symbols int get_kernel_syms(struct kernel_sym *table);  Accounting and Quota 63 acct - switch process accounting on or off int acct(const char *filename); quotactl - manipulate disk quotas int quotactl(cmd, special, uid, addr)  Privileged Miscellaneous sysctl - read/write system parameters int _sysctl(struct sysctl_args *args); syslog - read and/or clear kernel message ring buffer int syslog(int type, char *bufp, int len); idle - make process idle void idle(void); reboot - reboot or disable Ctrl-Alt-Del int reboot(int magic, int magic_too, int flag); ioperm - set port input/output permissions int ioperm(unsigned long from, unsigned long num, int turn_on); iopl - change I/O privilege level int iopl(int level); bdflush - start, flush, or tune buffer-dirty-flush daemon(1) int bdflush(int func, long *address); int bdflush(int func, long data); cacheflush - flush contents of instruction and/or data cache int cacheflush(char *addr, int nbytes, int cache); ipc - System V IPC system calls int ipc(unsigned int call, int first, int second, int third, void *ptr, long fifth); socketcall - socket system calls int socketcall(int call, unsigned long *args); personality - set the process execution domain int personality(unsigned long persona); vhangup - virtually hangup the current tty int vhangup(void); vm86old, vm86 - enter virtual 8086 mode int vm86old(struct vm86_struct * info); int vm86(unsigned long fn, struct vm86plus_struct * v86); 64 APPENDIX B COMPILED CODE FOR ASL SPECIFICATIONOF FOR RACE VULNERABILITY This C++ code is generated from the ASL Code Example in section 3.6 class MonitorProg: { private: struct FSM { int cs_; FSM* next_; int Rule_0_ruid_; String Rule_0_rn_; int Rule_0_flags_; int Rule_1_flag_; void clone(FSM* p2) { Rule_0_ruid_=p2->Rule_0_ruid_; Rule_0_flags_=p2->Rule_0_flags_; Rule_0_rn_=p2->Rule_0_rn_; Rule_1_flag_=p2->Rule_1_flag_; }; }; FSM* stack1_; int savedEuid; int changedEuid; public: MonitorProg(){ FSM* start=new FSM; start->cs_=0; start->next_=NULL; stack1_=start; }; int access_entry (CString name, mode_t mode){ FSM* stack2_; stack2_=NULL; FSM* tmp=stack1_; while(tmp!=NULL) { tmp=tmp->next_; } while (stack1_!=NULL) { FSM* cp=stack1_; stack1_=stack1_->next_; switch (cp->cs_) { case 0:{ cp->Rule_0_ruid_=getuid(); cp->Rule_0_rn_=realpath(name); 65 FSM* np=new FSM; np->cs_=1; np->clone(cp); delete cp; np->next_=stack2_; stack2_=np; break; } default: { delete cp;break;} } } FSM* start=new FSM; start->cs_=0; start->next_=stack2_; stack2_=start; stack1_=stack2_; } int open_entry (CString name1, int flags, mode_t mode1){ FSM* stack2_; stack2_=NULL; FSM* tmp=stack1_; while(tmp!=NULL) { tmp->Rule_0_flags_=flags; tmp=tmp->next_; } while (stack1_!=NULL) { FSM* cp=stack1_; stack1_=stack1_->next_; switch (cp->cs_) { case 1:{ if ( (cp->Rule_0_rn_==realpath(name1) )) { FSM* np=new FSM; np->cs_=2; np->clone(cp); delete cp; { changedEuid = 1; savedEuid = geteuid(); setreuid((-1), np->Rule_0_ruid_); } np->next_=stack2_; stack2_=np; } break; } default: { delete cp;break;} } } FSM* start=new FSM; start->cs_=0; start->next_=stack2_; stack2_=start; stack1_=stack2_; } 66 int access_exit (CString pathname, mode_t mode){ FSM* stack2_; stack2_=NULL; FSM* tmp=stack1_; while(tmp!=NULL) { tmp=tmp->next_; } while (stack1_!=NULL) { FSM* cp=stack1_; stack1_=stack1_->next_; switch (cp->cs_) { case 1:{ FSM* np=new FSM; np->cs_=1; np->clone(cp); delete cp; np->next_=stack2_; stack2_=np; break; } default: { delete cp;break;} } } FSM* start=new FSM; start->cs_=0; start->next_=stack2_; stack2_=start; stack1_=stack2_; }; int open_exit (CString f, int flag, mode_t mode ){ FSM* stack2_; stack2_=NULL; FSM* tmp=stack1_; while(tmp!=NULL) { tmp->Rule_1_flag_=flag; tmp=tmp->next_; } while (stack1_!=NULL) { FSM* cp=stack1_; stack1_=stack1_->next_; switch (cp->cs_) { case 0:{ if ( (changedEuid==1)) { FSM* np=new FSM; np->cs_=2; np->clone(cp); delete cp; { changedEuid = 0; setreuid((-1), changedEuid); } np->next_=stack2_; stack2_=np; 67 } break; } case 1:{ FSM* np=new FSM; np->cs_=1; np->clone(cp); delete cp; np->next_=stack2_; stack2_=np; break; } default: { delete cp;break;} } } FSM* start=new FSM; start->cs_=0; start->next_=stack2_; stack2_=start; stack1_=stack2_; } } 68 BIBLIOGRAPHY [Anderson95] D Anderson, T Lunt, H Javitz, A Tamaru, and A Valdes, Next-generation Intrusion Detection Expert System (NIDES): A Summary, SRI-CSL-95-07, SRI International, 1995 [Berry86] G Berry and R Sethi, From Regular Expressions to Deterministic Automata, Theoretical Computer Science Vol 48, pp 117-126, 1986 [Bib77] K.J.Biba Integrity Constraints for Secure Computer Systems Technical Report ESD-TR-76-372, USAF Electronic Systems Division, Bedford, Massachusetts, April 1977 [BL73] D.E.Bell and L.J.LaPadula Secure Computer System: Mathematical Foundations and Model Technical Report M74-244, The MITRE Corporation, Bedford, Massachusetts, May 1973 [Brzozowski64] J.A Brzozowski, Derivatives of Regular Expressions, Journal of ACM Vol 11, No.4, pp 481-494, 1964 [Forrest97] S Forrest, S Hofmeyr and A Somayaji, Computer Immunology, Communication of ACM Vol 40, No.10, 1997 [Fox90] K Fox, R Henning, J Reed and R Simonian, A Neural Network Approach Towards Intrusion Detection, National Computer Security Conference, 1990 69 [GS91] Simon Garfinkel and Gene Spafford Practical Unix Security O’Reilly and Associates, Sebastopol, California, 1991 [HLMM91] R Heady, G Luger, A Maccabe, and B Mukherjee A Method to Detect Intrusive Activity in a Networked Environment In Proceedings of the 14th National Computer Security Conference, pages 362-371, October 1991 [Ilgun93] K Ilgun, A real-time intrusion detection system for UNIX, IEEE Symp on Security and Privacy, 1993 [Ko96] C Ko , Execution Monitoring of Security-Critical Programs in a Distributed System: A Specification-Based Approach, Ph.D Thesis, University of California at Davis, 1996 [Ko94] C Ko, G Fink and K Levitt, Automated detection of vulnerabilities in privileged programs by execution monitoring, Computer Security Application Conference, 1994 [Kosoresow97] A Kosoresow and S Hofmeyr, Intrusion detection via system call traces, IEEE Software Conference 1997 [Kumar94] S Kumar and E Spafford, A Pattern-Matching Model for Intrusion Detection, National Computer Security Conference, 1994 [Lam69] B.W Lampson Dynamic Protection Structures In Proceedings of the AFIPS Fall Joint Computer Conference, pages 27-38, 1969 [Lunt88] T Lunt and R Jagannathan, A prototype real-time intrusion detection system, IEEE Symp on Computer Security and Privacy, 1988 [Lunt92] T Lunt et al, A Real-Time Intrusion Detection Expert System (IDES) - Final Report, SRI-CSL-92-05, SRI International, 1992 70 [Porras92] P Porras and R Kemmerer, Penetration State Transition Analysis - A Rule Based Intrusion Detection Approach, Computer Security Applications Conference, 1992 [RS91] Deborah Russell and G.T Gangemi Sr Computer Security Basics O’Reilly and Associates, Sebastopol, California, December 1991 71 ACKNOWLEDGEMENTS I wish to express my sincere appreciation to Dr R C Sekar, my major professor, for his full support, valuable advice and assistance to carry out and complete this research I would like to thank Dr Johnny Wong for his help in my graduate study His encouragement and support makes my two years study at Iowa State University the most rewarding time in my life I would like to thank Dr Gary Leveans for his kind advising in my thesis work The contribution of Dr Prasant Mohapatra as committee member is greatly acknowledged Many thanks to Premchand Uppuluri, Ravi Vankamamidi, Guang Yang, Pradeep Bollineni, and Shobhit Verma for their help to my research and study Finally, thanks for the love from my parents and my wife, Di Wu Without their support, I would not have completed this research This project is supported by Defense Advanced Research Project Agency's Information Technology Office (DARPA-ITO) under the Information System Survivability program, under contract number F30602-97-C-0244 ... D(b, (ab+b)*ba)= (ab+b)*ba +a We get two new states Continue this computation: D (a, b(ab+b)*ba)=0, D(b, b(ab+b)*ba)= (ab+b)*ba, D (a, (ab+b)*ba +a) =b(ab+b)*ba+1 and D(b, (ab+b)*ba +a) = (ab+b)*ba +a We... new state b(ab+b)*ba+1 When we compute the derivative of this state: D (a, b(ab+b)*ba a b b (ab+b)*ba b(ab+b)*ba+1 b a (ab+b)*ba +a b Figure Automaton accepting (ab+b)*ba 37 b(ab+b)*ba+1) =0 and... account in the midnight might be an intrusion Anomaly detection attempts to identify typical usage patterns and flag other activities as potential intrusions Anomaly detection has the advantage