Report ID
1993-25
Report Authors
Phil Porras
Report Date
Abstract
This thesis proposes a new approach to representing computer penetrations and applies the approach to the development of a real-time intrusion detection tool. The approach, referred to as penetration state transition analysis, views a penetration as a sequence of state changes that lead a computer system from an initial prerequisite state to a target compromised state. State transitions are defined in terms of critical actions and assertions that describe the pre- and post-action states of the system. A state transition diagram, which is the graphical representation of state transition analysis, identifies precisely the requirements and compromise of a penetration and lists only those critical events that must occur for the successful completion of the penetration.

The State Transition Analysis Tool (STAT) is an advanced rule-based expert system that analyzes the audit trails of multi-user computer systems in search of impending security violations. STAT represents state transition diagrams within its rule-base and uses them to seek out those state transitions within the target system that correspond to known penetration scenarios. Unlike comparable analysis tools that pattern match sequences of audit records to the expected audit trails of known penetrations, STAT rules focus on the effects that the individual steps of a penetration have on the state of the computer system. The resulting rule-base is not only more intuitive to read and update than current penetration rule-bases, but also provides greater functionality to detect impending compromises.
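The matching the abstract describes, as an added illustration that is not code from the thesis or from STAT: a state transition diagram whose transitions fire on a critical action and only advance when the assertion on the post-action state holds, evaluated over an audit trail. The two-step diagram, the attribute names and the audit records are constructed here for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

State = Dict[str, bool]  # snapshot of the system attributes the assertions refer to

@dataclass
class AuditRecord:
    seq: int
    actor: str
    action: str
    state: State  # constructed post-action snapshot carried with the record

# A transition = (signature action predicate on the record, assertion on the post-action state)
Transition = Tuple[Callable[[AuditRecord], bool], Callable[[State], bool]]

def run_stat(prerequisite: Callable[[State], bool], transitions: List[Transition],
             records: List[AuditRecord]) -> List[Tuple[str, List[int]]]:
    """Track one diagram instance per actor; return (actor, record seqs) for each instance
    reaching the compromised state. A matching action whose assertion fails does not advance."""
    step: Dict[str, int] = {}          # actor -> index of the next expected transition
    trail: Dict[str, List[int]] = {}   # actor -> records that advanced the instance
    alerts: List[Tuple[str, List[int]]] = []
    for rec in records:
        i = step.get(rec.actor, 0)
        if i == 0 and not prerequisite(rec.state):
            continue  # prerequisite state not met: the scenario cannot start here
        signature, post = transitions[i]
        if signature(rec) and post(rec.state):
            trail.setdefault(rec.actor, []).append(rec.seq)
            step[rec.actor] = i + 1
            if step[rec.actor] == len(transitions):
                alerts.append((rec.actor, trail.pop(rec.actor)))
                step[rec.actor] = 0  # compromised state reached: report and reset
    return alerts

# Hypothetical two-step diagram (not from the thesis): an unprivileged actor creates an
# object it owns (T1); that object later becomes privileged (T2), the compromised state.
PREREQUISITE = lambda s: not s["actor_privileged"]
TRANSITIONS: List[Transition] = [
    (lambda r: r.action == "create", lambda s: s["actor_owns_obj"]),   # T1
    (lambda r: r.action == "modify", lambda s: s["obj_privileged"]),   # T2
]

RECORDS = [  # constructed audit trail: seq, actor, action, post-action state
    AuditRecord(1, "bob", "create", {"actor_privileged": False, "actor_owns_obj": True, "obj_privileged": False}),
    AuditRecord(2, "bob", "modify", {"actor_privileged": False, "actor_owns_obj": True, "obj_privileged": False}),
    AuditRecord(3, "ann", "modify", {"actor_privileged": False, "actor_owns_obj": True, "obj_privileged": True}),
    AuditRecord(4, "bob", "modify", {"actor_privileged": False, "actor_owns_obj": True, "obj_privileged": True}),
]
```

Record 2 matches the T2 action but its post-state assertion fails, so bob's instance stays at T1 until record 4; ann's record never passes T1, so only `("bob", [1, 4])` is reported.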
Document
1993-25.ps (2.71 MB)