Report ID
1993-26
Report Authors
Koral Ilgun
Report Date
Abstract
This thesis presents the design and implementation of a real-time intrusion detection tool, referred to as Ustat, State Transition Analysis Tool for UNIX. The original design was first developed by Phillip A. Porras and presented in [Porr91] as STAT, State Transition Analysis Tool. STAT is a new model for representing computer penetrations, and applied the model to the development of a real-time intrusion detection tool. In STAT, a penetration is identified as a sequence of state changes that lead the computer system from some initial state to a target compromised state. The author of this document has developed the first prototype, Ustat, for UNIX, in particular for SunOS 4.1.1. Ustat makes use of the audit trails that are collected by the C2 Basic Security Module of SunOS and it keeps track of only those critical actions that must occur for the successful completion of the penetration. This approach differs from other rule-based penetration identification tools that pattern match sequences of audit records.
Document