Report ID
1997-18
Report Authors
Richard A. Kemmerer
Report Date
Abstract
The Reliable Software Group at UCSB has developed a new approach to representing computer penetrations. This approach models penetrations as a series of state transitions described in terms of signature actions and state assertions. State transition representations are written to correspond to the states of an actual computer system, and they form the basis of a rule-based expert system for detecting penetrations. The system is called the State Transition Analysis Tool (STAT).

On a network filesystem where the files are distributed on many hosts and where each host mounts directories from the others, actions on each host computer need to be audited. A natural extension of the STAT effort is to run the system on audit data collected by multiple hosts. This means an audit mechanism needs to be run on each host. However, running an implementation of STAT on each host would result in inefficient use of computer resources. In addition, the possibility of having cooperative attacks on different hosts would make detection difficult. Therefore, for the distributed version of STAT, called NSTAT, there is a single STAT process with a single, chronological audit trail. We are currently designing a client/server approach to the problem. The client side has two threads: a producer that reads and filters the audit trail and a consumer that sends it to the server. The server side merges the filtered information from the various clients and performs the analysis.
Document
1997-18.ps (100.7 KB)