Classification and detection of computer intrusions

Some computer security breaches cannot be prevented using access and information flow control techniques. These breaches may be a consequence of system software bugs, hardware or software failures, incorrect system administration procedures, or failure of the system authentication module. Intrusion detection techniques can have a significant role in the detection of computer abuse in such cases. This dissertation describes a pattern matching approach to representing and detecting intrusions, a hitherto untried approach in this field. We have classified intrusions on the basis of structural interrelationships among observable system events. The classification formalizes detection of specific exploitations by examining their manifestations in the system event trace. Thus, we can talk about intrusion signatures belonging to particular categories in the classification, instead of vulnerabilities that result in intrusions. The classification developed in this dissertation can also be used for developing computational models to detect intrusions in each category by exploiting the common structural interrelationships of events comprising the signatures in that category. We can then look at signatures of interest that can be matched efficiently, instead of attempting to devise a comprehensive set of techniques to detect any violation of the security policy. We define and justify a computational model in which intrusions from our classification can be represented and matched. We also present experimental results based on an implementation of the model tested against real-world intrusions