A Pattern Matching Approach to Audit Data Reduction and Anomaly and Misuse Detection

Principal Investigators: Mikhail Atallah, Eugene Spafford

Research Assistants: J. Balasubramani, A. Bilger, H. Chang, D. Cole, M. Crosbie, B. Dole, W. Du, T. Ellis, L. Feinstein, C. Flack, C. Gray, S. Kazi, E. Kidder, B. Kopetsky, G. Krishnan, I. Krsul, M. Kuhn, T. Lane, S. W. Lodin, R. Marynowkski, T. Mastin, M. Miller, K. Nataraj, L. Nelson, L. Praza, K. Price, C. Schuba, S. Shah, K. F. Stein, A. Sundaram, T. Tuglular, A. Voss, D. Wang, K. Watson, K. Zamboni

Sponsors: DARPA, NSA

The goal of the proposed research is to develop pattern matching techniques and software for audit data reduction, and for anomaly and misuse detection in computer systems.

There are three broad subgoals:

There are many interplays and tradeoffs among the above three items.

The audit storage research deals with how audit data may be stored so that it has minimal impact on local storage yet can easily be provided as input to an intrusion detection system or monitor. The compressed audit trail data should be tamper-resistant: the storage may be "signed" or monitored so that tampering becomes evident (including the "signing" of distributed audit data that is collected centrally).
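One concrete way to make compressed audit storage tamper-evident, shown here as an added illustration rather than code from the project: each compressed record is chained to its predecessor under an HMAC key (assumed to be shared between the audited host and the central collector), so that editing, deleting or reordering a stored entry invalidates every tag that follows it. The records and key below are constructed for the example.

```python
import hashlib
import hmac
import json
import zlib

# Hypothetical key shared between the audited host and the central collector.
KEY = b"example-audit-key-not-for-production"

# Constructed sample audit records (not real log data).
RECORDS = [
    {"host": "h1", "uid": 1001, "syscall": "open", "path": "/etc/passwd"},
    {"host": "h1", "uid": 1001, "syscall": "execve", "path": "/bin/sh"},
    {"host": "h1", "uid": 0, "syscall": "setuid", "path": ""},
]

GENESIS = b"\x00" * 32  # fixed "previous tag" for the first entry


def seal(records, key=KEY):
    """Compress each record and chain it to the previous entry with an HMAC.
    The tag covers the previous tag plus this entry's compressed bytes, so any
    change to an earlier entry breaks the tags of all later entries."""
    chain, prev = [], GENESIS
    for rec in records:
        blob = zlib.compress(json.dumps(rec, sort_keys=True).encode())
        tag = hmac.new(key, prev + blob, hashlib.sha256).digest()
        chain.append({"blob": blob, "tag": tag})
        prev = tag
    return chain


def verify(chain, key=KEY):
    """Walk the chain and return (ok, index of first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(key, prev + entry["blob"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, None


def read_records(chain):
    """Decompress the stored entries back into records for the detector."""
    return [json.loads(zlib.decompress(e["blob"])) for e in chain]


def rewrite_entry(chain, index, new_record):
    """Replace one stored entry's content while keeping its old tag,
    i.e. a modification made without the key; used to exercise verify()."""
    forged = list(chain)
    blob = zlib.compress(json.dumps(new_record, sort_keys=True).encode())
    forged[index] = {"blob": blob, "tag": chain[index]["tag"]}
    return forged
```

The chain alone does not reveal truncation of the newest entries, which is why the collector should also record the latest tag it has received from each host.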

Pattern matching techniques for the detection of intrusion and misuse raise new problems that were not previously considered in traditional pattern matching settings.