Rule-Based Intrusion Detection


Status

Advanced

Note

We recommend Intrusion Detection as prerequisite reading for this technology description.

Purpose and Origin

Due to the voluminous, detailed nature of system audit data - some of which may have little if any meaning to a human reviewer - and the difficulty of discriminating between normal and intrusive behavior, one approach taken by developers of intrusion detection systems is to use expert systems technology to analyze audit trail data automatically for intrusion attempts [Lunt 93]. These security systems, known as rule-based intrusion detection (RBID) systems, can be used to analyze system audit trails for pending or completed computer security violations. This emerging technology seeks to increase the availability of computer systems by automating the detection and elimination of intrusions.

Technical Detail

Rule-based intrusion detection (RBID) is predicated on the assumption that intrusion attempts can be characterized by sequences of user activities that lead to compromised system states. RBID systems are characterized by their expert system properties that fire rules [1] when audit records or system status information begin to indicate illegal activity [Ilgun 93]. These predefined rules typically look for high-level state change patterns observed in the audit data compared to predefined penetration state change scenarios. If an RBID expert system infers that a penetration is in process or has occurred, it will alert the computer system security officers and provide them with both a justification for the alert and the user identification of the suspected intruder.

There are two major approaches to rule-based intrusion detection:

  1. State-based. In this approach, the rule base is codified using the terminology found in the audit trails. Intrusion attempts are defined as sequences of system states, as defined by audit trail information, leading from an initial, limited access state to a final compromised state [Ilgun 93].
  2. Model-based. In this approach, known intrusion attempts are modeled as sequences of user behavior; these behaviors may then be modeled, for example, as events in an audit trail. Note, however, that the intrusion detection system itself is responsible for determining how an identified user behavior may manifest itself in an audit trail. This approach has many benefits, including the following:
    • More data can be processed, because the technology allows you to narrow the focus of the data selectively.
    • More intuitive explanations of intrusion attempts are possible.
    • The system can predict the intruder's next action.
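The state-based approach above, worked through as a small detector: an added example written for this page, not code from USTAT or any system the text cites. Audit record layout, the "/secure/" protected-object prefix and the three-step scenario are all constructed for illustration; each scenario step is a rule whose antecedent is tested against one audit record and whose consequent advances the user's state, with the final state's consequent being an alert that carries the user id and the records that justify it.

```python
from dataclasses import dataclass

@dataclass
class AuditRecord:
    """One simplified audit-trail record (constructed layout, not a real OS audit format)."""
    user: str
    action: str          # "login", "read", "write", ...
    obj: str = ""        # object the action touched
    result: str = "ok"   # "ok" or "denied"

PROTECTED = "/secure/"   # hypothetical prefix of objects the site wants guarded

# State-based scenario as a list of (state reached, antecedent). Satisfying the
# antecedents in order moves a user from the initial limited state to "compromised".
SCENARIO = [
    ("limited",     lambda r: r.action == "login" and r.result == "ok"),
    ("probing",     lambda r: r.action == "read" and r.obj.startswith(PROTECTED)
                              and r.result == "denied"),
    ("compromised", lambda r: r.action == "write" and r.obj.startswith(PROTECTED)
                              and r.result == "ok"),
]

def detect(records, scenario=SCENARIO):
    """Apply the rule base in record order; return one alert per completed scenario."""
    state = {}      # user -> index of the next antecedent to satisfy
    evidence = {}   # user -> records whose rules fired so far
    alerts = []
    for rec in records:
        idx = state.get(rec.user, 0)
        reached, antecedent = scenario[idx]
        if not antecedent(rec):
            continue                                   # no rule fires; state unchanged
        evidence.setdefault(rec.user, []).append(rec)  # consequent: keep the justification
        if idx + 1 == len(scenario):                   # final state: consequent is to alert
            alerts.append({"user": rec.user, "state": reached,
                           "justification": [(r.action, r.obj, r.result) for r in evidence[rec.user]]})
            state[rec.user], evidence[rec.user] = 0, []
        else:
            state[rec.user] = idx + 1
    return alerts

# Constructed sample trail: alice follows the codified scenario; bob reaches the same
# outcome by a path the rule base does not know, so nothing fires for him ("catch-up").
SAMPLE_TRAIL = [
    AuditRecord("alice", "login"),
    AuditRecord("bob", "login"),
    AuditRecord("alice", "read", "/secure/ledger", "denied"),
    AuditRecord("alice", "write", "/secure/ledger"),
    AuditRecord("bob", "write", "/secure/ledger"),
]
```

Running `detect(SAMPLE_TRAIL)` yields a single alert for alice with her three justifying records; bob's trail produces none, which is the "only known scenarios are codified" limitation discussed under Costs and Limitations.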

Usage Considerations

RBID rule bases are affected by system hardware or software changes and require updates by system experts as the system is enhanced or maintained. The protection afforded by RBID systems would be most useful in an environment where physical protection of the computer system is not always possible (e.g., a battlefield situation), yet the data is of high value and requires stringent protection.

Maturity

Although RBID systems are in the research and early prototype stage, articles describing RBID systems date to at least the 1986 description of the Discovery system [Tener 86]. In 1987, Denning described an early, abstract model of a rule-based intrusion detection system (IDS) [Denning 87]; in 1989, Vaccarro and Liepins described the Wisdom and Sense system [Vaccarro 89]. More recent systems include USTAT [Ilgun 93] and the Intrusion Detection Expert System (IDES) [Lunt 93]; IDES combines statistical-based (see Statistical-Based Intrusion Detection) and model-based intrusion detection approaches to achieve a level of intrusion detection not feasible with either approach alone. Mukherjee describes several other recent RBID systems [Mukherjee 94]. Feasibility for an operational system has not yet been demonstrated.

Costs and Limitations

The use of RBID systems requires the following:

  • personnel knowledgeable in rule-based systems, especially with respect to rule representation
  • personnel who know how various activities may be represented in audit trails
  • personnel experienced in intrusion detection and who have in-depth knowledge of the audit collection mechanism [Ilgun 93]

In addition to the costs associated with maintaining intrusion detection knowledge bases, there are several risks and limitations associated with this technology:

  • Only known vulnerabilities and attacks are codified in the knowledge base. The knowledge base of rules is thus always playing "catch-up" with the intruders [Lunt 93].
  • The representation of intrusion scenarios, especially with respect to state-based approaches, is not intuitive.

For these reasons, RBIDs cannot detect all intrusion attempts.

Like all intrusion detection systems, RBIDs will negatively affect system performance due to their collecting and processing of audit trail information. For example, early prototyping of a real-time RBID system on a UNIX workstation showed the algorithm was using up to 50% of the available processor throughput to process and analyze the audit trail [Ilgun 93].

Dependencies

Expert systems are an enabler for this technology.

Alternatives

Other automated approaches to intrusion detection include statistical-based approaches (see Statistical-Based Intrusion Detection) and approaches based on genetic algorithms. Manual examination of recorded audit data and online monitoring of access activity by knowledgeable system security personnel are the only other known alternatives.

Complementary Technologies

RBID systems can be used in conjunction with Statistical-Based Intrusion Detection systems to catch a wider variety of intrusion attempts, and authentication systems can be used to verify user identity.

Index Categories

This technology is classified under the following categories. Select a category for a list of related topics.

Name of technology

Rule-Based Intrusion Detection

Application category

System Security (AP.2.4.3)

Quality measures category

Security (QM.2.1.5)

Computing reviews category

Operating Systems Security and Protection (D.4.6)
Computer-Communication Networks Security and Protection (C.2.0)
Security and Protection (K.6.5)

References and Information Sources

[Bell 76] Bell, D. E. & LaPadula, L. J. Secure Computer System: Unified Exposition and Multics Interpretation Rev. 1 (MTR-2997). Bedford, MA: MITRE Corporation, 1976.
[Denning 87] Denning, Dorothy E., et al. "Views for Multilevel Database Security." IEEE Transactions on Software Engineering SE-13, 2 (February 1987): 129-140.
[CSC 83] Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria. Fort George G. Meade, MD: DoD Computer Security Center, 1983.
[Ilgun 93] Ilgun, Koral. "USTAT: A Real-time Intrusion Detection System for UNIX," 16-28. Proceedings of the 1993 Computer Society Symposium on Research in Security and Privacy. Oakland, California, May 24-26, 1993. Los Alamitos, CA: IEEE Computer Society Press, 1993.
[Kemmerer 94] Kemmerer, Richard A. "Computer Security," 1153-1164. Encyclopedia of Software Engineering. New York, NY: John Wiley and Sons, 1994.
[Lunt 93] Lunt, Teresa F. "A Survey of Intrusion Detection Techniques." Computers and Security 12, 4 (June 1993): 405-418.
[Mukherjee 94] Mukherjee, Biswanath; Heberlein, L. Todd; & Levitt, Karl N. "Network Intrusion Detection." IEEE Network 8, 3 (May/June 1994): 26-41.
[Sundaram 96] Sundaram, Aurobindo. An Introduction to Intrusion Detection [online]. Available WWW <URL: http://www.acm.org/crossroads/xrds2-4/xrds2-4.html> (1996).
[Tener 86] Tener, W. T. "Discovery: An Expert System in the Commercial Data Security Environment." Computer Security Journal 6, 1 (Summer 1990): 45.
[Vaccarro 89] Vaccarro, H. S. & Liepins, G. E. "Detection of Anomalous Computer Session Activity," 208-209. Proceedings of the IEEE Symposium on Research in Security and Privacy. Oakland, California, May 1-3, 1989. Washington, DC: IEEE Computer Society Press, 1989.
[Ware 79] Ware, W. H. Security Controls for Computer Systems: Report of Defense Science Board, Task Force on Computer Security. Santa Monica, CA: The Rand Corporation, 1979.

Current Author/Maintainer

Mark Gerken, Air Force Rome Laboratory

Modifications

10 Jan 97 (original)

Footnotes

[1] In an expert system, knowledge about a problem domain is represented by a set of rules. These rules consist of two parts:

  1. The antecedent, which defines when the rule should be applied. An expert system will use pattern matching techniques to determine when the observed data matches or satisfies the antecedent of a rule.
  2. The consequent, which defines the action(s) that should be taken if its antecedent is satisfied.

A rule is said to be "fired" when the action(s) defined in its consequent are executed. For RBID systems, rule antecedents will typically be defined in terms of audit trail data, while rule consequents may be used to increase or decrease the level of monitoring of various entities, or they may be used to notify system administration personnel about significant changes in system state.

The Software Engineering Institute (SEI) is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University.

Copyright 2007 by Carnegie Mellon University
Terms of Use
URL: http://www.sei.cmu.edu/str/descriptions/rbid_body.html
Last Modified: 11 January 2007