Experiences with Specification Based Intrusion Detection

Intrusion Detection Approaches

Open Issues of the Specification-Based Approach

Talk Outline

Approach Overview

Approach Overview (cont'd)

Pattern Language: Regular Expressions over Events (REE)

Example BMSL rules

Specification Development Methodology

System call classification

Generic Specification

Specifications Customized for Program Groups

Application Specific Specifications

FTPD specifications

Tailoring Specifications for an OS/Site

Effectiveness

Offline Evaluation: Effectiveness with Normal-Behavior Specifications

Addition of Misuse Specifications

1999 Lincoln Labs Offline Evaluation

Online Evaluation Results

Development Effort

Conclusions

End