Reference Audit Information Generation For Intrusion Detection Systems

This paper addresses the problem of generating reference audit information used in the intrusion detection technique proposed by S. Forrest et al. [1]. This technique uses a model of normal behavior of the information system being monitored to detect attacks against it. We present a novel approach to collect the reference behavior information used by the intrusion detection system to solve the problem identified in [1]. The model of normal behavior is extracted from this reference information. This model is then tested against real user activity and attacks.

[1] S. Forrest, S.A. Hofmeyr, and A. Somayaji, "Computer immunology," Commun. ACM, vol. 40, no. 10, October 1997.

By: H. Debar, M. Dacier, A. Wespi

Published in: Global IT Security, ed. by G. Papp and R. Posch, Vienna, OCG, pp. 405-17, 1998

Please obtain a copy of this paper from your local library. IBM cannot distribute this paper externally.
