A Process State-Transition Analysis and its Application to Intrusion Detection
Phoenix, Arizona December 06-December 10
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/CSAC.1999.816050
15th Annual Computer Security Applica ...
Nittida Nuansri, Prince of Songkla University
Samar Singh, La Trobe University
Tharam S. Dillon, La Trobe University
This paper describes a new technique for detecting security breaches in a computer system. For each Unix process, the user credentials (the user identifiers) determine the process privilege, including whether a process has gained a high privilege such as that of the superuser. The state-transition technique is applied to a suitably defined process state, identified by certain classes of user credential values. A transition takes place when these values change from one class to another. These states are clearly defined, and prohibited state transitions as well as some supporting rules are identified. In many successful break-ins, either the rules are violated or these prohibited transitions occur, and this implies a violation of the system security policy. A specially modified system call, ktrace(), is used by the superuser to monitor the process state, and the Intrusion Detection System applies state-transition analysis to the traced information. Tests show that most known security violations belonging to the targeted classes (such as buffer overflow exploits) can be detected (and possibly pre-empted) while the constituent activities are still being processed in the kernel.
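As an added illustration of the credential-class idea in this abstract (example code written here, not code from the paper or its authors), the following Python replays a constructed per-process trace of (pid, syscall, ruid, euid) records and flags transitions that raise privilege outside an allowed path. The three state classes, the allowed-transition table and the trace records are assumptions made for this example; the paper defines its own states and rules.

```python
# Added example: a toy credential-class state-transition monitor.
# The classes, policy table and trace below are illustrative assumptions.
ROOT_UID = 0
RANK = {"user": 0, "setuid_root": 1, "root": 2}


def credential_class(ruid, euid):
    """Classify a process by its (real uid, effective uid) pair."""
    if ruid == ROOT_UID and euid == ROOT_UID:
        return "root"
    if euid == ROOT_UID:
        return "setuid_root"  # ordinary user running a setuid-root program
    return "user"


# Assumed policy: privilege may rise only through these (from, to, syscall)
# triples; every downward or same-class transition is permitted.
ALLOWED_UP = {
    ("user", "setuid_root", "execve"),   # exec of a setuid-root binary
    ("setuid_root", "root", "setuid"),   # setuid(0) inside such a binary
}


def analyse(trace):
    """Replay (pid, syscall, ruid, euid) records; return prohibited transitions."""
    state = {}   # pid -> current credential class
    alerts = []
    for pid, syscall, ruid, euid in trace:
        new = credential_class(ruid, euid)
        old = state.get(pid, new)   # first sighting of a pid: no transition
        if RANK[new] > RANK[old] and (old, new, syscall) not in ALLOWED_UP:
            alerts.append((pid, old, new, syscall))
        state[pid] = new
    return alerts


# Constructed trace: pid 100 follows the allowed path to root;
# pid 200 reaches euid 0 from the "user" class without an execve.
SAMPLE_TRACE = [
    (100, "fork",   1000, 1000),
    (100, "execve", 1000, 0),
    (100, "setuid", 0, 0),
    (200, "fork",   1000, 1000),
    (200, "setuid", 1000, 0),   # prohibited: privilege rises via setuid
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_TRACE):
        print("prohibited transition:", alert)
```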
Citation:
Nittida Nuansri, Samar Singh, Tharam S. Dillon, "A Process State-Transition Analysis and its Application to Intrusion Detection," acsac, p. 378, 15th Annual Computer Security Applications Conference (ACSAC '99), 1999