USTAT: a real-time intrusion detection system for UNIX

The author presents the design and implementation of a real-time intrusion detection tool, called USTAT, a state transition analysis tool for UNIX. This is a UNIX-specific implementation of a generic design developed by A. Porras and R.A. Kemmerer (1992) as STAT, a state transition analysis tool. State transition analysis is a new approach to representing computer penetrations. In STAT, a penetration is identified as a sequence of state changes that take the computer system from some initial state to a target compromised state. The development of the first USTAT prototype, which is for SunOS 4.1.1, is discussed. USTAT makes use of the audit trails that are collected by the C2 basic security module of SunOS, and it keeps track of only those critical actions that must occur for the successful completion of the penetration. This approach differs from other rule-based penetration identification tools that pattern match sequences of audit records.>