Title :
Detecting and displaying novel computer attacks with Macroscope
Author :
Cunningham, Robert K. ; Lippmann, Richard P. ; Webster, Seth E.
Author_Institution :
Lincoln Lab., MIT, Lexington, MA, USA
fDate :
7/1/2001 12:00:00 AM
Abstract :
Macroscope is a network-based intrusion detection system that uses bottleneck verification (BV) to detect user-to-superuser attacks. BV detects novel computer attacks by looking for users performing high privilege operations without passing through legal "bottleneck" checkpoints that grant those privileges. Macroscope's BV implementation models many common Unix commands, and has extensions to detect intrusions that exploit trust relationships, as well as previously installed Trojan programs. BV performs at a false alarm rate more than two orders of magnitude lower than a reference signature verification system, while simultaneously increasing the detection rate from roughly 20% to 80% of user-to-superuser attacks.
Keywords :
Internet; security of data; Macroscope; Trojan programs; Unix commands; bottleneck verification; false alarm rate; high privilege operations; network-based intrusion detection system; novel computer attack detection; novel computer attack display; trust relationships; user-to-superuser attack detection; Computer displays; Government; Handwriting recognition; High performance computing; Intrusion detection; Law; Monitoring; Software safety; Telecommunication traffic; Workstations;
Journal_Title :
Systems, Man and Cybernetics, Part A: Systems and Humans, IEEE Transactions on
DOI :
10.1109/3468.935044