DocumentCode
1511276
Title
Detecting and displaying novel computer attacks with Macroscope
Author
Cunningham, Robert K. ; Lippmann, Richard P. ; Webster, Seth E.
Author_Institution
Lincoln Lab., MIT, Lexington, MA, USA
Volume
31
Issue
4
fYear
2001
fDate
7/1/2001 12:00:00 AM
Firstpage
275
Lastpage
281
Abstract
Macroscope is a network-based intrusion detection system that uses bottleneck verification (BV) to detect user-to-superuser attacks. BV detects novel computer attacks by looking for users performing high privilege operations without passing through legal “bottleneck” checkpoints that grant those privileges. Macroscope's BV implementation models many common Unix commands, and has extensions to detect intrusions that exploit trust relationships, as well as previously installed Trojan programs. BV performs at a false alarm rate more than two orders of magnitude lower than a reference signature verification system, while simultaneously increasing the detection rate from roughly 20% to 80% of user-to-superuser attacks.
Keywords
Internet; security of data; Macroscope; Trojan programs; Unix commands; bottleneck verification; false alarm rate; high privilege operations; network-based intrusion detection system; novel computer attack detection; novel computer attack display; trust relationships; user-to-superuser attack detection; Computer displays; Government; Handwriting recognition; High performance computing; Intrusion detection; Law; Monitoring; Software safety; Telecommunication traffic; Workstations;
fLanguage
English
Journal_Title
Systems, Man and Cybernetics, Part A: Systems and Humans, IEEE Transactions on
Publisher
ieee
ISSN
1083-4427
Type
jour
DOI
10.1109/3468.935044
Filename
935044