Referenced Items are not available for this document.
This paper describes a new technique for detecting security breaches in a computer system. For each Unix process, the user credentials, which are user identifiers, determine the process privilege, including whether a process has gained a high privilege, such as that of the superuser. The state transition technique is applied to a suitably defined process state, identified by certain classes of user credential values. A transition takes place when these values change from one class to another. These states are clearly defined, and prohibited state transitions as well as some supporting rules are identified. When many break-ins succeed, either the rules are violated or these prohibited transitions occur, and this implies a violation of system security policy. A specially modified system call, ktrace0, is used by the superuser to monitor the process-state and state transition analysis is applied to the traced information, by the Intrusion Detection System. Tests show that most known security violations belonging to the targeted classes (such as buffer overflow exploits) can be detected (and possibly pre-empted) while the constituent activities are still being processed in the kernel
Published in:
Computer Security Applications Conference, 1999. (ACSAC '99) Proceedings. 15th Annual
Date of Conference: 1999
- Page(s):
- 378 - 387
- Meeting Date :
- 06 Dec 1999-10 Dec 1999
- ISSN :
- 1063-9527
- Print ISBN:
- 0-7695-0346-2
- INSPEC Accession Number:
- 6461276
- Conference Location :
- Phoenix, AZ
- Digital Object Identifier :
- 10.1109/CSAC.1999.816050
- Product Type:
- Conference Publications
About IEEE Xplore | Contact | Help | Terms of Use | Nondiscrimination Policy | Site Map | Privacy & Opting Out of Cookies
A not-for-profit organization, IEEE is the world's largest professional association for the advancement of technology.
© Copyright 2013 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.
