|
Detecting Computer and Network Misuse Through the Production-Based Expert System Toolset (P-BEST)
by Dr. Ulf Lindqvist & Phillip Porras.
From Proceedings of the 1999 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, California, Oakland, California. May, 1999. Pages 146161.
Abstract
This paper describes an expert system development tool-set called the Production-Based Expert System Toolset (P-BEST) and how it is employed in the development of a modern generic signature-analysis engine for computer and network misuse detection. For more than a decade, earlier versions of P-BEST have been used in intrusion detection research and in the development of some of the most well-known intrusion detection systems, but this is the first time the principles and language of P-BEST are described to a wide audience. We present rule sets for detecting subversion methods against which there are few defenses—specifically, SYN flooding and buffer overruns—and provide performance measurements. Together, these examples and performance measurements indicate that P-BEST-based expert systems are well suited for real-time misuse detection in contemporary computing environments. In addition, the simplicity of the P-BEST language and its close integration with the C programming language makes it easy to use while still being very powerful and flexible.
BibTEX Entry
@InProceedings{Lindqvist:1999:SP99PBEST,
AUTHOR = {Ulf Lindqvist and Phillip {A} Porras},
TITLE = {Detecting Computer and Network Misuse Through the Production-Based Expert System Toolset (P-BEST)},
YEAR = {1999},
PAGES = {146--161},
MONTH = {may},
ADDRESS = {Oakland, California},
URL = {http://www.csl.sri.com/papers/pbest-sp99-cr/},
BOOKTITLE = {Proceedings of the 1999 {IEEE} Symposium on Security and Privacy},
PUBLISHER = {{IEEE} Computer Society Press, Los Alamitos, California}
}
Files
|
|