NIDX-an expert system for real-time network intrusion detection

Abstract

A knowledge-based prototype network intrusion detection expert system (NIDX) for the Unix System V environment is described. NIDX combines knowledge describing the target system, history profiles of users' past activities, and intrusion detection heuristics from a knowledge-based system capable of detecting specific violations that occur on the target system. Intrusions are detected by classifying user activity from a real-time audit trail of Unix system calls and then, using system-specific knowledge and heuristics about typical intrusions and attack techniques, determining whether or not the activity is an intrusion. The authors describe the NIDX knowledge base, and Unix system audit trail mechanism and history profiles , and demonstrate the knowledge-based intrusion detection process.<>