14th Annual Computer Security Applications Conference
December 7-11, 1998
Phoenix, Arizona


Intrusion Detection Applying Machine Learning to Solaris Audit Data

David Endler

An Intrusion Detection System (IDS) seeks to identify unauthorized access to computer systems' resources and data. The most common data source that these modern systems analyze is the operating system audit trail, which provides a fingerprint of system events over time. In this research, the Basic Security Module (BSM) auditing tool of Sun's Solaris operating environment was used in both an anomaly and a misuse detection approach. The anomaly detector consisted of a statistical likelihood analysis of system calls, while the misuse detector was built with a neural network trained on groupings of system calls. This experiment demonstrates the potential benefits of combining both aspects of detection in future IDSs to decrease false positive and false negative errors.
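As an added illustration of the anomaly-detection half described above (this is not code from the paper), the following scores a session of audit events by the statistical likelihood of its consecutive system-call pairs, trained on normal sessions. The event names follow Solaris BSM naming (AUE_EXECVE, AUE_OPEN_R, ...) but the sessions, the smoothing constant and the alert threshold are constructed assumptions, not values from the paper.

```python
from collections import Counter
from math import log

# Constructed, simplified BSM-style audit trail: one event name per record,
# grouped per login session. Illustrative only, not real captured audit data.
NORMAL_SESSIONS = [
    ["AUE_EXECVE", "AUE_OPEN_R", "AUE_CLOSE", "AUE_EXIT"],
    ["AUE_EXECVE", "AUE_OPEN_R", "AUE_CLOSE", "AUE_OPEN_W", "AUE_CLOSE", "AUE_EXIT"],
    ["AUE_FORK", "AUE_EXECVE", "AUE_OPEN_R", "AUE_CLOSE", "AUE_EXIT"],
]
UNK = "<UNK>"  # bucket for event types never seen during training


class SyscallBigramModel:
    """Likelihood model over consecutive audit events (bigrams)."""

    def __init__(self, alpha=0.5):
        self.alpha = alpha      # additive smoothing so unseen pairs keep a small non-zero probability
        self.pair = Counter()   # count of (previous, next) transitions
        self.ctx = Counter()    # how often each event appears as a 'previous'
        self.vocab = {UNK}

    def fit(self, sessions):
        for s in sessions:
            self.vocab.update(s)
            for a, b in zip(s, s[1:]):
                self.pair[(a, b)] += 1
                self.ctx[a] += 1
        return self

    def _norm(self, ev):
        return ev if ev in self.vocab else UNK

    def transition_prob(self, a, b):
        a, b = self._norm(a), self._norm(b)
        return (self.pair[(a, b)] + self.alpha) / (self.ctx[a] + self.alpha * len(self.vocab))

    def surprise(self, session):
        """Mean negative log-likelihood per transition; higher means less like training data."""
        pairs = list(zip(session, session[1:]))
        if not pairs:                      # a one-event session has no transitions to score
            return 0.0
        return -sum(log(self.transition_prob(a, b)) for a, b in pairs) / len(pairs)


def is_anomalous(model, session, threshold=1.5):
    """Assumed alert threshold; in practice it is tuned on held-out normal sessions."""
    return model.surprise(session) > threshold


if __name__ == "__main__":
    model = SyscallBigramModel().fit(NORMAL_SESSIONS)
    odd = ["AUE_EXECVE", "AUE_SETUID", "AUE_OPEN_W", "AUE_CHMOD", "AUE_EXIT"]  # constructed
    print(round(model.surprise(NORMAL_SESSIONS[0]), 3), is_anomalous(model, NORMAL_SESSIONS[0]))
    print(round(model.surprise(odd), 3), is_anomalous(model, odd))
```

The per-transition surprise rises sharply for sessions containing event types or orderings absent from training, which is what the likelihood analysis flags; the threshold trades false positives against false negatives, the balance the paper argues a combined anomaly/misuse design can improve.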