14th Annual Computer Security Applications Conference
December 7-11, 1998
Phoenix, Arizona


NetSTAT: A Network-based Intrusion Detection Approach

Giovanni Vigna and Richard A. Kemmerer
Reliable Software Group
Department of Computer Science
University of California Santa Barbara

Network-based attacks have become common and sophisticated. For this reason, intrusion detection systems are now shifting their focus from the hosts and their operating systems to the network itself. Network-based intrusion detection is challenging because network auditing produces large amounts of data, and different events related to a single intrusion may be visible in different places on the network. This paper presents NetSTAT, a new approach to network intrusion detection. By using a formal model of both the network and the attacks, NetSTAT is able to determine which network events have to be monitored and where they can be monitored.
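A toy illustration of the placement idea in the abstract, added here and not taken from the paper or from NetSTAT's code: given a model of the network and of an attack scenario, compute on which links each attack event is visible and where probes would have to sit. The topology, the scenario, and the rule that an event is visible on every link along its shortest path are all constructed assumptions.

```python
from collections import deque

# Constructed topology (assumption): link name -> hosts attached to that link.
LINKS = {
    "L1": {"client", "router"},
    "L2": {"router", "server", "admin"},
    "L3": {"router", "outside"},
}

# Constructed attack scenario (assumption): ordered (src, dst, description) events.
SCENARIO = [
    ("outside", "server", "probe request"),
    ("outside", "client", "spoofed reply claiming to come from server"),
]

def path_links(links, src, dst):
    """Breadth-first search over hosts; returns the links crossed from src to dst."""
    queue, seen = deque([(src, [])]), {src}
    while queue:
        host, path = queue.popleft()
        if host == dst:
            return path
        for name in sorted(links):
            if host in links[name]:
                for nxt in sorted(links[name] - seen):
                    seen.add(nxt)
                    queue.append((nxt, path + [name]))
    raise ValueError(f"no path {src} -> {dst}")

def visibility(links, scenario):
    """Map each link to the indices of the scenario events that cross it."""
    seen_on = {name: [] for name in links}
    for i, (src, dst, _) in enumerate(scenario):
        for name in path_links(links, src, dst):
            seen_on[name].append(i)
    return seen_on

def probe_sites(links, scenario):
    """Links where one probe observes every event of the scenario."""
    vis = visibility(links, scenario)
    return sorted(n for n, evs in vis.items() if len(evs) == len(scenario))

def probe_cover(links, scenario):
    """Greedy link selection so each event is seen by at least one probe."""
    vis, todo, chosen = visibility(links, scenario), set(range(len(scenario))), []
    while todo:
        best = max(sorted(vis), key=lambda n: len(todo & set(vis[n])))
        if not todo & set(vis[best]):
            raise ValueError("some event crosses no link and cannot be observed")
        chosen.append(best)
        todo -= set(vis[best])
    return chosen
```

When `probe_sites` returns an empty list, no single vantage point sees the whole scenario, and `probe_cover` gives a set of links whose probes would have to correlate their observations.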