17th Annual Computer Security Applications Conference
December 10-14, 2001
New Orleans, Louisiana

eXpert-BSM: A Host-based Intrusion Detection Solution for Sun Solaris

Ulf Lindqvist, Phillip Porras
SRI International

eXpert-BSM is a real time forward-reasoning expert system that analyzes Sun Solaris audit trails. Based on many years of intrusion detection research, eXpert-BSM's knowledge base detects a wide range of specific and general forms of misuse, provides detailed reports and recommendations to the system operator, and has a low false-alarm rate. Host-based intrusion detection offers the ability to detect misuse and subversion through the direct monitoring of processes inside the host, providing an important complement to network-based surveillance. Suites of eXpert-BSMs may be deployed throughout a network, and their alarms managed, correlated, and acted on by remote or local subscribing security services, thus helping to address issues of decentralized management. Inside the host, eXpert-BSM is intended to operate as a true security daemon for host systems, consuming few CPU cycles and very little memory and secondary storage. eXpert-BSM has been available for download on the Internet since April 2000, and has been successfully deployed in several production environments.

Keywords: Security, Intrusion detection, Host-based, Audit, Unix, Solaris

Read Paper Read Paper (in PDF)