[ISN] Audit data needed

From: mea culpa (jerichot_private)
Date: Mon Oct 26 1998 - 01:16:42 PST

    From: coastwatch-requestt_private
    Greetings, all.
    Several of our PhD students are researching advanced intrusion and anomaly 
    detection methods.  None of these methods rely on looking at standard audit 
    trails or network traces.  Instead, we're trying to do localized data 
    reduction and directed observation.
    The good part of such research is that it will likely result in better 
    methods of intrusion detection.  The downside is that we are having 
    difficulty getting "real" data of the kinds necessary to refine our results!
    Enclosed is a request put together by one of the students working on one of 
    the projects.  If any of you have data of the kind being sought and would be 
    willing to contribute it to our research, we would really appreciate it!
    Please respond directly to Terran (email address below) if you can assist.
    If your data can be shared with others, please let Terran know that too -- I 
    am certain he would be happy to share what he finds with others seeking the 
    same kinds of data.
    --gene spafford
    ------- Forwarded Message
    From:    Terran Lane <terrant_private>
    Call for Data
    Purdue's MILLENNIUM Machine Learning Lab is currently engaged in
    cooperative research with the Purdue CERIAS to develop machine
    learning techniques for the anomaly detection problem [1,2].  To date,
    we have developed a number of promising techniques for this domain,
    and have demonstrated the effectiveness of our methods in
    distinguishing different valid system users under normal working
    conditions [3-8].  To truly evaluate the utility of our techniques,
    however, it is critical to examine their performance with respect to
    instances of real attacks, misuses, and abuses.  Unfortunately, we do
    not currently have access to such data.  We are, therefore, requesting
    the donation of audit data recording known hostile actions for the
    purposes of profiling research codes and methods.  Although it would
    be valuable to make such data available to the research community at
    large, we are aware of the private and sensitive nature of such data
    and are willing to accept non-disclosure terms and/or sanitized data.
    While we are interested in all facets of this problem and all audit
    data recording genuine incidents is valuable, the most useful examples
    will meet the following criteria:
    - The data originates from a source close to the user interface level.
      Desired data sources, in order of utility to our current research
      directions, are:
      * Command line interface traces
      * Audit trails of command invocations (preferably with flags,
        environment, etc.)
      * GUI event traces
      * Network packet logs
      * System call traces
    - Labels, tags, descriptions, or other methods will be available to
      clearly distinguish data generated during the anomalous event from
      normal system usage.
    In addition, a quantity of known non-hostile data drawn from the same
    system or systems near the time of the security incidents will be
    necessary to calibrate detection systems under normal operating
    conditions and to demonstrate differentiation ability.
    [1] Anderson, J. P. Computer security threat monitoring and surveillance. Technical Report, James P. Anderson Co., Washington PA, 1980.
    [2] Denning, D. E. An intrusion-detection model. IEEE Transactions on Software Engineering, 13(2), pp. 222-232, 1987.
    [3] Lane, T. and Brodley, C. E. Detecting the abnormal: Machine learning in computer security. Technical Report TR-ECE 97-1, Purdue University School of Electrical and Computer Engineering, West Lafayette IN, 1997.
    [4] Lane, T. and Brodley, C. E. An application of machine learning to anomaly detection. In National Information Systems Security Conference, Baltimore MD, 1997.
    [5] Lane, T. and Brodley, C. E. Sequence matching and learning in anomaly detection for computer security. In Proceedings of the AAAI-97 Workshop on AI Approaches to Fraud Detection and Risk Management, 1997.
    [6] Lane, T. and Brodley, C. E. Approaches to online learning and concept drift for user identification in computer security. In Proceedings of the Fourth International Conference on Knowledge Discovery and Data Mining, 1998.
    [7] Lane, T. Filtering techniques for rapid user classification. In Proceedings of the AAAI-98/ICML-98 Joint Workshop on AI Approaches to Time-series Analysis, 1998.
    [8] Lane, T. and Brodley, C. E. Temporal sequence learning and data reduction for anomaly detection. In Proceedings of the Fifth ACM Conference on Computer and Communications Security, 1998 (to appear).
    Terran Lane   email=terrant_private
                  PGP key=http://mow.ecn.purdue.edu/~terran/facts/pgp_key.html
      "But I don't want to go among mad people," Alice remarked.
      "Oh, you can't help that," said the Cat: "we're all mad here. I'm mad.
          You're mad."
      "How do you know I'm mad?" said Alice.
      "You must be," said the Cat, "or you wouldn't have come here."
    ------- End of Forwarded Message
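An added example, not part of the original post or the Purdue lab's own code, illustrating the data criteria in the call: a profile of command n-grams is built from constructed non-hostile command-line traces, an alert threshold is calibrated on a held-out normal session from the same (constructed) user, and hit and false-alarm counts are then taken over a constructed incident trace whose rows carry the normal/anomalous labels the call asks donors to supply. The trace format, function names and the 4-command window are assumptions of this example.

```python
# Added example (not from the original post): a minimal sequence-profile anomaly
# detector showing why the call asks for labelled command traces plus known
# non-hostile data from the same system. All traces below are constructed.

def parse_trace(text):
    """Rows are 'label command...'; an unlabelled row counts as normal."""
    rows = []
    for line in text.strip().splitlines():
        label, _, cmd = line.strip().partition(" ")
        if label not in ("normal", "anomalous"):
            label, cmd = "normal", line.strip()
        rows.append((label, cmd))
    return rows

def ngrams(commands, n):
    return [tuple(commands[i:i + n]) for i in range(len(commands) - n + 1)]

def similarity(window, profile, n):
    """Fraction of the window's n-grams already seen in the normal profile."""
    grams = ngrams(window, n)
    return sum(g in profile for g in grams) / len(grams) if grams else 1.0

def score_trace(rows, profile, window, n):
    """Slide over the trace; a window is labelled anomalous if the donor tagged
    any command inside it as part of the incident."""
    cmds, labels = [c for _, c in rows], [l for l, _ in rows]
    return [(similarity(cmds[i:i + window], profile, n),
             "anomalous" if "anomalous" in labels[i:i + window] else "normal")
            for i in range(len(cmds) - window + 1)]

def evaluate(calibration, holdout, incident, window=4, n=2, margin=0.1):
    """Profile from calibration data, threshold from held-out normal data,
    then count hits and false alarms on the labelled incident trace."""
    profile = set(ngrams([c for _, c in parse_trace(calibration)], n))
    holdout_scores = [s for s, _ in score_trace(parse_trace(holdout), profile, window, n)]
    threshold = min(holdout_scores) - margin      # below this => raise an alert
    counts = {"threshold": threshold, "tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for score, label in score_trace(parse_trace(incident), profile, window, n):
        flagged, hostile = score < threshold, label == "anomalous"
        counts["tp" if flagged and hostile else "fp" if flagged else
               "fn" if hostile else "tn"] += 1
    return counts

# Constructed sessions: an edit-compile-run loop, a held-out normal session, and
# an incident whose tagged commands fall outside this user's usual pattern.
CALIBRATION = "cd src\nls -l\nvi main.c\nmake\n./a.out\nvi main.c\nmake\n./a.out\nls -l\ncd .."
HOLDOUT = "cd src\nvi main.c\nmake\n./a.out\nls -l\ncd .."
INCIDENT = "\n".join([
    "normal cd src", "normal ls -l", "normal vi main.c", "normal make", "normal ./a.out",
    "anomalous who", "anomalous finger", "anomalous uname -a", "anomalous ps -ef",
    "normal ls -l", "normal cd ..",
])

if __name__ == "__main__":
    print(evaluate(CALIBRATION, HOLDOUT, INCIDENT))
```

The first window that straddles the boundary into the tagged segment is missed because three of its four commands are still normal, which is exactly the kind of edge that only labelled real data can reveal when tuning window size and margin.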

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:08:47 PDT