Rule-Based Penetration Identification

• Based on expert system technology

• Uses rules for identifying known penetrations or ones that exploit known weaknesses – suspicion rating

• Rules generated by experts and system specific

• Strength is a function of the skills of the rule makers – hire a hacker

• Early systems: NIDX, IDES, Haystack – late 80’s

• Best approach is a high level model that is independent of specific audit records

• USTAT, a state transition model, deals with general actions and reduces the number of rules