Publication Abstract

Cunningham, R.K., Lippmann, R.P., Kassay, D.A., Webster, S.E., Zissman, M.A., Host-Based Bottleneck Verification Efficiently Detects Novel Computer Attacks, MILCOM 1999, October 1999.

Abstract

Bottleneck verification detects novel computer attacks by looking for users performing operations at a high privilege level without passing through legal "bottleneck" programs that grant those privileges. This approach has been used with network sniffing data to analyze telnet and rlogin network sessions to UNIX hosts and with Solaris Basic Security Module (BSM) host-based audit data. An off-line version of Bottleneck Verification performs at a false alarm rate more than two orders of magnitude lower than a reference key-string system, while simultaneously increasing the detection rate from roughly 20% to 80% for user-to-superuser attacks. Recent development of a real-time host-based version demonstrates that Bottleneck Verification can rapidly and accurately detect attacks, while adding very little load to the protected system. Furthermore, a simple extension allows a system to detect the use of backdoors installed prior to system installation.
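The host-based rule the abstract describes, as an added illustration that is not code from the paper: every transition of a process to effective uid 0 must be explained by the most recent exec of a legal bottleneck program, otherwise an alert is raised. The audit records, the `BOTTLENECKS` set and the sample session are constructed for this example and only loosely mirror BSM's real record fields.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed set of legal privilege-granting ("bottleneck") programs for this example.
BOTTLENECKS = {"/usr/bin/su", "/usr/bin/login"}

@dataclass
class AuditRecord:
    """Simplified stand-in for a BSM audit record (constructed, not BSM's real format)."""
    pid: int
    event: str        # "fork", "exec" or "setuid"
    auid: int         # audit id: the uid the user logged in with; survives su
    euid: int         # effective uid after the event
    path: str = ""    # program image for exec events
    ppid: int = 0     # parent pid for fork events

def bottleneck_verify(records: List[AuditRecord]) -> List[str]:
    """Alert on every transition to euid 0 not produced by a bottleneck program."""
    cur_euid: Dict[int, int] = {}   # pid -> effective uid as last seen
    last_exec: Dict[int, str] = {}  # pid -> program most recently exec'd by that pid
    alerts: List[str] = []
    for r in records:
        if r.event == "fork":
            # A child inherits its parent's privilege and program image.
            cur_euid[r.pid] = cur_euid.get(r.ppid, r.auid)
            last_exec[r.pid] = last_exec.get(r.ppid, "")
            continue
        prev = cur_euid.get(r.pid, r.auid)
        if r.event == "exec":
            last_exec[r.pid] = r.path
        if r.euid == 0 and prev != 0 and last_exec.get(r.pid) not in BOTTLENECKS:
            alerts.append(f"pid {r.pid} auid {r.auid}: root via "
                          f"{last_exec.get(r.pid, '?')} ({r.event})")
        cur_euid[r.pid] = r.euid
    return alerts

# Constructed sample session: a legitimate su, then a root process obtained
# by a local program that never passed through a bottleneck.
SAMPLE = [
    AuditRecord(100, "exec", 1000, 1000, "/bin/sh"),
    AuditRecord(101, "fork", 1000, 1000, ppid=100),
    AuditRecord(101, "exec", 1000, 0, "/usr/bin/su"),         # setuid-root bottleneck: allowed
    AuditRecord(101, "exec", 1000, 0, "/bin/sh"),             # root shell reached via su: allowed
    AuditRecord(102, "fork", 1000, 1000, ppid=100),
    AuditRecord(102, "exec", 1000, 1000, "/tmp/untrusted_prog"),
    AuditRecord(102, "setuid", 1000, 0),                      # root without a bottleneck: alert
    AuditRecord(103, "fork", 1000, 0, ppid=102),
    AuditRecord(103, "exec", 1000, 0, "/bin/sh"),             # inherited root, already reported
]
```

Keying on the audit id rather than the current uid is what lets the check attribute a root shell back to the login session that obtained it, which is also why the same logic extends to the backdoor case mentioned at the end of the abstract.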