Degree Name

Doctor of Philosophy


Department of Computer Science


This thesis proposes new approaches to the development of efficient and reliable intrusion detection systems and describes the development of a continuous case-based intrusion detection tool, called AutoGuard. To deal with the uncertainty in the audited data on the target systems, we use Probabilistic and Evidential Reasoning to detect abnormality in the user behavior more effectively. These two methods provide a natural representation of approximate and uncertain information. Evidential Reasoning also provides a formal basis for the key operations of fusion and translation needed to integrate multiple sources of information.

Case-based reasoning provides a useful approach for representing knowledge about past intrusions into computer systems and facilitates mechanisms for retrieving and using relevant past cases to solve and reason about new situations.

AutoGuard is an advanced case-based reasoning system that analyzes the audit trails of multi-user computer systems in search of impending security violations. AutoGuard presents intrusions as cases within its case-base and uses them to seek out those events within the target system corresponding to known intrusion scenarios. Unlike comparable analysis tools that pattern match sequences of audit records to the expected audit trails of known penetrations, AutoGuard focuses on the class of penetrations and the effects that the individual steps of a penetration have on the system. The case-base is more intuitive to read and update than current penetration rule-bases and allows the system to provide greater functionality to detect impending compromises.