Software Decoys: Intrusion Detection and Countermeasures

Abstract

We introduce the notion of an intelligent software decoy, and provide both an architecture and an event-based language for implementing such decoys automatically. Our decoys detect and respond to patterns of suspicious behavior, and maintain a repository of rules for behavior patterns and decoying actions. As an example, we construct a model of system behavior from an initial list of event types and their attributes in the interaction between computer worms and an operating system. The model represents patterns of suspicious or malicious events that the software decoy should detect, and specific actions to be taken in response. Our approach explicitly treats both standard and nonstandard invocations of components, with the latter representing an attempt to circumvent the public interface of the component.

Document Details

Document Type
Technical Report
Publication Date
Jun 01, 2002
Accession Number
ADA487425

Entities

People

  • James Bret Michael
  • Mikhail I. Auguston
  • Neil C. Rowe
  • Richard D. Riehle

Organizations

  • Naval Postgraduate School

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • C Programming Language
  • Computer Languages
  • Computer Programming
  • Computer Programs
  • Computer Science
  • Computer Worms
  • Computers
  • Countermeasures
  • Cybersecurity
  • Debugging
  • Detection
  • Intrusion Detection
  • Language
  • Military Research
  • Object Code
  • Operating Systems
  • United States Military Academy

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Database Systems and Applications
  • Sensor Fusion and Tracking Systems