USTAT A Real-time Intrusion Detection System for UNIX By: Koral Ilgun. Overview:. Introduction to USTAT -- State Transition Analysis Tool for Unix Key issues System components Implementation issues Evaluation of USTAT. Introduction to USTAT. Misuse detector
A Real-time Intrusion Detection System for UNIX
By: Koral Ilgun
User creates link
User executes file
euid(user) = root
euid(user) = not root
File ‘target’ is root’s setuid shell script that contains
the #!/bin/sh mechanism
I.e. a user (non-root) running an interactive shell
with an effective user id of root
Informs sys admin about results of the inference engine
Is compromise about to occur?
Has compromise occurred?
Play an active role in preempting the attack!
However, note that USTAT input comes from
the OS (Unix) audit log