eXpert-BSM: a host-based intrusion detection solution for Sun Solaris

Abstract

EXpert-BSM is a real time forward-reasoning expert systemthat analyzes Sun Solaris audit trails. Based on manyyears of intrusion detection research, eXpert-BSM's knowledgebase detects a wide range of specific and general formsof misuse, provides detailed reports and recommendationsto the system operator, and has a low false-alarm rate.Host-based intrusion detection offers the ability to detectmisuse and subversion through the direct monitoring of processesinside the host, providing an important complementto network-based surveillance. Suites of eXpert-BSMs maybe deployed throughout a network, and their alarms managed,correlated, and acted on by remote or local subscribingsecurity services, thus helping to address issues of decentralizedmanagement. Inside the host, eXpert-BSM isintended to operate as a true security daemon for host systems,consuming few CPU cycles and very little memoryand secondary storage. eXpert-BSM has been availablefor download on the Internet since April 2000, and has beensuccessfully deployed in several production environments.