Conference: IEEE Symposium on Security and Privacy

Detecting computer and network misuse through the production-based expert system toolset (P-BEST)


Abstract

This paper describes an expert system development toolset called the Production-Based Expert System Toolset (P-BEST) and how it is employed in the development of a modern generic signature-analysis engine for computer and network misuse detection. For more than a decade, earlier versions of P-BEST have been used in intrusion detection research and in the development of some of the most well-known intrusion detection systems, but this is the first time the principles and language of P-BEST are described to a wide audience. We present rule sets for detecting subversion methods against which there are few defenses, specifically SYN flooding and buffer overruns, and provide performance measurements. Together, these examples and performance measurements indicate that P-BEST-based expert systems are well suited for real-time misuse detection in contemporary computing environments. In addition, the simplicity of the P-BEST language and its close integration with the C programming language make it easy to use while still being very powerful and flexible.