This paper describes a system for detecting malevolent behavior in a computer network. The system, called DAMaR (a French acronym for Advanced Detection of Malevolences in a Computer Network), analyzes users' behavior, which is characterized by quantitative components such as CPU time, average number of erroneous connections, and average number of uses of system and software primitives, and by qualitative components such as day and time of regular connections and workstation number. Any change in behavior may be interpreted as a malevolent intention. Whenever a user's profile changes significantly, an enquiry is triggered. The profile is not predefined but is initialized during a learning period in which the system observes users. To avoid network saturation, users are assigned to risk classes. At the beginning, all users are placed in the same class. Variations in a user's behavior induce class changes. The system has been implemented on a UNIX network in a centralized mode. It allowed us to illustrate the dynamics of the model by exhibiting user class changes.
AKOKA, J., BRIOLAT, D. and COMYN-WATTIAU, I. (1998). La sécurité des réseaux : une approche de détection de malveillances. Systèmes d'Information et Management, pp. 23-42.