DERBI is a different kind of intrusion detection system. Rather than instrumenting a computer system to detect intrusions in real time, DERBI is designed to analyze a computer’s file systems after the fact to see if there is evidence of an intrusion. DERBI is not intended to supplant a real-time IDS, as it is better to stop an intrusion before it happens. However, in a well-protected site, DERBI could be used in conjunction with a traditional IDS. If an attack somehow avoids or neutralizes the IDS, DERBI may be able to find information useful in determining whether there was an attack and what happened.