Systèmes d'Information et Management


This paper describes a system allowing us to detect malevolences in a computer network. This system, called DAMaR (a French acronym for Advanced Detection of Malevolences in a Computer Network), analyzes users behavior characterized by quantitative components such as CPU time, average number of erroneous connections, average number of system and software primitives usage, etc. and qualitative components such as day and time of regular connections, workstation number, etc. Any change in the behavior may be interpreted as a malevolent intention. Whenever user profile changes in a significant manner, an enquiry is triggered. The profile is not predefined but initialized during a learning period where the system observes users. To avoid network saturation, users are assigned to risk classes. At the beginning, all the users are located in the same class. Users behavior variations induce class changes. The system has been implemented on a UNIX network on a centralized mode. It allowed us to illustrate the dynamics of the model by exhibiting user class changes.