Improving Intrusion Detection in Unix-based Networks

Abstract

Computer security has not kept pace with the rapid growth of networked systems. Through its connection to the Internet, the Department of Defense is vulnerable to computer-based attacks. Current intrusion detection systems are still unproven, too complicated, or too costly for most system security officers to implement. The attack methods used by system intruders are known and can be represented as groups of commands called attack signatures. This thesis investigates methods for detecting intruders by monitoring command usage. Testing was conducted in both controlled and uncontrolled circumstances. With controlled testing, it was shown that 7 of the 11 signatures could be detected through command monitoring. Command recording deficiencies prevented all 11 signatures from being detected. With uncontrolled testing, users were monitored without their knowledge for one month. No actual attacks were observed, but there were 18 instances of false positives out of 145,066 monitored commands. The implemented system was successful at detecting most attacks, with only a small percentage of false positives. This thesis is an intermediate step in exploring methods to better protect Air Force systems from attack. Future work should aim to detect attacks before they are fully completed by monitoring networks at the packet level.
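The detection approach the abstract describes, as an added illustration that is not the thesis's own system: a signature is an ordered group of command names, matched per user against a sliding window of that user's recent commands. The command log and the signature below are constructed for the example; the single hit it produces on a routine administrative sequence is exactly the kind of false positive the abstract counts.

```python
from collections import defaultdict, deque

# Constructed sample of a monitored command stream as (user, command); not real data.
SAMPLE_LOG = [
    ("alice", "ls"), ("alice", "id"), ("bob", "vi"), ("alice", "uname"),
    ("bob", "make"), ("alice", "su"), ("bob", "id"), ("bob", "ls"),
    ("bob", "cat"), ("bob", "ls"), ("bob", "uname"), ("bob", "ls"), ("bob", "su"),
]

# Hypothetical signature: commands must appear in this order (other commands may
# be interleaved) within the last WINDOW commands issued by one user.
SIGNATURES = {"recon-then-switch-user": ("id", "uname", "su")}
WINDOW = 5


def is_subsequence(pattern, seq):
    """True if every element of pattern occurs in seq, in order."""
    it = iter(seq)
    return all(any(c == p for c in it) for p in pattern)


def scan(log, signatures=SIGNATURES, window=WINDOW):
    """Return alerts as (log index, user, signature name) for every signature hit."""
    history = defaultdict(lambda: deque(maxlen=window))  # per-user recent commands
    alerts = []
    for i, (user, cmd) in enumerate(log):
        history[user].append(cmd)
        for name, pattern in signatures.items():
            # Only check when the signature's final command has just arrived.
            if cmd == pattern[-1] and is_subsequence(pattern, history[user]):
                alerts.append((i, user, name))
    return alerts


def alert_rate(log):
    """Fraction of monitored commands that raised an alert (the abstract's 18/145,066)."""
    return len(scan(log)) / len(log)


if __name__ == "__main__":
    for idx, user, sig in scan(SAMPLE_LOG):
        print(f"command #{idx}: user {user} matched signature {sig}")
    print(f"alert rate: {alert_rate(SAMPLE_LOG):.4f}")
```

Bob's session contains the same three commands, but too far apart to fall inside one window, so only Alice's sequence is reported; widening the window trades missed detections for more false positives.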
