Intrusion Classification
Before we can discuss detecting intrusions, we must define what we mean by an intrusion. All intrusions are defined relative to a security policy. Unless you know what is and is not allowed on your system, it's pointless to attempt to catch intrusions.
An intrusion can be defined as [HeadyLugerEtAl:90]:
any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
Intrusions can be categorized into two main classes: misuse intrusions and anomalous intrusions.
As misuse intrusions follow well-defined patterns, they can be detected by doing pattern matching on audit-trail information. For example, an attempt to create a setuid file can be caught by examining log messages resulting from system calls. This can be done using a pattern matching approach such as in [KumarSpafford:94].
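The following is an added example (not code from the original text or from any of the cited papers) of the kind of pattern matching on audit-trail information described above. The audit record format is a constructed, simplified syscall log, not the layout of any real audit subsystem; the signatures encode the "setuid file created" case from the text plus the analogous setgid case.

```python
"""Signature-based (misuse) detection over a constructed audit trail.

Added example for illustration; the record layout below is invented and
simplified. Each line is:  <pid> <uid> <syscall> path=<path> mode=<octal>
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

S_ISUID = 0o4000  # setuid bit in a POSIX file mode
S_ISGID = 0o2000  # setgid bit in a POSIX file mode

# Constructed sample audit records (not real log data).
SAMPLE_AUDIT = """\
1201 1000 chmod path=/home/alice/notes.txt mode=0644
1204 1000 chmod path=/tmp/work/tool mode=4755
1207 0 open path=/etc/passwd mode=0644
this line is not a valid record
1210 1000 creat path=/tmp/helper mode=2755
1213 1000 fchmod path=/home/alice/bin/tool mode=0755
"""

RECORD_RE = re.compile(
    r"^(?P<pid>\d+) (?P<uid>\d+) (?P<syscall>\w+) "
    r"path=(?P<path>\S+) mode=(?P<mode>[0-7]+)$"
)


@dataclass
class Alert:
    rule: str
    pid: int
    uid: int
    path: str


def parse_record(line: str) -> Optional[dict]:
    """Parse one audit line; return None for lines that do not match the format."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {
        "pid": int(d["pid"]),
        "uid": int(d["uid"]),
        "syscall": d["syscall"],
        "path": d["path"],
        "mode": int(d["mode"], 8),  # octal mode string -> int
    }


# Each signature is a (name, predicate) pair; the predicate is the "pattern".
MODE_SETTING_CALLS = {"chmod", "fchmod", "creat"}
SIGNATURES: List[tuple[str, Callable[[dict], bool]]] = [
    ("setuid-file-created",
     lambda r: r["syscall"] in MODE_SETTING_CALLS and bool(r["mode"] & S_ISUID)),
    ("setgid-file-created",
     lambda r: r["syscall"] in MODE_SETTING_CALLS and bool(r["mode"] & S_ISGID)),
]


def match_signatures(audit_text: str) -> List[Alert]:
    """Run every signature over every parseable record; unparseable lines are skipped."""
    alerts: List[Alert] = []
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        for name, predicate in SIGNATURES:
            if predicate(rec):
                alerts.append(Alert(name, rec["pid"], rec["uid"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for a in match_signatures(SAMPLE_AUDIT):
        print(f"{a.rule}: pid={a.pid} uid={a.uid} path={a.path}")
```

Because each signature is an explicit predicate over a parsed record, adding a new misuse pattern means adding one pair to `SIGNATURES`; the detector only ever finds what it has been told to look for, which is exactly the limitation the anomaly-based approach below tries to address.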
Anomalous intrusions are detected by observing significant deviations from normal behavior. The classic model for anomaly detection was proposed by Denning [Denning:87]. In Denning's approach, a model is built which contains metrics that are derived from system operation. A metric is defined as:
a random variable x representing a quantitative measure accumulated over a period.
These metrics are computed from available system parameters such as average CPU load, number of network connections per minute, number of processes per user, etc.
An anomaly may be a symptom of a possible intrusion. Given a set of metrics which can define normal system usage, we assume that [Denning:87]:
exploitation of a system's vulnerabilities involves abnormal use of the system; therefore, security violations could be detected from abnormal patterns of system usage.
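Denning's model is easiest to see in code. The following is an added example (not code from the original text or from [Denning:87]) of the mean-and-standard-deviation form of the model: each metric is a random variable whose normal range is learned from past observations, and a new observation is flagged when it falls more than k standard deviations from the mean. The metric names and the baseline values are constructed for illustration.

```python
"""Statistical anomaly detection in the style of Denning's mean and
standard deviation model.

Added example; the metrics and baseline values are constructed.
"""
from statistics import mean, pstdev
from typing import Dict, List


class MetricProfile:
    """Profile of one metric: a random variable x measured over a period."""

    def __init__(self, name: str, k: float = 3.0, min_samples: int = 5):
        self.name = name
        self.k = k                      # how many std devs count as abnormal
        self.min_samples = min_samples  # refuse to judge on a tiny baseline
        self.samples: List[float] = []

    def train(self, values: List[float]) -> None:
        """Record observations that are known (or assumed) to be normal."""
        self.samples.extend(values)

    def is_anomalous(self, x: float) -> bool:
        """True if x deviates from the learned normal range."""
        if len(self.samples) < self.min_samples:
            return False  # edge case: no usable baseline yet
        mu = mean(self.samples)
        sigma = pstdev(self.samples)
        if sigma == 0:
            # edge case: a metric that never varied in training; any change is a deviation
            return x != mu
        return abs(x - mu) > self.k * sigma


class AnomalyDetector:
    """Holds one profile per metric and evaluates a snapshot of current values."""

    def __init__(self, profiles: List[MetricProfile]):
        self.profiles: Dict[str, MetricProfile] = {p.name: p for p in profiles}

    def evaluate(self, observation: Dict[str, float]) -> List[str]:
        """Return the names of the metrics whose current value is anomalous."""
        return [
            name for name, value in observation.items()
            if name in self.profiles and self.profiles[name].is_anomalous(value)
        ]

    def update(self, observation: Dict[str, float]) -> None:
        """Fold a non-anomalous observation into the baseline (adaptive profile)."""
        for name, value in observation.items():
            if name in self.profiles and not self.profiles[name].is_anomalous(value):
                self.profiles[name].train([value])


def build_demo_detector() -> AnomalyDetector:
    """Constructed baselines: mean 13.5 / sigma 1.5 connections per minute,
    and a constant 3 processes per user."""
    conns = MetricProfile("connections_per_minute")
    conns.train([12, 15, 11, 14, 13, 16, 12, 14, 15, 13])
    procs = MetricProfile("processes_per_user")
    procs.train([3, 3, 3, 3, 3])
    return AnomalyDetector([conns, procs])


if __name__ == "__main__":
    det = build_demo_detector()
    for snapshot in (
        {"connections_per_minute": 14, "processes_per_user": 3},
        {"connections_per_minute": 40, "processes_per_user": 3},
        {"connections_per_minute": 13, "processes_per_user": 4},
    ):
        print(snapshot, "->", det.evaluate(snapshot) or "normal")
```

The choice of k decides the trade-off between missed intrusions and false alarms; the `min_samples` guard and the zero-variance branch are the two edge cases a practitioner hits first, since an empty or constant baseline would otherwise either flag nothing or divide by nothing.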
Anomaly detection has also been performed through other mechanisms, such as neural networks [tan:neural-nets], machine learning classification techniques [lane-brodley:98, forrest-hofmeyr:97] and even mimicking of biological immune systems [hofmeyr-phdthesis:99].
Anomalous intrusions are harder to detect. There are no fixed patterns that can be monitored for, so a more "fuzzy" approach must be taken. Ideally we would like a system that combined human-like pattern matching capabilities with the vigilance of a computer program: it would always be monitoring the system for potential intrusions, but would be able to ignore spurious alerts that resulted from legitimate user actions.