Intrusions and Intrusion Classification
Definition:
An intrusion can be defined as any set of actions that attempt
to compromise the integrity, confidentiality or availability of
a resource. All intrusions are defined relative to a security policy.
Intrusions can be categorized into two main classes:
- Misuse intrusions are well defined attacks on known weak points
of a system. They can be detected by watching for certain actions
being performed on certain objects.
- Anomaly intrusions are based on observations of deviations from
normal system usage patterns. They are detected by building up
a profile of the system being monitored, and detecting significant
deviations from this profile.
As misuse intrusions follow well-defined patterns, they can be
detected by pattern matching on audit-trail information.
For example, an attempt to create a setuid file can be caught
by examining the log messages that result from the relevant
system calls and matching them against the known pattern.
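The following is an added example, not code from the original text: a small misuse detector that parses constructed, simplified audit-trail records (key=value lines that are not real auditd output) and matches each system-call record against signature rules, including the setuid-file case mentioned above. The exemption of uid 0 from the setuid rule and the list of protected paths are hypothetical policy values, standing in for the security policy that every intrusion is defined against.

```python
from dataclasses import dataclass, field

# Constructed, simplified audit-trail records in key=value form (not real auditd output).
# Each line is one system call made by a process running as uid; modes are octal strings.
SAMPLE_AUDIT = """\
ts=1001 uid=1001 syscall=open path=/home/alice/notes.txt flags=O_RDONLY
ts=1002 uid=1001 syscall=chmod path=/tmp/helper mode=04755
ts=1003 uid=0 syscall=chmod path=/usr/bin/passwd mode=04755
ts=1004 uid=1002 syscall=creat path=/tmp/build.log mode=0644
ts=1005 uid=1002 syscall=creat path=/tmp/sh mode=06755
ts=1006 uid=1001 syscall=open path=/etc/shadow flags=O_RDONLY
"""

SETUID_BIT = 0o4000
SETGID_BIT = 0o2000
MODE_SYSCALLS = {"chmod", "fchmod", "creat", "open", "mkdir"}

# Hypothetical security policy the rules are evaluated against: root installing
# setuid binaries (e.g. a package manager) is expected, so uid 0 is exempt from
# the setuid rule; reads of the protected files by non-root processes are not.
SETUID_EXEMPT_UIDS = {0}
PROTECTED_PATHS = {"/etc/shadow", "/etc/passwd"}


@dataclass
class Record:
    ts: int
    uid: int
    syscall: str
    fields: dict = field(default_factory=dict)


@dataclass
class Alert:
    ts: int
    uid: int
    rule: str
    detail: str


def parse_record(line):
    """Turn one 'k=v k=v ...' line into a Record; keys other than ts/uid/syscall stay in fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Record(int(fields.pop("ts")), int(fields.pop("uid")), fields.pop("syscall"), fields)


def parse_audit(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rule_setuid_creation(rec):
    """Misuse pattern: a file is created or re-moded with the setuid/setgid bit set."""
    if rec.syscall in MODE_SYSCALLS and "mode" in rec.fields and rec.uid not in SETUID_EXEMPT_UIDS:
        mode = int(rec.fields["mode"], 8)
        if mode & (SETUID_BIT | SETGID_BIT):
            return f"{rec.syscall} {rec.fields['path']} mode={rec.fields['mode']}"
    return None


def rule_protected_file_access(rec):
    """Misuse pattern: a non-root process opens a protected file."""
    if rec.syscall == "open" and rec.uid != 0 and rec.fields.get("path") in PROTECTED_PATHS:
        return f"open {rec.fields['path']} flags={rec.fields.get('flags')}"
    return None


RULES = {
    "setuid_creation": rule_setuid_creation,
    "protected_file_access": rule_protected_file_access,
}


def detect_misuse(audit_text, rules=RULES):
    """Run every rule over every record; each match becomes one alert."""
    alerts = []
    for rec in parse_audit(audit_text):
        for name, rule in rules.items():
            detail = rule(rec)
            if detail:
                alerts.append(Alert(rec.ts, rec.uid, name, detail))
    return alerts


if __name__ == "__main__":
    for a in detect_misuse(SAMPLE_AUDIT):
        print(f"[{a.ts}] uid={a.uid} {a.rule}: {a.detail}")
```

Each rule is a pure function of one record, so adding a new misuse signature means adding a function to `RULES` rather than touching the matching loop; the policy constants are what decide whether root's `chmod 04755` on `/usr/bin/passwd` is an intrusion or routine administration.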
Anomalous intrusions are detected by observing significant deviations
from normal behavior. The classic model for anomaly detection
contains metrics that are derived from system operation. An anomaly
may be a symptom of a possible intrusion. Given a set of metrics
which can define normal system usage, we assume that exploitation
of a system's vulnerabilities involves abnormal use of the system;
therefore, security violations could be detected from abnormal
patterns of system usage.
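As an added example (not from the original text) of the classic metric-based model, the code below builds a per-user profile from constructed training sessions, each a set of metrics derived from system operation, and flags a new session when any metric deviates from the profile by more than a chosen number of standard deviations. The metric names, training values and the threshold of 3 standard deviations are assumptions for illustration; the handling of a metric that was constant during training (zero standard deviation) is the edge case a practitioner has to decide on explicitly.

```python
import math
import statistics

Z_THRESHOLD = 3.0  # assumed policy: flag metrics more than 3 standard deviations from the mean

# Constructed per-session metrics for one user over a training window (not real data).
# Each dict is one observed session; keys are metrics derived from system operation.
TRAINING_SESSIONS = [
    {"logins_per_hour": 4, "files_read": 30, "failed_su": 0},
    {"logins_per_hour": 5, "files_read": 35, "failed_su": 0},
    {"logins_per_hour": 4, "files_read": 28, "failed_su": 0},
    {"logins_per_hour": 6, "files_read": 40, "failed_su": 0},
    {"logins_per_hour": 5, "files_read": 33, "failed_su": 0},
    {"logins_per_hour": 4, "files_read": 31, "failed_su": 0},
    {"logins_per_hour": 5, "files_read": 36, "failed_su": 0},
    {"logins_per_hour": 6, "files_read": 29, "failed_su": 0},
    {"logins_per_hour": 4, "files_read": 34, "failed_su": 0},
    {"logins_per_hour": 5, "files_read": 32, "failed_su": 0},
]


def build_profile(sessions):
    """Profile = (mean, sample standard deviation) per metric over the training sessions."""
    profile = {}
    for metric in sessions[0]:
        values = [s[metric] for s in sessions]
        profile[metric] = (statistics.mean(values), statistics.stdev(values))
    return profile


def z_score(value, mean, sd):
    """Standardised deviation of one observation from the profile for that metric."""
    if sd == 0:
        # The metric never varied during training: any change at all is a full deviation.
        return 0.0 if value == mean else math.inf
    return (value - mean) / sd


def score_session(profile, session, threshold=Z_THRESHOLD):
    """Return (metric, z) for every metric whose deviation exceeds the threshold."""
    deviations = []
    for metric, (mean, sd) in profile.items():
        z = z_score(session.get(metric, 0), mean, sd)
        if abs(z) > threshold:
            deviations.append((metric, z))
    return deviations


def is_anomalous(profile, session, threshold=Z_THRESHOLD):
    return bool(score_session(profile, session, threshold))


def update_profile(sessions, session, threshold=Z_THRESHOLD):
    """Fold a session into the profile only if it is not itself anomalous, so that an
    intrusion does not teach the detector that its own behaviour is normal."""
    if is_anomalous(build_profile(sessions), session, threshold):
        return sessions, False
    return sessions + [session], True


if __name__ == "__main__":
    profile = build_profile(TRAINING_SESSIONS)
    normal = {"logins_per_hour": 5, "files_read": 35, "failed_su": 0}
    suspect = {"logins_per_hour": 5, "files_read": 400, "failed_su": 3}
    print("profile:", profile)
    print("normal session anomalous:", is_anomalous(profile, normal))
    print("suspect session deviations:", score_session(profile, suspect))
```

The profile is deliberately small: a mean and a spread per metric. What matters for the model in the text is the separation of roles: the training window defines normal usage, the threshold encodes how much deviation the policy tolerates, and `update_profile` shows why the profile should not absorb sessions it has just flagged.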
Anomaly detection has also been performed through other mechanisms,
such as neural networks, machine learning classification techniques
and even approaches that mimic the biological immune system.