Intrusion Classification

Before we can discuss detecting intrusions, we must define what we mean by an intrusion. All intrusions are defined relative to a security policy. Unless you know what is and is not allowed on your system, it's pointless to attempt to catch intrusions.

An intrusion can be defined as [HeadyLugerEtAl:90]:

any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.

Intrusions can be categorized into two main classes:

  1. Misuse intrusions are well defined attacks on known weak points of a system. They can be detected by watching for certain actions being performed on certain objects.
  2. Anomaly intrusions are based on observations of deviations from normal system usage patterns. They are detected by building up a profile of the system being monitored, and detecting significant deviations from this profile.

As misuse intrusions follow well-defined patterns, they can be detected by pattern matching on audit-trail information. For example, an attempt to create a setuid file can be caught by examining the log messages resulting from system calls. This can be done with a pattern matching approach such as that of [KumarSpafford:94].

Anomalous intrusions are detected by observing significant deviations from normal behavior. The classic model for anomaly detection was proposed by Denning [Denning:87]. In Denning's approach, a model is built which contains metrics that are derived from system operation. A metric is defined as:

a random variable x representing a quantitative measure accumulated over a period.

These metrics are computed from available system parameters such as average CPU load, number of network connections per minute, number of processes per user, etc.

An anomaly may be a symptom of a possible intrusion. Given a set of metrics which can define normal system usage, we assume that [Denning:87]:

exploitation of a system's vulnerabilities involves abnormal use of the system; therefore, security violations could be detected from abnormal patterns of system usage.
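The Denning-style model described above, as an added example that is not part of the original page: a per-user profile of the "network connections per minute" metric is built from a constructed audit trail, and live observations more than k standard deviations above the profile mean are reported. The record format `<minute> <user> connect`, the user names and the threshold k=3 are assumptions for the illustration.

```python
import re
from collections import defaultdict
from statistics import mean, stdev

# Assumed audit-trail record format (constructed for this example): "<minute> <user> connect".
CONNECT = re.compile(r"^(?P<minute>\d+) (?P<user>\w+) connect\b")

# Constructed training data: connections per minute for minutes 0-9.
ALICE_TRAIN = [3, 2, 4, 3, 3, 2, 4, 3, 3, 3]
BOB_TRAIN = [1, 0, 2, 1, 1, 1, 0, 2, 1, 1]
TRAINING_LOG = [f"{m} alice connect" for m, n in enumerate(ALICE_TRAIN) for _ in range(n)] \
             + [f"{m} bob connect" for m, n in enumerate(BOB_TRAIN) for _ in range(n)]
# Constructed live data: minute 10 looks normal; in minute 11 bob opens 40 connections.
LIVE_LOG = (["10 alice connect"] * 3 + ["10 bob connect"]
            + ["11 alice connect"] * 3 + ["11 bob connect"] * 40)


def connections_per_minute(lines):
    """Metric: connections per user per minute, with zeros for quiet minutes."""
    minutes, counts = set(), defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = CONNECT.match(line)
        if m:
            minutes.add(int(m["minute"]))
            counts[m["user"]][int(m["minute"])] += 1
    return {u: {mi: counts[u].get(mi, 0) for mi in sorted(minutes)} for u in counts}


def build_profile(per_minute):
    """Profile = (mean, standard deviation) of the metric for each user."""
    return {u: (mean(c.values()), stdev(c.values())) for u, c in per_minute.items()}


def detect(profile, per_minute, k=3.0):
    """Flag observations more than k standard deviations above the profile mean."""
    hits = []
    for user, by_minute in per_minute.items():
        # A user without a profile is treated as mean 0, so any activity is flagged.
        mu, sigma = profile.get(user, (0.0, 0.0))
        for minute, n in sorted(by_minute.items()):
            if n <= mu:
                continue
            z = (n - mu) / sigma if sigma else float("inf")
            if z > k:
                hits.append((user, minute, n, round(z, 1)))
    return hits


if __name__ == "__main__":
    profile = build_profile(connections_per_minute(TRAINING_LOG))
    for user, minute, n, z in detect(profile, connections_per_minute(LIVE_LOG)):
        print(f"anomaly: {user} made {n} connections in minute {minute} (z={z})")
```

The mean-and-standard-deviation profile is only one of Denning's metric models; a real system would also re-train the profile over time so that slow, legitimate changes in behaviour do not accumulate into false alarms.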

Anomaly detection has also been performed through other mechanisms, such as neural networks [tan:neural-nets], machine learning classification techniques [lane-brodley:98, forrest-hofmeyr:97] and even mimicking of the biological immune system [hofmeyr-phdthesis:99].

Anomalous intrusions are harder to detect. There are no fixed patterns to monitor for, so a more "fuzzy" approach must be taken. Ideally we would like a system that combines human-like pattern matching capabilities with the vigilance of a computer program: one that is always monitoring the system for potential intrusions, but is able to ignore spurious alerts that result from legitimate user actions.


Diego Zamboni
Last modified: Mon Sep 20 13:13:12 EST 1999