Intrusion Detection: Network Security Beyond the Firewall: UNIX System-Level IDSs
Intrusion Detection: Network Security beyond the Firewall


(Publisher: John Wiley & Sons, Inc.)

Author(s): Terry Escamilla

ISBN: 0471290009

Publication Date: 11/01/98



Statistical Measures
CMDS computes means and confidence intervals for several different usage measures. In simple terms, the system tracks what a user does in real time by counting the occurrences of different events. The categories that CMDS monitors include the following:

•  Failed logins
•  Failed reads
•  Execution of programs and system calls, whether interactive or batch
•  Networking audit records such as socket events
•  Browsing activities, such as reading files and changing directories
•  su attempts
•  Access to devices

Customers can define new categories by associating specific audit events with a category. When an audit record of that event type is detected, the category count is incremented. Category statistics can be tracked by user or by IP address. This differentiator is important because it enables you to know that a particular user was busy copying files or that one odd system saw a spike in the total number of file deletes.

Reporting Anomalies
CMDS enables you to report statistics by user and node. An example report is shown in Figure 8.1.


Figure 8.1  Example report from CMDS.
These reports are available in addition to real-time detection and response for threshold exceptions. Notice that both upper and lower boundaries are defined for a category. If a user’s measure remains within the boundaries, all is well. Any time an activity crosses the upper limit or falls below the lower limit, an anomaly is reported.

A user’s statistical profile is composed of a collection of category measures. The profile is computed from the last 90 days of activities. In addition to computing frequency values and means, a total category count is maintained. Thus, you can know whether a user ran 90 percent of the file delete commands for the day. Reported also is the total number of records per category relative to the total number of audit records. You can know whether file deletes accounted for 50 percent of the day’s activities for the system. CMDS tracks both the AUID and the EUID for an activity to assign accountability.
The daily profile for a user or IP address is broken down by hour. These values are presented in the graphical reports that can be printed on-demand or on a batch schedule. In case you are wondering, the thresholds are computed by calculating the mean for a category and then computing confidence intervals that you can define. The confidence intervals define the upper and lower threshold values.
Alerts can be generated from a single threshold violation or from a combined measure drawn from different categories. You can configure these options in the GUI provided with CMDS. Statistical measures can be treated independently or combined. The count from one audit category can be combined with another statistic to invent a third category. The number of combined categories is practically unlimited. Monitoring of thresholds in real time can happen sequentially or in parallel. This feature enables you to prioritize what the engine monitors.
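As an added illustration of the profile-and-threshold scheme described above (this is not CMDS code; the audit-record layout, the category names, the five-day window and the z = 2 multiplier are constructed assumptions), the following Python counts audit records per user and category by hour, charges them to the AUID rather than the EUID, derives lower and upper thresholds from the mean and a confidence interval, invents a combined category, and reports both an upward spike and a category that went silent:

```python
from collections import Counter, defaultdict
from statistics import mean, stdev

def make_records(day, hour, auid, euid, category, n):
    """Constructed helper: n audit records of one category in one hour bucket."""
    return [(day, hour, auid, euid, category)] * n

def bucket_counts(records, combined=()):
    """Count records per (auid, category, day, hour), charging the AUID (login user)
    rather than the EUID; combined = [(name, {parts})] invents summed categories."""
    counts = Counter()
    for day, hour, auid, _euid, category in records:
        counts[(auid, category, day, hour)] += 1
        for name, parts in combined:
            if category in parts:
                counts[(auid, name, day, hour)] += 1
    return counts

def thresholds(history, z=2.0):
    """Per (auid, category): mean -/+ z * stdev of hourly counts, lower clamped at 0."""
    series = defaultdict(list)
    for (auid, cat, _day, _hour), n in history.items():
        series[(auid, cat)].append(n)
    profile = {}
    for key, xs in series.items():
        m, s = mean(xs), (stdev(xs) if len(xs) > 1 else 0.0)
        profile[key] = (max(0.0, m - z * s), m + z * s)
    return profile

def detect(today, profile, day, hour):
    """Measures outside their bounds this hour; no records today counts as 0 (trips lower)."""
    anomalies = []
    for (auid, cat), (lo, hi) in sorted(profile.items()):
        n = today.get((auid, cat, day, hour), 0)
        if n > hi:
            anomalies.append((auid, cat, n, "above", hi))
        elif n < lo:
            anomalies.append((auid, cat, n, "below", lo))
    return anomalies

COMBINED = [("browsing", {"file_delete", "failed_read"})]   # constructed third category
HISTORY, BOB_EXECS = [], [10, 12, 11, 10, 12]
for d in range(1, 6):                                        # five profile days; CMDS uses 90
    HISTORY += make_records(d, 9, "alice", "alice", "file_delete", 3 + d % 2)
    HISTORY += make_records(d, 9, "alice", "alice", "failed_read", 1)
    HISTORY += make_records(d, 9, "bob", "bob", "program_exec", BOB_EXECS[d - 1])
TODAY = (make_records(6, 9, "alice", "root", "file_delete", 40)    # spike while su'd to root
         + make_records(6, 9, "alice", "alice", "failed_read", 1))  # bob ran nothing at all
PROFILE = thresholds(bucket_counts(HISTORY, COMBINED))
ANOMALIES = detect(bucket_counts(TODAY, COMBINED), PROFILE, 6, 9)
```

The deletes done under EUID root are still charged to alice's AUID, and bob's empty hour is reported as a lower-threshold violation rather than ignored.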
Pattern-Matching Signatures
CMDS uses the publicly available Common Language Integrated Production System (CLIPS) expert system developed at NASA. CLIPS is a forward-chaining, rule-based expert system. Backward chaining can be implemented in CLIPS, but CMDS uses the forward-chaining model. In forward-chaining systems, the expert system reasons from facts to goals. An oversimplification is to think of this as the process of elimination for goals known in advance. Backward-chaining systems, should you be curious, assume a goal and then try to prove or disprove it as facts arrive for processing. If you want to know more about all of the gory details of commercial expert system building tools, plenty of sources are available (Waterman, 1988; Harmon, 1990).
CMDS detects roughly 20 attack signatures including the following:

•  Setting the SUID bit on a file
•  Browsing attacks, such as unauthorized reads
•  Known weakness exploits, such as the Sun load module buffer overflow attack
•  Successful and unsuccessful remote break-in events
•  Changes to system accounting configuration
•  Trojan Horse planting or execution
•  Password attacks
•  Masquerade attempts
•  Tagged user login
•  Tagged file lists, which can be customized by the CMDS administrator
•  System events such as shutdown, halt, or reboot

To create a signature you must know how to add new rules to a CLIPS knowledge base.

Role of Statistical Anomaly Detection
Anomaly detectors look for statistical differences in behavior. They assume intrusions are rare and thus will show up as exceptions to normal behavior. An anomaly detector will trigger when an upper or lower threshold is passed by one of the statistics being calculated.
Often, skilled users pose problems for statistical models because they might use a wider range of commands or occasionally rely on a rarely used command (Smaha and Winslow, 1994). Configuring the event monitor so that it does not report false alarms for skilled users can be difficult. Another way to describe this limitation is to say that statistical techniques are most effective when applied to homogeneous data, such as credit card activities, securities trading, or loan processing.
Not all anomalies are intrusions. If you are a programmer or researcher and decide to run a program a number of times although you do not normally do this, the event could trigger an alert if this activity is one of the statistics in your profile. A system that relies on statistical profiles only may not assign accountability correctly. For example, if one statistic is cumulative evidence of running rogue programs from an account, it is also important to know whether the login user is performing these tasks or whether someone has switched to that user ID from another. Remember that CMDS does not have this problem because it tracks both the AUID and the EUID to assign accountability for actions.
Other IDS Features to Consider
So far you’ve seen that Stalker and CMDS are complementary system-level IDSs that catch a number of attacks which scanners and network sniffers cannot. The next few sections summarize some other important issues to consider about system intrusion detection.



