• Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.
• Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
• Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
Approaches to intrusion detection:
1. Statistical anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.
   a. Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events.
   b. Profile based: A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts.
2. Rule-based detection: Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
   a. Anomaly detection: Rules are developed to detect deviation from previous usage patterns.
   b. Penetration identification: An expert system approach that searches for suspicious behavior.
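The following Python code is an added example, not part of the original text. It contrasts threshold detection with profile-based detection on the same constructed data; the account names, event counts, GLOBAL_THRESHOLD and Z_LIMIT are all assumptions chosen for illustration.

```python
from statistics import mean, stdev

# Constructed sample data: failed logins per day for each account.
# The last value is the day under observation; the rest is history.
HISTORY = {
    "alice": [1, 0, 2, 1, 1, 0, 2, 9],
    "backup_svc": [40, 42, 38, 41, 39, 43, 40, 41],
    "bob": [3, 2, 4, 3, 2, 3, 4, 3],
}

GLOBAL_THRESHOLD = 10  # assumed limit, identical for every user
Z_LIMIT = 3.0          # assumed: flag beyond 3 standard deviations


def threshold_alerts(history, threshold=GLOBAL_THRESHOLD):
    """Threshold detection: one user-independent limit on event frequency."""
    return sorted(u for u, counts in history.items() if counts[-1] > threshold)


def profile_alerts(history, z_limit=Z_LIMIT):
    """Profile-based detection: compare today's count with the
    account's own past behavior (mean and standard deviation)."""
    flagged = []
    for user, counts in history.items():
        past, today = counts[:-1], counts[-1]
        mu = mean(past)
        # Floor sigma so a perfectly flat history cannot divide by zero.
        sigma = max(stdev(past), 0.5)
        if abs(today - mu) / sigma > z_limit:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    # The fixed threshold flags the noisy but normal service account
    # and misses alice's jump from about 1 to 9 failures.
    print("threshold:", threshold_alerts(HISTORY))
    # The per-user profile flags alice and leaves backup_svc alone.
    print("profile:  ", profile_alerts(HISTORY))
```

On this data the user-independent threshold produces a false positive and a miss, while the per-account profile catches the change in an individual account's behavior.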
Honeypots
A relatively recent innovation in intrusion detection technology is the honeypot. Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems. Honeypots are designed to
• divert an attacker from accessing critical systems
• collect information about the attacker’s activity
• encourage the attacker to stay on the system long enough for administrators to respond
These systems are filled with fabricated information designed to