Re: RFC- Enforcing Computer Policy

keirsey@aic.hrl.hac.com
Fri, 12 Aug 1994 17:21:31 -0800

At  4:36 AM 8/13/94 +1000, Justin Lister wrote:
[deleted]

>The following will be more or less general ramblings, I am interested
>in hearing any further comments.
>
>1. Currently the direction of intrusion detection systems (both
>network and computer system detectors) are involved with essentially 2
>main thrusts.
>
>  i) Encoding supposedly "known" intrusion patterns into knowledge bases
>  then essentially monitoring the system audit trail for sequences that
>  resemble the intrusive patterns.
>
>  ii) Developing profiles of system subjects or "entities" that describe
>  "normal" behavior patterns, then attempting to identify deviations
>  from the established patterns.
>
[deleted]

There is a third direction in intrusion detection.  This direction or
technique is different from the two outlined above because it doesn't try to
detect patterns or behaviors.  The technique might be loosely called
Self-Nonself Discrimination. (This is from [Forrest et al 94]). This
technique is to identify critical parts of the network/os software that
should not be changed and then signal when they do change.  I think your
suggestions in your verification step (5) are along these lines.  The
TRIPWIRE software is a good example of a simple tool of this type of
technique.

Setting up traps, decoys, and tracers using these detection methods can add
to the other two basic techniques that you mentioned.  

References:
G. H. Kim and E. H. Spafford, "The design and implementation of tripwire..."
Tech Report CSD-TR-93-071, Purdue University, CS Dept., 1993.

S. Forrest, L. Allen, A.S. Perelson, and Rajesh Cherukuri, "Self-Nonself
Discrimination in a Computer", Proceedings of 1994 IEEE Symposium on
Research in Security and Privacy (in Press)



---
David Keirsey, Hughes Research Labs
Keirsey@isl.hrl.hac.com
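The "third direction" described in the reply above, identifying parts of the system that should not change and signalling when they do, is what a Tripwire-style integrity checker does. The following is an added example written for this page; it is not Tripwire's code and not part of the original message. It builds a baseline of SHA-256 digests, sizes and permission bits for every regular file under a root, stores it as JSON (in practice that snapshot would live on read-only media or a separate host, since the checker is only as trustworthy as its baseline), then rescans and reports files that were modified, removed or added. The directory tree, file contents and file names in `demo()` are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Snapshot every regular file under root: digest, size and permission bits.

    Symlinks are skipped so a link pointing outside the tree cannot
    substitute its target's content for the file being checked.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            st = p.stat()
            baseline[rel] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report what differs between a stored baseline and a fresh scan.

    Any change in digest, size or mode counts as a modification: a file
    whose content is intact but whose permission bits changed is still a
    deviation from the expected state.
    """
    report = {"modified": [], "removed": [], "added": []}
    for rel, attrs in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel] != attrs:
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Build a constructed tree, baseline it, change it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # Constructed stand-ins for files an administrator would not expect to change.
        (root / "bin" / "login").write_bytes(b"original login program (constructed)")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        baseline = build_baseline(root)
        # Serialise the baseline; a real deployment keeps this copy off the monitored host.
        snapshot = json.dumps(baseline, sort_keys=True)

        # Simulated changes between the baseline and the next scan.
        (root / "bin" / "login").write_bytes(b"altered login program (constructed)")
        (root / "etc" / "passwd").unlink()
        (root / "etc" / "unexpected.conf").write_text("added after baseline\n")

        current = build_baseline(root)
        return compare(json.loads(snapshot), current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Comparing a baseline against itself yields an empty report; any non-empty bucket is the signal the reply describes. Size and mode are recorded alongside the digest so that a mode-only change (for instance a setuid bit appearing on a previously plain file) is reported even though the content hash is unchanged.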