At 4:36 AM 8/13/94 +1000, Justin Lister wrote:

[deleted]

>The following will be more or less general ramblings, I am interested
>in hearing any further comments.
>
>1. Currently the direction of intrusion detection systems (both
>network and computer system detectors) are involved with essentially 2
>main thrusts.
>
> i) Encoding supposedly "known" intrusion patterns into knowledge bases
> then essentially monitoring the system audit trail for sequences that
> resemble the intrusive patterns.
>
> ii) Developing profiles of system subjects or "entities" that describe
> "normal" behavior patterns, then attempting to identify deviations
> from the established patterns.
>
[deleted]

There is a third direction in intrusion detection. This direction or
technique is different from the two outlined above because it doesn't
try to detect patterns or behaviors. The technique might be loosely
called Self-Nonself Discrimination. (This is from [Forrest et al 94].)
This technique is to identify critical parts of the network/os software
that should not be changed and then signal when they do change. I think
your suggestions in your verification step (5) are along these lines.
The TRIPWIRE software is a good example of a simple tool of this type
of technique. Setting up traps, decoys, and tracers using these
detection methods can add to the other two basic techniques that you
mentioned.

References:

G. H. Kim and E. H. Spafford, "The design and implementation of
tripwire...", Tech Report CSD-TR-93-071, Purdue University, CS Dept.,
1993.

S. Forrest, L. Allen, A. S. Perelson, and Rajesh Cherukuri, "Self-Nonself
Discrimination in a Computer", Proceedings of 1994 IEEE Symposium on
Research in Security and Privacy (in press).

---
David Keirsey, Hughes Research Labs
Keirsey@isl.hrl.hac.com
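A minimal Tripwire-style integrity check of the kind Keirsey describes (record a baseline of critical files, then signal when their contents or permissions change), added here as an illustration; it is neither code from the post nor from the Tripwire project, and the file set, contents and tampering scenario are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of the file's contents (fine for the small files used here)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def snapshot(root, rel_paths):
    """Baseline ('self'): digest and permission bits of each critical file."""
    base = {}
    for rel in rel_paths:
        p = Path(root) / rel
        base[rel] = {"sha256": file_digest(p), "mode": p.stat().st_mode & 0o7777}
    return base

def verify(root, baseline):
    """Report every baselined file whose current state differs ('nonself')."""
    findings = []
    for rel, rec in sorted(baseline.items()):
        p = Path(root) / rel
        if not p.exists():
            findings.append((rel, "missing"))
            continue
        mode = p.stat().st_mode & 0o7777
        if mode != rec["mode"]:
            findings.append((rel, "mode changed %o -> %o" % (rec["mode"], mode)))
        if file_digest(p) != rec["sha256"]:
            findings.append((rel, "content changed"))
    return findings

def demo():
    """Constructed scenario: baseline three files, then alter two and delete one."""
    with tempfile.TemporaryDirectory() as root:
        files = {"etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
                 "bin/login": b"\x7fELF-stub\n",
                 "etc/inetd.conf": b"ftp stream tcp nowait root /usr/sbin/ftpd\n"}
        for rel, data in files.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            p.chmod(0o644)
        baseline = snapshot(root, files)
        clean = verify(root, baseline)             # nothing changed yet -> []
        (Path(root) / "bin/login").write_bytes(b"\x7fELF-stub\npatched\n")
        (Path(root) / "etc/passwd").chmod(0o666)
        (Path(root) / "etc/inetd.conf").unlink()
        return clean, verify(root, baseline)
```

The baseline itself must be kept where an intruder cannot rewrite it (read-only media or a separate host), otherwise a changed file and a matching changed baseline look like "self".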