Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98


Statistical Measures

CMDS computes means and confidence intervals for several different usage measures. In simple terms, the system tracks what a user does in real time by counting the occurrences of different events. The categories that CMDS monitors include the following:

  Failed logins
  Failed reads
  Execution of programs and system calls, whether interactive or batch
  Networking audit records such as socket events
  Browsing activities, such as reading files and changing directories
  su attempts
  Access to devices

Customers can define new categories by associating specific audit events with a category. When an audit record of that event type is detected, the category count is incremented. Category statistics can be tracked by user or by IP address. This differentiator is important because it enables you to know that a particular user was busy copying files or that one odd system saw a spike in the total number of file deletes.

Reporting Anomalies

CMDS enables you to report statistics by user and node. An example report is shown in Figure 8.1.


Figure 8.1  Example report from CMDS.

These reports are available in addition to real-time detection and response for threshold exceptions. Notice that both upper and lower boundaries are defined for a category. If a user’s measure remains within the boundaries, all is well. Any time an activity crosses the upper limit or falls below the lower limit, an anomaly is reported.

A user’s statistical profile is composed of a collection of category measures. The profile is computed from the last 90 days of activities. In addition to computing frequency values and means, a total category count is maintained. Thus, you can know whether a user ran 90 percent of the file delete commands for the day. Reported also is the total number of records per category relative to the total number of audit records. You can know whether file deletes accounted for 50 percent of the day’s activities for the system. CMDS tracks both the AUID and the EUID for an activity to assign accountability.

The daily profile for a user or IP address is broken down by hour. These values are presented in the graphical reports that can be printed on-demand or on a batch schedule. In case you are wondering, the thresholds are computed by calculating the mean for a category and then computing confidence intervals that you can define. The confidence intervals define the upper and lower threshold values.

Alerts can be generated from a single threshold violation or from a combined measure drawn from different categories. You can configure these options in the GUI provided with CMDS. Statistical measures can be treated independently or combined. The count from one audit category can be combined with another statistic to invent a third category. The number of combined categories is practically unlimited. Monitoring of thresholds in real time can happen sequentially or in parallel. This feature enables you to prioritize what the engine monitors.
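The profile and threshold mechanism described in the preceding paragraphs, worked through as an added Python example. This is not CMDS code: the book does not give the exact formulas CMDS uses, so the threshold here is assumed to be the mean plus or minus z times the standard deviation of the daily counts over the window, days with no records count as zero, and the users, categories and counts are constructed for illustration. It also shows the AUID versus EUID accountability point from this chapter: counting by AUID keeps a delete performed after an su charged to the account that logged in.

```python
# Added example, not CMDS code: a toy per-user statistical profiler that
# counts audit records by category, builds thresholds from a 90-day window,
# and reports anomalies the way this chapter describes.
# Assumptions (the book does not give CMDS's exact formulas): a category
# threshold is mean +/- z * standard deviation of the daily counts, and
# days with no records in a category count as zero.
from collections import Counter, defaultdict
from dataclasses import dataclass
from math import sqrt

Z = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}  # two-sided normal quantiles


@dataclass(frozen=True)
class AuditRecord:
    day: int        # day index inside the profiling window (0 = oldest)
    hour: int       # hour of day, 0-23, for the hourly report breakdown
    auid: str       # audit user ID: the account that actually logged in
    euid: str       # effective user ID: differs from auid after an su
    category: str   # CMDS-style category, e.g. "file_delete"


def category_counts(records, principal="auid"):
    """{(principal, category): Counter(day -> count)}.
    Counting by AUID (the default) keeps accountability with the login user
    even for records produced under another EUID after an su."""
    table = defaultdict(Counter)
    for r in records:
        table[(getattr(r, principal), r.category)][r.day] += 1
    return table


def thresholds(day_counter, window_days, confidence=0.95):
    """Lower and upper bound for one (principal, category) profile."""
    values = [day_counter.get(d, 0) for d in range(window_days)]
    mean = sum(values) / window_days
    var = sum((v - mean) ** 2 for v in values) / max(window_days - 1, 1)
    half = Z[confidence] * sqrt(var)
    return max(0.0, mean - half), mean + half


def detect_anomalies(history, today, window_days=90, confidence=0.95):
    """Compare today's counts with thresholds built from history.
    Returns (principal, category, count, lower, upper, side) tuples; a
    category that is usually active but silent today is reported as "below"."""
    profile = category_counts(history)
    todays = category_counts(today)
    alerts = []
    for key in sorted(set(profile) | set(todays)):
        count = sum(todays.get(key, Counter()).values())
        lower, upper = thresholds(profile.get(key, Counter()), window_days, confidence)
        if count > upper:
            alerts.append((*key, count, lower, upper, "above"))
        elif count < lower:
            alerts.append((*key, count, lower, upper, "below"))
    return alerts


def hourly_breakdown(records, principal="auid"):
    """{(principal, category): 24 hourly counts}, the data behind the daily graphs."""
    table = defaultdict(lambda: [0] * 24)
    for r in records:
        table[(getattr(r, principal), r.category)][r.hour] += 1
    return dict(table)


def category_shares(records, category):
    """Share of the category each AUID ran, and the category's share of all
    records: the "ran 90 percent of the file deletes" and "deletes were 50
    percent of the day" figures from the text."""
    cat_records = [r for r in records if r.category == category]
    per_user = Counter(r.auid for r in cat_records)
    total = len(cat_records)
    user_share = {u: n / total for u, n in per_user.items()} if total else {}
    system_share = total / len(records) if records else 0.0
    return user_share, system_share


def build_sample_history(window_days=90):
    """Constructed audit trail, not real data: alice deletes 2 or 3 files and
    reads 10 files every day; bob logs in once a day and never fails."""
    recs = []
    for d in range(window_days):
        for i in range(3 if d % 3 == 0 else 2):
            recs.append(AuditRecord(d, 9 + i, "alice", "alice", "file_delete"))
        for i in range(10):
            recs.append(AuditRecord(d, 8 + i % 8, "alice", "alice", "file_read"))
        recs.append(AuditRecord(d, 9, "bob", "bob", "login"))
    return recs


# Constructed "today" (day 90): alice su's to root and deletes 12 files, so
# the AUID stays alice while the EUID is root; bob fails to log in 4 times.
TODAY = (
    [AuditRecord(90, 14, "alice", "root", "file_delete") for _ in range(12)]
    + [AuditRecord(90, 9, "bob", "bob", "login")]
    + [AuditRecord(90, 10 + i, "bob", "bob", "failed_login") for i in range(4)]
)

if __name__ == "__main__":
    for alert in detect_anomalies(build_sample_history(), TODAY):
        print(alert)
    print(category_shares(TODAY, "file_delete"))
```

Run as a script, the sample flags alice's 12 deletes as above her upper bound (about 3.3 at 95 percent), her missing file reads as below the lower bound of 10, and bob's four failed logins as above a threshold of zero, while his single login stays inside its bounds. Counting the same day by EUID instead would charge the deletes to root, which is exactly the accountability gap the AUID tracking closes.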

Pattern-Matching Signatures

CMDS uses the publicly available Common Language Integrated Production System (CLIPS) expert system developed at NASA. CLIPS is a forward-chaining, rule-based expert system. Backward chaining can be implemented in CLIPS, but CMDS uses the forward-chaining model. In forward-chaining systems, the expert systems reason from facts to goals. An oversimplification is to think of this as the process of elimination for goals known in advance. Backward-chaining systems, should you be curious, assume a goal and then try to prove or disprove it as facts arrive for processing. If you want to know more about all of the gory details of commercial expert system building tools, plenty of sources are available (Waterman, 1988; Harmon, 1990).

CMDS detects roughly 20 attack signatures including the following:

  Setting the SUID bit on a file
  Browsing attacks, such as unauthorized reads
  Known weakness exploits, such as the Sun load module buffer overflow attack
  Successful and unsuccessful remote break-in events
  Changes to system accounting configuration
  Trojan Horse planting or execution
  Password attacks
  Masquerade attempts
  Tagged user login
  Tagged file lists, which can be customized by the CMDS administrator
  System events such as shutdown, halt, or reboot

To create a signature you must know how to add new rules to a CLIPS knowledge base.
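To make the forward-chaining idea from the CLIPS discussion above concrete, and to show how signatures like those in the list chain from audit facts to a goal, here is an added Python example. It is neither CLIPS syntax nor CMDS code: the rule engine, the event names and fields, the failed-login limit and the tagged user list are all made up for illustration, and the audit trail is constructed.

```python
# Added example, not CMDS code and not CLIPS syntax: a tiny forward-chaining
# rule engine in Python that reasons from audit facts to goals, to show how
# signature rules like the ones listed above chain. The event names, fields
# and thresholds are made up for illustration.
from collections import defaultdict

SUID_BIT = 0o4000
TAGGED_USERS = frozenset({"guest"})   # assumed admin-defined tagged user list


def fact_key(fact):
    """Hashable form of a (kind, attributes) fact, for duplicate detection."""
    kind, attrs = fact
    return (kind, tuple(sorted(attrs.items())))


def rule_suid_set(facts):
    """Setting the SUID bit on a file: a chmod whose new mode carries 04000."""
    return [("suid_set", {"path": a["path"], "auid": a["auid"]})
            for k, a in facts
            if k == "audit" and a["event"] == "chmod" and a["mode"] & SUID_BIT]


def rule_tagged_user_login(facts):
    """Tagged user login: any successful login by an account on the tag list."""
    return [("tagged_user_login", {"user": a["user"], "host": a["host"]})
            for k, a in facts
            if k == "audit" and a["event"] == "login" and a["user"] in TAGGED_USERS]


def rule_password_attack(facts, limit=3):
    """Password attack: `limit` or more failed logins for one user/host pair."""
    seqs = defaultdict(list)
    for k, a in facts:
        if k == "audit" and a["event"] == "failed_login":
            seqs[(a["user"], a["host"])].append(a["seq"])
    return [("password_attack", {"user": u, "host": h,
                                 "failures": len(s), "last_seq": max(s)})
            for (u, h), s in seqs.items() if len(s) >= limit]


def rule_remote_break_in(facts):
    """Successful remote break-in: a login for a user/host pair AFTER a
    password_attack fact exists for it. This rule can only fire once
    rule_password_attack has asserted its fact; that is the forward chain."""
    attacks = {(a["user"], a["host"]): a["last_seq"]
               for k, a in facts if k == "password_attack"}
    return [("remote_break_in", {"user": a["user"], "host": a["host"],
                                 "login_seq": a["seq"]})
            for k, a in facts
            if k == "audit" and a["event"] == "login"
            and (a["user"], a["host"]) in attacks
            and a["seq"] > attacks[(a["user"], a["host"])]]


# Deliberately listed before the rule it depends on, so the first pass cannot
# fire it and the engine has to loop: new facts re-enable waiting rules.
RULES = [rule_remote_break_in, rule_suid_set, rule_tagged_user_login,
         rule_password_attack]


def run(audit_facts, rules=RULES):
    """Fire every rule repeatedly until no rule asserts a new fact, then
    return the derived (non-audit) facts in the order they were asserted."""
    known = list(audit_facts)
    seen = {fact_key(f) for f in known}
    changed = True
    while changed:
        changed = False
        for rule in rules:
            for fact in rule(known):
                if fact_key(fact) not in seen:
                    seen.add(fact_key(fact))
                    known.append(fact)
                    changed = True
    return [f for f in known if f[0] != "audit"]


# Constructed audit trail, not real logs.
AUDIT = [
    ("audit", {"seq": 1, "event": "failed_login", "user": "carol", "host": "10.0.0.5"}),
    ("audit", {"seq": 2, "event": "failed_login", "user": "carol", "host": "10.0.0.5"}),
    ("audit", {"seq": 3, "event": "failed_login", "user": "carol", "host": "10.0.0.5"}),
    ("audit", {"seq": 4, "event": "login", "user": "carol", "host": "10.0.0.5"}),
    ("audit", {"seq": 5, "event": "chmod", "path": "/tmp/sh_copy", "mode": 0o4755, "auid": "carol"}),
    ("audit", {"seq": 6, "event": "login", "user": "guest", "host": "10.0.0.9"}),
    ("audit", {"seq": 7, "event": "chmod", "path": "/home/dave/notes", "mode": 0o644, "auid": "dave"}),
]

if __name__ == "__main__":
    for fact in run(AUDIT):
        print(fact)
```

On the first pass the engine asserts suid_set, tagged_user_login and password_attack; remote_break_in cannot match yet because no password_attack fact exists, so it fires only on the second pass. That is the fact-to-goal direction described above: a real CLIPS knowledge base expresses each rule as a defrule with patterns on the left-hand side and lets its matching network do the work, but the reasoning flows the same way. The mode-0644 chmod and the login that precedes any failures are the negative cases, and they produce no derived facts.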

Role of Statistical Anomaly Detection

Anomaly detectors look for statistical differences in behavior. They assume intrusions are rare and thus will show up as exceptions to normal behavior. An anomaly detector will trigger when an upper or lower threshold is passed by one of the statistics being calculated.

Often, skilled users pose problems for statistical models because they might use a wider range of commands or occasionally rely on a rarely used command (Smaha and Winslow, 1994). Configuring the event monitor so that it does not report false alarms for skilled users can be difficult. Another way to describe this limitation is to say that statistical techniques are most effective when applied to homogeneous data, such as credit card activities, securities trading, or loan processing.

Not all anomalies are intrusions. If you are a programmer or researcher and decide to run a program a number of times although you do not normally do this, the event could trigger an alert if this activity is one of the statistics in your profile. A system that relies on statistical profiles only may not assign accountability correctly. For example, if one statistic is cumulative evidence of running rogue programs from an account, it is also important to know whether the login user is performing these tasks or whether someone has switched to that user ID from another. Remember that CMDS does not have this problem because it tracks both the AUID and the EUID to assign accountability for actions.

Other IDS Features to Consider

So far you’ve seen that Stalker and CMDS are complementary system-level IDSs that catch a number of attacks which scanners and network sniffers cannot. The next few sections summarize some other important issues to consider about system intrusion detection.
