<option value="">-----------
<option value="/reference/dir.archive1.html">Free Archive
</SELECT>
</font></td>
</tr>
</table>
</form>
<!-- LEFT NAV SEARCH END -->
</td>
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->
<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->
<!-- begin main content -->
<td width="100%" valign="top" align="left">
<!-- END SUB HEADER -->
<!--Begin Content Column -->
<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<form name="Search" method="GET" action="http://search.earthweb.com/search97/search_redir.cgi">
<INPUT TYPE="hidden" NAME="Action" VALUE="Search">
<INPUT TYPE="hidden" NAME="SearchPage" VALUE="http://search.earthweb.com/search97/samples/forms/srchdemo.htm">
<INPUT TYPE="hidden" NAME="Collection" VALUE="ITK">
<INPUT TYPE="hidden" NAME="ResultTemplate" VALUE="itk-full.hts">
<INPUT TYPE="hidden" NAME="ViewTemplate" VALUE="view.hts">
<font face="arial, helvetica" size=2><b>Search this book:</b></font><br>
<INPUT NAME="queryText" size=50 VALUE=""> <input type="submit" name="submitbutton" value="Go!">
<INPUT type=hidden NAME="section_on" VALUE="on">
<INPUT type=hidden NAME="section" VALUE="http://www.itknowledge.com/reference/standard/0471290009/">
</form>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=8//-->
<!--PAGES=237-240//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="234-237.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="240-243.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P><FONT SIZE="+1"><B>Statistical Measures</B></FONT></P>
<P>CMDS computes means and confidence intervals for several different usage measures. In simple terms, the system tracks what a user does in real time by counting the occurrences of different events. The <I>categories</I> that CMDS monitors include the following:</P>
<DL>
<DD><B>•</B> Failed logins
<DD><B>•</B> Failed reads
<DD><B>•</B> Execution of programs and system calls, whether interactive or batch
<DD><B>•</B> Networking audit records such as socket events
<DD><B>•</B> Browsing activities, such as reading files and changing directories
<DD><B>•</B> su attempts
<DD><B>•</B> Access to devices
</DL>
<P>Customers can define new categories by associating specific audit events with a category. When an audit record of that event type is detected, the category count is incremented. Category statistics can be tracked by user or by IP address. This differentiator is important because it enables you to know that a particular user was busy copying files or that one odd system saw a spike in the total number of file deletes.
</P>
<P><FONT SIZE="+1"><B>Reporting Anomalies</B></FONT></P>
<P>CMDS enables you to report statistics by user and node. An example report is shown in Figure 8.1.
</P>
<P><A NAME="Fig1"></A><A HREF="javascript:displayWindow('images/08-01.jpg',498,595 )"><IMG SRC="images/08-01t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/08-01.jpg',498,595)"><FONT COLOR="#000077"><B>Figure 8.1</B></FONT></A> Example report from CMDS.</P>
<P>These reports are available in addition to real-time detection and response for threshold exceptions. Notice that both an upper and a lower boundary are defined for each category. If a user’s measure remains within the boundaries, all is well. Any time an activity crosses the upper limit or falls below the lower limit, an anomaly is reported.
</P>
<P>A user’s statistical <I>profile</I> is composed of a collection of category measures. The profile is computed from the last 90 days of activities. In addition to computing frequency values and means, a total category count is maintained. Thus, you can know whether a user ran 90 percent of the file delete commands for the day. Reported also is the total number of records per category relative to the total number of audit records. You can know whether file deletes accounted for 50 percent of the day’s activities for the system. CMDS tracks both the AUID and the EUID for an activity to assign accountability.</P>
<P>The daily profile for a user or IP address is broken down by hour. These values are presented in the graphical reports that can be printed on-demand or on a batch schedule. In case you are wondering, the thresholds are computed by calculating the mean for a category and then computing confidence intervals that you can define. The confidence intervals define the upper and lower threshold values.</P>
<P>Alerts can be generated from a single threshold violation or from a combined measure drawn from different categories. You can configure these options in the GUI provided with CMDS. Statistical measures can be treated independently or combined. The count from one audit category can be combined with another statistic to invent a third category. The number of combined categories is practically unlimited. Monitoring of thresholds in real time can happen sequentially or in parallel. This feature enables you to prioritize what the engine monitors.</P>
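<P>The following Python model is an added example and is not code from the book or from CMDS. It builds a profile of the kind described in this section from a constructed history of hourly category counts: each category gets a mean and an interval of plus or minus <I>z</I> standard deviations, the interval ends serve as the upper and lower thresholds, and an hour whose count crosses either is reported as an anomaly. It also shows a combined category invented from two existing ones and the share of a day’s audit records that one category accounts for. The function names, the sample data and the choice of <I>z</I> as the interval width are assumptions made for the example.</P>

```python
import math

# Constructed sample history: ten hourly counts per category for one user.
# A real CMDS profile is built from the last 90 days of audit records.
HISTORY = {
    "file_delete":  [3, 4, 2, 5, 3, 4, 3, 2, 4, 3],
    "failed_login": [0, 1, 0, 0, 1, 0, 0, 0, 1, 0],
    "su_attempt":   [1, 0, 1, 1, 0, 1, 0, 1, 1, 0],
}


def mean_sd(samples):
    """Sample mean and standard deviation of a list of counts."""
    n = len(samples)
    mu = sum(samples) / n
    var = sum((x - mu) ** 2 for x in samples) / (n - 1)
    return mu, math.sqrt(var)


def thresholds(samples, z=2.0):
    """Lower and upper threshold for a category: mean minus/plus z standard
    deviations. z is the operator-chosen interval width (an assumption here;
    CMDS lets the administrator define the confidence interval). The lower
    bound is clamped at zero because event counts cannot be negative."""
    mu, sd = mean_sd(samples)
    return max(0.0, mu - z * sd), mu + z * sd


def build_profile(history, z=2.0):
    """Profile = one (lower, upper) pair per category."""
    return {cat: thresholds(vals, z) for cat, vals in history.items()}


def add_combined_category(history, name, parts):
    """Invent a new category whose history is the element-wise sum of other
    categories, as the text describes for combined statistics."""
    history[name] = [sum(vals) for vals in zip(*(history[p] for p in parts))]
    return history[name]


def check_hour(profile, counts):
    """Compare one hour's counts with the profile. Returns a list of
    (category, count, 'above'|'below') for every threshold crossed; categories
    without a profile entry are ignored."""
    anomalies = []
    for cat, count in counts.items():
        if cat not in profile:
            continue
        lo, hi = profile[cat]
        if count > hi:
            anomalies.append((cat, count, "above"))
        elif count < lo:
            anomalies.append((cat, count, "below"))
    return anomalies


def category_share(day_counts, cat):
    """Percentage of a day's audit records that fall into one category."""
    total = sum(day_counts.values())
    return 100.0 * day_counts.get(cat, 0) / total if total else 0.0


if __name__ == "__main__":
    hist = {k: list(v) for k, v in HISTORY.items()}
    add_combined_category(hist, "priv_attempts", ["su_attempt", "failed_login"])
    profile = build_profile(hist)
    for cat, (lo, hi) in profile.items():
        print(f"{cat:14s} lower={lo:5.2f} upper={hi:5.2f}")
    # Constructed "current hour": a burst of deletes and nothing else.
    print(check_hour(profile, {"file_delete": 12, "failed_login": 0, "su_attempt": 0}))
```

<P>With the constructed history, the file-delete thresholds come out at roughly 1.4 and 5.2 per hour, so twelve deletes in one hour is reported as above the upper limit while an hour with none is reported as below the lower limit; the rarely used categories have a lower bound of zero, which is why a quiet hour does not trigger them.</P>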
<P><FONT SIZE="+1"><B>Pattern-Matching Signatures</B></FONT></P>
<P>CMDS uses the publicly available <I>Common Language Integrated Production System</I> (CLIPS) expert system developed at NASA. CLIPS is a forward-chaining, rule-based expert system. Backward chaining can be implemented in CLIPS, but CMDS uses the forward-chaining model. In forward-chaining systems, the expert systems reason from facts to goals. An oversimplification is to think of this as the process of elimination for goals known in advance. Backward-chaining systems, should you be curious, assume a goal and then try to prove or disprove it as facts arrive for processing. If you want to know more about all of the gory details of commercial expert system building tools, plenty of sources are available (Waterman, 1988; Harmon, 1990).</P>
<P>CMDS detects roughly 20 attack signatures including the following:</P>
<DL>
<DD><B>•</B> Setting the SUID bit on a file
<DD><B>•</B> Browsing attacks, such as unauthorized reads
<DD><B>•</B> Known weakness exploits, such as the Sun load module buffer overflow attack
<DD><B>•</B> Successful and unsuccessful remote break-in events
<DD><B>•</B> Changes to system accounting configuration
<DD><B>•</B> Trojan Horse planting or execution
<DD><B>•</B> Password attacks
<DD><B>•</B> Masquerade attempts
<DD><B>•</B> Tagged user login
<DD><B>•</B> Tagged file lists, which can be customized by the CMDS administrator
<DD><B>•</B> System events such as shutdown, halt, or reboot
</DL>
<P>To create a signature you must know how to add new rules to a CLIPS knowledge base.
</P>
<P><FONT SIZE="+1"><B>Role of Statistical Anomaly Detection</B></FONT></P>
<P>Anomaly detectors look for statistical differences in <I>behavior</I>. They assume intrusions are rare and thus will show up as exceptions to <I>normal</I> behavior. An anomaly detector will trigger when an upper or lower threshold is passed by one of the statistics being calculated.</P>
<P>Often, skilled users pose problems for statistical models because they might use a wider range of commands or occasionally rely on a rarely used command (Smaha and Winslow, 1994). Configuring the event monitor so that it does not report false alarms for skilled users can be difficult. Another way to describe this limitation is to say that statistical techniques are most effective when applied to homogeneous data, such as credit card activities, securities trading, or loan processing.</P>
<P>Not all anomalies are intrusions. If you are a programmer or researcher and decide to run a program a number of times even though you do not normally do so, the event could trigger an alert if this activity is one of the statistics in your profile. A system that relies on statistical profiles alone may not assign accountability correctly. For example, if one statistic is cumulative evidence of rogue programs being run from an account, it is also important to know whether the login user is performing these tasks or whether someone has switched to that user ID from another. Remember that CMDS does <I>not</I> have this problem because it tracks both the AUID and the EUID to assign accountability for actions.</P>
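<P>As an added example, not code from the book, from CMDS or from CLIPS, the following Python sketch covers two points made above: the pattern-matching signatures (the list under “Pattern-Matching Signatures”) and the accountability point in the preceding paragraph. A small forward-chaining loop feeds audit records to a set of rules; each rule either fires on the record alone (SUID bit set on a file, activity under an effective UID that differs from the audit UID) or asserts a fact that a later record completes (several failed logins to one account followed by a success). Every alert is attributed to the AUID, not the EUID. The record layout, rule names, the failure threshold and the audit trail are constructed for the example; a real CLIPS knowledge base expresses the same rules as CLIPS <I>defrule</I> productions rather than Python functions.</P>

```python
import stat
from dataclasses import dataclass


@dataclass
class AuditRecord:
    """One audit event. auid is the audit UID (the identity that logged in);
    euid is the effective UID at the time of the event."""
    auid: str
    euid: str
    event: str          # "login", "su", "chmod", ...
    success: bool
    obj: str = ""       # file path or target account
    mode: int = 0       # new permission bits for chmod events


def rule_suid_set(rec, facts):
    """Signature: SUID bit set on a file."""
    if rec.event == "chmod" and rec.success and rec.mode & stat.S_ISUID:
        return f"SUID bit set on {rec.obj}"
    return None


def rule_masquerade(rec, facts):
    """Signature: activity under an effective UID that differs from the audit
    UID, i.e. after an identity switch. Accountability goes to the AUID."""
    if rec.event != "su" and rec.euid != rec.auid:
        return f"{rec.auid} acting as {rec.euid} during {rec.event}"
    return None


def rule_password_attack(rec, facts, limit=3):
    """Signature: repeated failed logins to one account followed by a success.
    Each failure asserts a fact (a counter); the success fires on the
    accumulated facts. 'limit' is an assumed threshold for the example."""
    key = ("failed_logins", rec.obj)
    if rec.event == "login" and not rec.success:
        facts[key] = facts.get(key, 0) + 1
    elif rec.event == "login" and rec.success:
        n = facts.pop(key, 0)
        if n >= limit:
            return f"successful login to {rec.obj} after {n} failures"
    return None


RULES = [rule_suid_set, rule_masquerade, rule_password_attack]


def run_rules(records, rules=RULES):
    """Forward-chaining loop: present each audit record (a fact) to every rule
    and collect (rule name, accountable AUID, message) for each rule that fires."""
    facts = {}
    alerts = []
    for rec in records:
        for rule in rules:
            msg = rule(rec, facts)
            if msg:
                alerts.append((rule.__name__, rec.auid, msg))
    return alerts


# Constructed audit trail for the example (not real system output).
SAMPLE = [
    AuditRecord("alice", "alice", "login", True, obj="alice"),
    AuditRecord("alice", "alice", "su", True, obj="root"),
    AuditRecord("alice", "root", "chmod", True, obj="/usr/local/bin/tool", mode=0o4755),
    AuditRecord("-", "-", "login", False, obj="carol"),
    AuditRecord("-", "-", "login", False, obj="carol"),
    AuditRecord("-", "-", "login", False, obj="carol"),
    AuditRecord("carol", "carol", "login", True, obj="carol"),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE):
        print(alert)
```

<P>On the constructed trail the chmod record fires two rules at once, and both alerts name <I>alice</I> rather than <I>root</I>, which is the accountability behaviour the text attributes to tracking both AUID and EUID. The login rule is the only one that depends on earlier facts; the others match a single record, which is the common case for the simpler signatures in the list above.</P>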
<H3><A NAME="Heading11"></A><FONT COLOR="#000077">Other IDS Features to Consider</FONT></H3>
<P>So far you’ve seen that Stalker and CMDS are complementary system-level IDSs that catch a number of attacks that scanners and network sniffers cannot. The next few sections summarize some other important issues to consider about system intrusion detection.
</P><P><BR></P>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="234-237.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="240-243.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- BEGIN SUB FOOTER -->
<br><br>
</TD>
</TR>
</TABLE>
<table width="640" border=0 cellpadding=0 cellspacing=0>
<tr>
<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
<!-- END SUB FOOTER -->
<!-- all of the books have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- FOOTER -->
<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a> | <a href="/contactus.html"><font color="#006666">Contact Us</font></a> | <a href="/aboutus.html"><font color="#006666">About Us</font></a> | <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> | <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> | <a href="/"><font color="#006666">Home</font></a></b>
<br><br>
Use of this site is subject to certain <a href="/agreement.html">Terms & Conditions</a>, <a href="/copyright.html">Copyright © 1996-1999 EarthWeb Inc.</a><br>
All rights reserved. Reproduction whole or in part in any form or medium without express written permision of EarthWeb is prohibited.</font><p>
</td>
</tr>
</table>
</BODY>
</HTML>
<!-- END FOOTER -->