25-08-2017, 09:32 PM
CLASSIFICATION AND DETECTION OF COMPUTER INTRUSIONS
Attachment: 95-08.pdf (Size: 639.54 KB)
INTRODUCTION
In this chapter we motivate the need for securing computer systems and discuss the role of intrusion detection in their security. We give a broad overview of the field of intrusion detection as it is presented in the literature. In the next chapter we survey approaches that have been taken in other systems for detecting intrusions.
Computer Security and its Role
One broad definition of a secure computer system is given by Garfinkel and Spafford [GS91] as one that can be depended upon to behave as it is expected to. The dependence on the expected behavior being the same as exhibited behavior is referred to as trust in the security of the computer system. The level of trust indicates the confidence in the expected behavior of the computer system. The expected behavior is formalized into the security policy of the computer system and governs the goals that the system must meet. This policy may include functionality requirements if they are necessary for the effective functioning of the computer system.
A narrower definition of computer security is based on the realization of confidentiality, integrity, and availability in a computer system [RS91]. Confidentiality requires that information be accessible only to those authorized for it, integrity requires that information remain unaltered by accidents or malicious attempts, and availability means that the computer system remains working without degradation of access and provides resources to authorized users when they need it. By this definition, an unreliable computer system is unsecure if availability is part of its security requirements.
A secure computer system protects its data and resources from unauthorized access, tampering, and denial of use. Confidentiality of data may be important to the commercial success or survival of a corporation, data integrity may be important to a hospital that maintains medical histories of patients and uses it to make life critical decisions, and data availability may be necessary for real-time traffic control.
There is a close relationship between the functional correctness of a computer system and its security. Functional correctness implies that a computer system meets its specifications. If the functionality specification includes security policy requirements, then functional correctness implies security of the computer system. However, the reverse is not true, i.e., functional error may not result in violations of the security policy, especially as it relates to confidentiality, integrity, and availability. For example, an operating system service call may not process all valid arguments to it correctly, yet it may not be possible to violate the security policy by taking advantage of this fact. As another example, consider a visual (WYSIWYG) word processing program that fails to highlight user selections on the display. The program is likely not functionally correct, but this behavior may not cause a violation of the system security policy.
Threats to Security
As a society we are becoming increasingly dependent on the rapid access and processing of information. As this demand has increased, more information is being stored on computers. The increased use of computers has made rapid tabulation of data from different sources possible. Correlation of information from different sources has allowed additional information to be inferred that may be difficult to obtain directly. The proliferation of inexpensive computers and of computer networks has exacerbated the problem of unauthorized access and tampering with data. Increased connectivity not only provides access to larger and varied resources of data more quickly than ever before, it also provides an access path to the data from virtually anywhere on the network [Pow95]. In many cases, such as the Internet worm attack of 1988 [Spa89], network intruders have easily overcome the password authentication mechanisms designed to protect systems.