Analytical Techniques Development for a Statistical Intrusion Detection System (sids) Based on Accounting Records. Technical Report, 3.8 Clyde Digital Systems' Audit

A prototype IDES|a real-time intrusion detection expert system. 16 Auditing can be controlled by VMS-format keyboard commands or from programs. Audit allows analysis of the audit data by random sampling or through selective analysis based on the system manager's knowledge of external events. Audit's analysis produces three reports: a security summary report, which summarizes the activity of high-risk users (as deened by a predetermined set of 14 risk factor tests and a programmable set of weighting parameters); a security event report, which summarizes the events that caused those users to be considered high-risk; and a supporting data report, which includes data from the audit log to support the conclusions of the rst two reports. The risk factors for which Audit tests include sessions outside business hours or on weekends or holidays (the deenition of normal business hours and holidays can be selected by the system manager); sessions indicating use of the AUTHORIZE or SYSGEN utilities; sessions indicating browsing; le access alarms; other alarms (alarms can be established for certain activities); repeated unsuccessful login attempts; sessions with dial-up or remote terminals; simultaneous logins for the same user; and attempts to turn oo auditing. Some of Audit's 14 tests use data contained in the audit logs, and some use information from the VMS operator log le; no test uses data from both. The operator log le is used to test for le access alarms, other alarms, login failures, and attempts to turn oo auditing. The other tests use the audit logs. Each of the 14 tests has an associated weight and three factors. One factor is for after-hour use; one factor is for activity from a dial-up terminal; and one factor is for activity from a DECnet remote terminal. Whenever an event satisses one of the tests, its weight is multiplied by its relevant factors and the result is added to the score for that user. Users with suuciently high scores are considered to be high-risk. The weights and factors can be selected by the system manager. The system manager can also add additional tests. There has been at least one published report of bypasses of certain Audit tests 21]. Allen Clyde reports that Audit has detected \numerous acts of misconduct, including criminal conduct ... on sensitive computer systems" 22]. 4 Conclusions None of the intrusion-detection approaches described is suucient alone|each addresses a diierent threat. A successful intrusion-detection system should incorporate several …