Software Engineering Institute Carnegie Mellon

State of the Practice of Intrusion Detection Technologies

Appendix A Glossary

All of these terms are defined within the context of information assurance.

adversary
From a defender's viewpoint: one who is expected to attack an asset for which you are responsible. An adversary may be a group or an organization; in military or national-security settings, a nation state or a terrorist group; in the context of autonomous agents, a software agent, also known as a malicious agent. From an attacker's viewpoint: one who is responsible for defending the asset you intend to attack. Attackers and defenders are therefore mutual adversaries.
See also: attacker, intruder, victim.

analysis approach
A method used by an IDS to determine whether or not an intrusion has occurred. The two approaches defined below (attack signature detection, anomaly detection) are based on what the deployer or operator of the IDS knows prior to installing the IDS. In the following descriptions, "you" refers to the deployer/operator:

attack signature detection
Identifies patterns corresponding to known attacks. This includes both passive protocol analysis (the use of sniffers in promiscuous mode) and signature analysis (the interpretation of a certain series of packets, or a certain piece of data contained in those packets, that has been determined in advance to represent a known pattern of attack) [B26-b].

anomaly detection
Identifies any unacceptable deviation from expected behavior. Expected behavior is defined, in advance, by a manually-developed profile or by an automatically developed profile. An automatically-developed profile is created by software that collects and processes characteristics of system behavior over time and forms a statistically valid sample of such behavior. Some of these deviations do not require further examination and some do. An anomaly might include

  • users logging in at strange hours

  • unexplained reboots or changes to system clocks

  • unusual error messages from mailers, daemons, or other servers

  • multiple, failed login attempts with bad passwords

  • unauthorized use of the su command to gain UNIX root access

  • users logging in from unfamiliar sites on the network

One approach to anomaly detection is statistical analysis. A subcategory of anomaly detection is integrity checking, which determines whether some aspect of a file or object has been altered.

Anomaly detection assumes that intrusions are highly correlated to abnormal behavior exhibited by either a user or an application. The basic idea is to baseline normal behavior of the object being monitored and then flag behaviors that are significantly different from the baseline as abnormalities, or possible intrusions. [R61]  

attack (noun)
An action conducted by an adversary, the attacker, on a potential victim. A set of events which an observer believes to have information assurance consequences on some entity, the target of the attack. From the perspective of an administrator responsible for maintaining a system, an attack is a set of one or more events that has one or more security consequences. From the perspective of a neutral observer, an attack is either successful (an intrusion) or unsuccessful (an attempted or failed intrusion). From the perspective of an intruder, an attack is a mechanism to fulfill an objective. It is unclear whether an unsuccessful attack is an intrusion: intrusion seems to imply forced entry, while attack seems to imply only the application of force. Example usage: "Host xyz attacked site 123 with the blatsit attack."
See also: intrusion, adversary, intruder, target, victim.

attack (verb)
To begin to act upon destructively, to begin to destroy, expose, alter, or disable.

attacker
An adversary who conducts an attack on a victim (e.g., a host). Contrast with intruder.
See also: intruder, attack.

auditing
Systematically examining system data against documented expectations of form or behavior to verify conformance with documented expectations.

availability
The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them.

confidentiality
The property that information is not made available or disclosed to unauthorized individuals, entities, or processes (i.e., to any unauthorized system entity).

consequence
The change in security caused by a particular action. In vulnerability analysis, the theoretical change in system state (i.e., the state transition itself) that would be effected on a system of a particular class assuming that the system has the vulnerability being analyzed and that the vulnerability were exploited. In artifact analysis, the theoretical change in system state (i.e., the state transition itself) that would be effected on a system of a particular class assuming that the particular artifact (i.e., attack program) being analyzed was executed successfully against the system. The consequence of an action may be quite different depending on the observer's frame of reference (e.g., attacker, victim, uninvolved). Contrast consequence with impact. For a given action, its consequence is the terminal state and its impact is the state transition from the starting system state to the terminal system state.

Consequences include unauthorized access, unauthorized use, denial of service, reconnaissance, deception, alteration of data, and destruction of data.

exploit (verb)
To take advantage, in some way, of a vulnerability in a system in the pursuit or achievement of some objective. All vulnerability exploitations are attacks, but not all attacks exploit vulnerabilities.

exploit (noun)
Colloquially for exploit script: a script, program, mechanism, or other technique by which a vulnerability is used in the pursuit or achievement of some information assurance objective. It is common speech in this field to use the terms exploit and exploit script to refer to any mechanism, not just scripts, that uses a vulnerability.

false negative
Occurs when the IDS fails to identify an intrusion when one has in fact occurred [B26-b].

false positive
Occurs when the IDS incorrectly identifies an intrusion when none has occurred [B26-b].
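
As an added illustration (not code from the report), the following Python sketch runs the two analysis approaches defined in this glossary, attack signature detection and anomaly detection, over constructed login records and scores each detector against ground truth, so the false positive and false negative counts defined above fall out of the comparison. The users, hours, messages, signature patterns, and the two-standard-deviation threshold are all assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed records, not from the report. Training period, assumed benign: (user, login hour).
BASELINE = [("alice", 9), ("alice", 10), ("alice", 11), ("alice", 9), ("alice", 17),
            ("bob", 8), ("bob", 9), ("bob", 10), ("bob", 9)]
# Monitoring period with ground truth for scoring: (user, hour, log message, is_intrusion).
EVENTS = [("alice", 10, "login ok", False), ("bob", 9, "login ok", False),
          ("alice", 3, "login ok", True),                        # login at a strange hour
          ("bob", 9, "su: bob to root failed", True),            # unauthorized su attempt
          ("alice", 9, "login failed: bad password", False)]     # single typo, benign

# Attack signature detection: patterns decided in advance to represent known attacks.
SIGNATURES = [re.compile(r"su: \w+ to root"), re.compile(r"login failed.*bad password")]

def build_profile(records):
    """Anomaly-detection baseline: mean and sample std. dev. of login hour per user."""
    hours = defaultdict(list)
    for user, hour in records:
        hours[user].append(hour)
    return {u: (statistics.mean(h), statistics.stdev(h) if len(h) > 1 else 0.0)
            for u, h in hours.items()}

PROFILE = build_profile(BASELINE)

def signature_alarm(user, hour, msg):
    return any(sig.search(msg) for sig in SIGNATURES)

def anomaly_alarm(user, hour, msg, threshold=2.0):
    """Flag a login hour more than `threshold` std. devs. from the user's baseline."""
    if user not in PROFILE:
        return True                      # never-seen user is itself a deviation
    mean, sd = PROFILE[user]
    return abs(hour - mean) > threshold * sd if sd else hour != mean

def combined_alarm(user, hour, msg):
    return signature_alarm(user, hour, msg) or anomaly_alarm(user, hour, msg)

def evaluate(detector, events=EVENTS):
    """Score a detector against ground truth; returns (tp, fp, fn, tn)."""
    tp = fp = fn = tn = 0
    for user, hour, msg, is_intrusion in events:
        alarm = detector(user, hour, msg)
        if alarm and is_intrusion: tp += 1
        elif alarm: fp += 1          # false positive: alarm but no intrusion
        elif is_intrusion: fn += 1   # false negative: intrusion but no alarm
        else: tn += 1
    return tp, fp, fn, tn
```

On this sample the signature detector misses the odd-hour login and raises a false positive on the single bad password, while the anomaly detector misses the su attempt; combining them removes the false negatives but keeps the false positive.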

impact
The negative effect of an attack on a victim system by an attacker. In incident analysis, the negative effect on a system that results from exploiting a particular vulnerability, as in "the vulnerability's impact". In vulnerability analysis, the hypothesized negative state that would be effected on a system of a particular class assuming that the system has the vulnerability in question and that the vulnerability were exploited. The term is used most frequently in incident analysis. In vulnerability analysis, its use is generally deprecated in favor of the more precise consequence.
See also: consequence, attack, vulnerability.

incident
A collection of data representing one or more related attacks. Attacks may be related by attacker, type of attack, objectives, sites, or timing.

information assurance
The subfield of information science that focuses on the conditions necessary to assure users of information systems and services that they can expect:

  1. the information and services they use actually did originate with whom they claim and are exactly as the originator intended

  2. the information and services they use will be available when needed

  3. the information and services for which they are responsible will be made available only to those they intend and only in the manner that they intend

See also: security, survivability.

integrity
For systems, the quality that a system has when it can perform its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation.
For data, the property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.

inspection
Examining a data resource or process to identify anomalous content or behavior in the data resource or process.

intruder
An adversary who is conducting or has conducted an intrusion or attack against a victim host, site, network, or organization. Since the label of intruder is assigned by the victim of the intrusion and is therefore contingent on the victim's definition of encroachment, there can be no ubiquitous categorization of actions as being intrusive or not. From the victim's viewpoint, an intruder is usually an entity (person or organization) that has successfully attacked the victim. It is unclear whether one who conducts an unsuccessful attack is an intruder. If an intrusion is required for one to be an intruder, then all intruders are attackers, but not all attackers are necessarily intruders.
See also: attacker, adversary, intrusion.

intrusion
Actual illegal or undesired logical entry into an information system; the act of violating the security policy or legal protections that pertain to an information system.

The concept of an unsuccessful intrusion is not common in colloquial English, but it is common in information assurance, which makes the term ambiguous in information assurance usage.

Some uses seem to encompass both successful and unsuccessful intrusions, while others seem to imply successful intrusions only and unsuccessful intrusions are just attacks. It is unclear whether an unsuccessful attack is an intrusion. Intrusion seems to imply forced entry, while attack seems to only imply the application of force.
See also: attack.

intrusion detection system
A combination of hardware and software that monitors and collects system and network information and analyzes it to determine if an attack or an intrusion has occurred. Some ID systems can automatically respond to an intrusion.

intrusion detection technologies
A broader term (than intrusion detection system) meaning a combination of ID systems, intrusion analysts, and other supporting tools (such as those that process raw network packets or log files). Used together, ID technologies can provide accurate indicators of whether or not an attack or intrusion has occurred.

logging
Systematically recording specified events in the order that they occur to provide a data trail for subsequent analysis.

mission
A set of very high-level (i.e., abstract) requirements or goals. Missions are not limited to military settings since any successful organization or project must have a vision of its objectives whether expressed implicitly or as a formal mission statement. Judgments as to whether or not a mission has been successfully fulfilled are typically made in the context of external conditions that may affect the achievement of that mission.

monitoring
Observing a data stream for specified events to provide data for subsequent action or analysis.

response
Actions taken to protect and restore the normal operating condition of computers and the information stored in them when an attack or intrusion occurs. Also referred to as incident response or intrusion response.

security
The subfield of information science concerned with ensuring that information systems are imbued with the condition of being secure, as well as the means of establishing, testing, auditing, and otherwise maintaining that condition.

site
A logical group of interconnected physical machines all under the control of a single administrative unit. Also, the administrative unit itself, or the DNS domain name of the administrative unit. A site almost always contains multiple systems, and any one of these systems is not necessarily wholly contained within the site. Generally, the machines that make up a site are co-located geographically, hence the name. A site is frequently equated with its DNS domain name. Example usage: "James attacked site blue." "James attacked blue.com."

survivability
The capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents. Timeliness is a critical factor that is typically included in (or implied by) the very high-level requirements that define a mission. However, timeliness is such an important factor that we include it explicitly in the definition of survivability. It is important to recognize that it is the mission fulfillment that must survive, not any particular subsystem or system component. Central to the notion of survivability is the capability of a system to fulfill its mission, even if significant portions of the system are damaged or destroyed. We will sometimes use the term survivable system as a less than perfectly precise shorthand for a system with the capability to fulfill a specified mission in the face of attacks, failures, or accidents.
See also: attack, mission, system.

system
One or more interconnected physical machines (hosts) operating in cooperation with one another to meet a particular mission. Systems are generally, although not necessarily, contained within one site. Hosts may participate in multiple systems. Systems may be wholly contained within one host or distributed across multiple hosts.
See also: mission.

target (noun)
The object of an attack, especially a host, computer, network, system, site, person, organization, nation, company, government, or other group.
See also: attack, victim.

target (verb)
To use something or someone as a target. To plan or schedule something or someone to attain an objective. For many computer-based attacks, target selection and attack are tightly integrated and, perhaps, indistinguishable.
See also: attack.

victim
That which is the target of an attack. An entity may be a victim of either a successful or unsuccessful attack.
See also: adversary, attack, attacker, intruder, intrusion.

vulnerability
A feature or a combination of features of a system that allows an adversary to place the system in a state that is both contrary to the desires of the people responsible for the system and increases the risk (probability or consequence) of undesirable behavior in or of the system. A feature or a combination of features of a system that prevents the successful implementation of a particular security policy for that system. A program with a buffer that can be overflowed with data supplied by the invoker will usually be considered a vulnerability. A telephone procedure that provides private information about the caller without prior authentication will usually be considered to have a vulnerability.