How CMDS Works

Posted by arlene

CMDS is best known for its statistical anomaly-detection approach, although CMDS also includes an expert system with pattern-matching signatures. Many early IDSs were written using rule-based expert systems, although this programming paradigm is not widely used today.

Analysis Modes

CMDS can analyze target node data in real time, batch, or on-demand modes. Each target runs a daemon that preprocesses the audit data, converts the data into a normal format, encrypts the data, and then sends the data to the CMDS Server. Optionally, the audit logs can be stored on the target and sent to the central server on a scheduled basis.

Most installations run in real time and perform on-demand analysis when an alert is generated to fine-tune monitoring activities. When an alert occurs, it is indicated via one of the following responses:

  • A pop-up alert screen on the server
  • E-mail
  • Pager notification
  • User defined

Administrators who do not need real-time analysis can run reports in batch mode, perhaps during off hours so that the analysis will be available to the security officers in the morning.

Statistical Measures

CMDS computes means and confidence intervals for several different usage measures. In simple terms, the system tracks what a user does in real time by counting the occurrences of different events. The categories that CMDS monitors include the following:

  • Failed logins
  • Failed reads
  • Execution of programs and system calls, whether interactive or batch
  • Networking audit records such as socket events
  • Browsing activities, such as reading files and changing directories
  • su attempts
  • Access to devices

Customers can define new categories by associating specific audit events with a category. When an audit record of that event type is detected, the category count is incremented. Category statistics can be tracked by user or by IP address. This differentiator is important because it enables you to know that a particular user was busy copying files or that one odd system saw a spike in the total number of file deletes.

Reporting Anomalies

CMDS enables you to report statistics by user and node. These reports are available in addition to real-time detection and response for threshold exceptions. Notice that both upper and lower boundaries are defined for a category. If a user’s measure remains within the boundaries, all is well. Any time an activity crosses the upper limit or falls below the lower limit an anomaly is reported.

A user’s statistical profile is composed of a collection of category measures. The profile is computed from the last 90 days of activities. In addition to computing frequency values and means, a total category count is maintained. Thus, you can know whether a user ran 90 percent of the file delete commands for the day. Also reported is the total number of records per category relative to the total number of audit records, so you can know whether file deletes accounted for 50 percent of the day’s activities for the system. CMDS tracks both the AUID and the EUID for an activity to assign accountability.

The daily profile for a user or IP address is broken down by hour. These values are presented in the graphical reports that can be printed on-demand or on a batch schedule. In case you are wondering, the thresholds are computed by calculating the mean for a category and then computing confidence intervals that you can define. The confidence intervals define the upper and lower threshold values.

Alerts can be generated from a single threshold violation or from a combined measure drawn from different categories. You can configure these options in the GUI provided with CMDS. Statistical measures can be treated independently or combined: the count from one audit category can be combined with another statistic to invent a third category, and the number of combined categories is practically unlimited. Monitoring of thresholds in real time can happen sequentially or in parallel, which enables you to prioritize what the engine monitors.
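The profile-and-threshold mechanism described above, as an added example that is not CMDS code: daily per-user category counts are built from normalized audit records, the mean and a confidence band (mean plus or minus an administrator-chosen multiple of the standard deviation, an assumption about how the interval is defined) become the upper and lower thresholds, and a day under review is checked against them. Accountability is charged to the AUID even when the EUID differs; the record shape and the sample data are constructed for the example.

```python
import statistics
from collections import defaultdict

Z = 2.0       # confidence multiplier; CMDS lets the administrator define the interval (assumed value)
MIN_SD = 0.5  # floor so a perfectly flat history does not collapse both thresholds onto the mean

def make_records(table):
    """Expand {(day, auid, euid, category): count} into individual constructed audit records."""
    return [key for key, n in table.items() for _ in range(n)]

def daily_counts(records):
    """Count events per (auid, category, day). Accountability is charged to the AUID
    (the login user) even when the EUID differs, e.g. after su to root."""
    counts = defaultdict(int)
    for day, auid, euid, category in records:
        counts[(auid, category, day)] += 1
    return counts

def build_profile(records, history_days):
    """Per-user, per-category mean and (lower, upper) thresholds over the history window."""
    series = defaultdict(list)
    for (auid, category, day), n in daily_counts(records).items():
        if day in history_days:
            series[(auid, category)].append(n)
    profile = {}
    for key, values in series.items():
        values += [0] * (len(history_days) - len(values))  # days with no events count as zero
        mean, sd = statistics.mean(values), max(statistics.pstdev(values), MIN_SD)
        profile[key] = (mean, mean - Z * sd, mean + Z * sd)
    return profile

def check_day(records, profile, day):
    """Return (auid, category, count, lower, upper) for every threshold crossed on `day`.
    Both directions are anomalies: too many events, or fewer than the user normally has."""
    counts = daily_counts(records)
    anomalies = []
    for (auid, category), (mean, lower, upper) in profile.items():
        n = counts.get((auid, category, day), 0)
        if n > upper or n < lower:
            anomalies.append((auid, category, n, round(lower, 2), round(upper, 2)))
    return sorted(anomalies)

# Constructed history (days 1-5) plus the day under review (day 6); not real audit data.
SAMPLE = make_records({
    **{(d, "alice", "alice", "file_delete"): n for d, n in zip(range(1, 6), [3, 2, 4, 3, 3])},
    **{(d, "alice", "alice", "failed_login"): n for d, n in zip(range(1, 6), [1, 0, 1, 0, 1])},
    **{(d, "bob", "root", "su"): 2 for d in range(1, 6)},
    (6, "alice", "alice", "file_delete"): 9,
    (6, "alice", "alice", "failed_login"): 1,
})

if __name__ == "__main__":
    for hit in check_day(SAMPLE, build_profile(SAMPLE, set(range(1, 6))), 6):
        print("anomaly:", hit)
```

Alice's nine deletes cross her upper limit while her single failed login stays inside the band; bob, who normally runs su twice a day, trips the lower limit by not running it at all.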

Pattern Matching Signatures

CMDS uses the publicly available Common Language Integrated Production System (CLIPS) expert system developed at NASA. CLIPS is a forward-chaining, rule-based expert system. Backward chaining can be implemented in CLIPS, but CMDS uses the forward-chaining model. In forward-chaining systems, the expert systems reason from facts to goals. An oversimplification is to think of this as the process of elimination for goals known in advance. Backward-chaining systems, should you be curious, assume a goal and then try to prove or disprove it as facts arrive for processing. If you want to know more about all of the gory details of commercial expert system building tools, plenty of sources are available (Waterman, 1988; Harmon, 1990).

CMDS detects roughly 20 attack signatures including the following:

  • Setting the SUID bit on a file
  • Browsing attacks, such as unauthorized reads
  • Known weakness exploits, such as the Sun load module buffer overflow attack
  • Successful and unsuccessful remote break-in events
  • Changes to system accounting configuration
  • Trojan Horse planting or execution
  • Password attacks
  • Masquerade attempts
  • Tagged user login
  • Tagged file lists, which can be customized by the CMDS administrator
  • System events such as shutdown, halt, or reboot

To create a signature you must know how to add new rules to a CLIPS knowledge base.
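An added illustration of the forward-chaining model the signature engine relies on, written as a small Python rule loop rather than in CLIPS and not taken from CMDS: rules fire on the facts present in the fact base, the facts they assert can in turn match further rules, and the loop stops when no rule adds anything new. Two signatures from the list above are encoded (the SUID bit being set, and a shutdown/halt/reboot system event); the audit record shape, field names and sample records are assumptions constructed for the example.

```python
import stat

# Constructed, already-normalized audit records; the real CMDS record format is not
# documented on this page, so this shape is an assumption.
AUDIT = [
    {"type": "chmod", "user": "carol", "path": "/tmp/helper", "mode": 0o4755, "owner": "root"},
    {"type": "chmod", "user": "dave", "path": "/home/dave/notes", "mode": 0o644, "owner": "dave"},
    {"type": "exec", "user": "carol", "path": "/sbin/reboot"},
]

def rule_suid(facts):
    """IF a chmod record sets the set-user-ID bit THEN assert a suid_set fact."""
    return [("suid_set", f["user"], f["path"], f["owner"])
            for f in facts
            if isinstance(f, dict) and f["type"] == "chmod" and f["mode"] & stat.S_ISUID]

def rule_suid_alert(facts):
    """IF suid_set on a root-owned file THEN assert an alert (chains on rule_suid's fact)."""
    return [("alert", "suid bit set on root-owned file", f[1], f[2])
            for f in facts
            if isinstance(f, tuple) and f[0] == "suid_set" and f[3] == "root"]

def rule_system_event(facts):
    """IF a user executes shutdown, halt or reboot THEN assert an alert."""
    return [("alert", "system event", f["user"], f["path"])
            for f in facts
            if isinstance(f, dict) and f["type"] == "exec"
            and f["path"].rsplit("/", 1)[-1] in {"shutdown", "halt", "reboot"}]

RULES = [rule_suid, rule_suid_alert, rule_system_event]

def forward_chain(records):
    """Fire every rule against the fact base until no rule asserts a new fact,
    then return the alert facts that were derived along the way."""
    facts = list(records)   # raw audit records are the initial facts
    derived = set()         # facts asserted by rules (tuples, so hashable)
    changed = True
    while changed:
        changed = False
        for rule in RULES:
            for fact in rule(facts):
                if fact not in derived:
                    derived.add(fact)
                    facts.append(fact)
                    changed = True
    return sorted(f for f in derived if f[0] == "alert")

if __name__ == "__main__":
    for alert in forward_chain(AUDIT):
        print(alert)
```

Only carol's chmod reaches the alert rule, because the intermediate suid_set fact for a root-owned file is what the second rule matches; dave's chmod asserts nothing.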

Role of Statistical Anomaly Detection

Anomaly detectors look for statistical differences in behavior. They assume intrusions are rare and thus will show up as exceptions to normal behavior. An anomaly detector will trigger when an upper or lower threshold is passed by one of the statistics being calculated.

Often, skilled users pose problems for statistical models because they might use a wider range of commands or occasionally rely on a rarely used command (Smaha and Winslow, 1994). Configuring the event monitor so that it does not report false alarms for skilled users can be difficult. Another way to describe this limitation is to say that statistical techniques are most effective when applied to homogeneous data, such as credit card activities, securities trading, or loan processing.

Not all anomalies are intrusions. If you are a programmer or researcher and decide to run a program a number of times although you do not normally do this, the event could trigger an alert if this activity is one of the statistics in your profile. A system that relies on statistical profiles only may not assign accountability correctly. For example, if one statistic is cumulative evidence of running rogue programs from an account, it is also important to know whether the login user is performing these tasks or whether someone has switched to that user ID from another. Remember that CMDS does not have this problem because it tracks both the AUID and the EUID to assign accountability for actions.
