Kruegel / Valeur / Vigna: Intrusion Detection and Correlation: Challenges and Solutions
1st edition 2005
E-book, English, volume 14, 118 pages
ISBN: 978-0-387-23399-4
Publisher: Springer US
Format: PDF
Copy protection: 1 - PDF Watermark
Series: Advances in Information Security
Target audience: Research
Contents:
Computer Security and Intrusion Detection
Alert Correlation
Alert Collection
Alert Aggregation and Verification
High-Level Alert Structures
Large-Scale Correlation
Evaluation
Open Issues
Conclusions
Chapter 2 COMPUTER SECURITY AND INTRUSION DETECTION (p. 9-10)
The scenario in the previous section described an exemplary threat to computer system security in the form of an intruder attacking a company’s web server. This chapter attempts to give a more systematic view of system security requirements and potential means to satisfy them. We define properties of a secure computer system and provide a classification of potential threats to them. We also introduce the mechanisms to defend against attacks that attempt to violate desired properties.
Before one can evaluate attacks against a system and decide on appropriate mechanisms to fend off these threats, it is necessary to specify a security policy [Tanenbaum and van Steen, 2002]. A security policy defines the desired properties for each part of a secure computer system. It is a decision that has to take into account the value of the assets that should be protected, the expected threats and the cost of proper protection mechanisms. A security policy that is sufficient for the data of a normal home user may not be sufficient for a bank, as a bank is obviously a more likely target and has to protect more valuable resources.
1. Security Attacks and Security Properties
For the following discussion, we assume that the function of a computer system is to provide information. In general, there is a flow of data from a source (e.g., a host, a file, memory) to a destination (e.g., a remote host, another file, a user) over a communication channel (e.g., a wire, a data bus). The task of the security system is to restrict access to this information to only those parties (persons or processes) that are authorized to have access, according to the security policy in use.
The normal information flow and several categories of attacks that target it are shown in Figure 2.1 (according to [Stallings, 2000]).
1. Interruption: An asset of the system gets destroyed or becomes unavailable. This attack targets the source or the communication channel and prevents information from reaching its intended target (e.g., cutting the wire or overloading the link so that the information gets dropped because of congestion). Attacks in this category attempt to perform a kind of denial of service (DoS).
2. Interception: An unauthorized party gets access to the information by eavesdropping on the communication channel (e.g., by wiretapping).
3. Modification: The information is not only intercepted, but also modified by an unauthorized party while in transit from the source to the destination (e.g., by modifying the message content).
4. Fabrication: An attacker inserts counterfeit objects into the system without the sender doing anything. When a previously intercepted object is inserted, this process is called replaying. When the attacker pretends to be the legitimate source and inserts her desired information, the attack is called masquerading (e.g., replaying an authentication message or adding records to a file).
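As an added illustration (not code from the book), a small Python model of the source-to-destination flow above: the destination verifies a constructed shared-key HMAC and a sequence number, and each of the four attack categories is applied to one constructed message to show which ones the destination can notice on its own. Passive interception leaves the message intact and is therefore invisible to the receiver, which is why confidentiality has to be enforced preventively rather than detected after the fact.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed shared key for the demonstration (assumed, not from the book).
KEY = b"demo-shared-key"

def make_message(seq: int, body: str) -> bytes:
    """Source side: attach a sequence number and an HMAC tag to the body."""
    payload = json.dumps({"seq": seq, "body": body}).encode()
    tag = hmac.new(KEY, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + tag

class Receiver:
    """Destination side: checks integrity (tag) and freshness (sequence number)."""
    def __init__(self) -> None:
        self.last_seq = 0

    def accept(self, wire: Optional[bytes]) -> str:
        if wire is None:                       # nothing arrived: only the absence is observable
            return "interruption detected: nothing arrived"
        payload, _, tag = wire.rpartition(b"|")
        expected = hmac.new(KEY, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "modification/fabrication detected: bad tag"
        seq = json.loads(payload)["seq"]
        if seq <= self.last_seq:               # previously seen message re-inserted
            return "replay detected: stale sequence number"
        self.last_seq = seq
        return "accepted"

def simulate() -> dict:
    """Apply each attack category to one constructed message and record the receiver's verdict."""
    results = {}
    msg = make_message(1, "transfer 10")
    results["normal"] = Receiver().accept(msg)
    # Interruption: the message never reaches the destination.
    results["interruption"] = Receiver().accept(None)
    # Interception: an eavesdropper copies the message; the destination sees it unchanged.
    results["interception"] = Receiver().accept(msg)
    # Modification: the body is altered in transit without recomputing the tag.
    results["modification"] = Receiver().accept(msg.replace(b"transfer 10", b"transfer 99"))
    # Fabrication (replay): a captured message is inserted a second time.
    rx = Receiver()
    rx.accept(msg)
    results["replay"] = rx.accept(msg)
    return results
```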