
Friday, August 01, 2008

Bace: Ch 3--Information Sources

Bace is taking it one chunk at a time, which is good for somebody like me. Intrusion detection systems determine whether an intrusion has been made based on information. This chapter discusses where the information on which the decision is made comes from. She also talks about the different levels of abstraction of information, and how they can affect the intrusion determination.

She talks about operating system audit trails and system logs. The audit trails are lower level and more secure. She gave real world examples, with Solaris Basic Security Module and Windows NT event logger. Now the thing is, I guess I thought of BSM as being an audit trail and event logger as system logs. Actually, I'd never heard of BSM before, and I'm wondering if anything similar is present in Linux. Maybe that's what the commercial versions provide.

The need for audit reduction is described. The gears shift from host-based information sources to application-based. On page 60, she says the intrusion detection community thinks that all the important ID information will be at the application level. I wasn't understanding why until I read her examples about database systems. Some computer systems exist only to run extremely large scale applications like databases or web servers, so yeah, that's where all the information would be. Network-based sources were discussed, but most of it was either stuff I knew or had at least heard of.

And she said that there are other sources--including human sources. Of course we set configurations and such, but we can also feed the machine outside information that it doesn't have access to but is relevant. She also pointed out that data within the sphere of computer security but outside of intrusion detection can be useful. Her example was physical security logs to corroborate whether a masquerader is at large.
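To make two of the ideas above concrete (audit reduction from a couple of paragraphs up, and corroborating a suspected masquerader against physical security logs), here is a small added example. It is not code from Bace's book or from this post; the audit trail and badge log below are constructed sample data, the field layout is a simplified one I chose for illustration, and the "on site" rule (last badge event before the login was an "in") is an assumption about how a badge system records entries and exits.

```python
"""Audit reduction plus cross-source corroboration (added example).

Assumed, simplified layouts:
  host audit trail: (timestamp, event, user, source)
  badge log:        (timestamp, user, direction)  direction is "in" or "out"
All records below are constructed sample data, not real logs.
"""
from datetime import datetime

# Constructed host audit trail (BSM/event-log style, heavily simplified).
AUDIT_TRAIL = [
    ("2008-08-01T08:55:00", "login", "alice", "console"),
    ("2008-08-01T09:00:00", "file_read", "alice", "/etc/passwd"),
    ("2008-08-01T09:05:00", "login", "bob", "console"),
    ("2008-08-01T09:06:00", "file_read", "bob", "/var/log/messages"),
    ("2008-08-01T13:30:00", "login", "carol", "ssh:10.0.0.5"),
    ("2008-08-01T14:00:00", "login", "alice", "console"),
]

# Constructed physical security (badge reader) log.
BADGE_LOG = [
    ("2008-08-01T08:50:00", "alice", "in"),
    ("2008-08-01T09:02:00", "bob", "in"),
    ("2008-08-01T12:10:00", "alice", "out"),
]


def parse_ts(s):
    """Timestamps are ISO 8601 strings in the constructed data."""
    return datetime.fromisoformat(s)


def reduce_audit(trail, keep_events=("login",)):
    """Audit reduction: discard everything except the event types of interest.

    Here only logins survive; the high-volume file access records are dropped
    before any correlation work is done.
    """
    return [rec for rec in trail if rec[1] in keep_events]


def badge_present(badge_log, user, at):
    """True if the badge log says `user` was inside the building at time `at`.

    Assumption: presence is the direction of the user's most recent badge
    event at or before `at` ("in" means present, "out" means absent).
    """
    present = False
    for ts, who, direction in sorted(badge_log):  # ISO strings sort by time
        if who != user:
            continue
        if parse_ts(ts) > at:
            break
        present = direction == "in"
    return present


def find_masquerade_candidates(trail, badge_log):
    """Console logins that the physical log cannot corroborate.

    A local console login while the badge system says the account's owner
    is not on site is worth an analyst's attention; it may mean someone
    else is using the account. Remote logins are skipped because the badge
    log says nothing about them.
    """
    suspects = []
    for ts, _event, user, source in reduce_audit(trail):
        if source != "console":
            continue
        if not badge_present(badge_log, user, parse_ts(ts)):
            suspects.append((ts, user))
    return suspects


if __name__ == "__main__":
    for ts, user in find_masquerade_candidates(AUDIT_TRAIL, BADGE_LOG):
        print(f"uncorroborated console login: {user} at {ts}")
```

With the sample data, the 08:55 and 09:05 logins line up with badge entries a few minutes earlier, carol's SSH login is skipped, and alice's 14:00 console login is flagged because her last badge event before that time was an "out" at 12:10. A real deployment would also have to handle clock skew between the two systems and tailgating (people entering without badging), which is exactly why this kind of outside data corroborates rather than replaces the host evidence.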

Posted by threeRd at 2:08 PM
Categories: intrusion detection