10.3 Intrusion Patterns


Software systems known as intrusion detection systems (IDSs) have been constructed to detect these break-ins automatically. They are based on the analysis of certain behavior patterns, and intrusion detection comes down to two main types of pattern: misuse and anomaly.

Misuse intrusions are well-defined attacks on known weak points of a system and involve some of the hacking techniques described in the preceding section. They can be detected by data mining audit-trail information. For example, an attempt to create a setuid file or to run tcpdump can be caught by examining the log messages generated by those system calls, using a pattern-matching approach.

Anomaly intrusions are based on observations of deviations from normal system usage patterns. They are detected by building up a profile of the system being monitored and flagging significant deviations from normal behavior. The profile consists of metrics computed from available system parameters, such as average CPU load, number of network connections per minute, number of processes per user, type of application accessed, etc. An anomaly, or deviation from the system profile, may be an indication of a possible intrusion.

A hybrid system that combines the usage profiles of an anomaly system with the vigilance of a misuse-detection program may be the best solution. Such a hybrid program would monitor the system continuously for potential intrusions, yet be able to ignore spurious false alarms that resulted from legitimate user actions.
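As an added example (not code from the book), the following Python sketch shows the three approaches on constructed data: signature matching for the two misuse cases the text names, a statistical profile for anomaly detection over metrics like connections per minute and processes per user, and the hybrid rule that suppresses a signature hit when it comes from an authorized user. The audit-log format, the signature regexes, the metric names and the 3-sigma threshold are assumptions made for this example.

```python
import re
import statistics
# Constructed audit-log format: "<ts> user=<name> <event> <details>". Signatures cover the
# two misuse cases the text names: creating a setuid file and invoking tcpdump.
MISUSE_SIGNATURES = {
    "setuid-file-created": re.compile(r"\bchmod\b.*\b(?:u\+s|4[0-7]{3})\b"),
    "tcpdump-invoked": re.compile(r"\bexecve\b.*\btcpdump\b"),
}
USER_RE = re.compile(r"\buser=(\S+)")
# Constructed sample data: three audit lines and a week of normal metric readings.
SAMPLE_LOG = [
    "09:01:12 user=alice execve /usr/bin/vim /home/alice/notes.txt",
    "09:02:40 user=mallory chmod 4755 /tmp/.x/sh",
    "09:03:05 user=root execve /usr/sbin/tcpdump -i eth0",
]
NORMAL_HISTORY = {
    "connections_per_minute": [40, 45, 38, 50, 42, 47, 44],
    "processes_per_user": [12, 14, 11, 13, 12, 15, 13],
}

def misuse_alerts(log_lines):
    """Misuse detection: pattern-match each audit line against the signature set."""
    hits = []
    for line in log_lines:
        for name, pattern in MISUSE_SIGNATURES.items():
            if pattern.search(line):
                user = USER_RE.search(line)
                hits.append((name, user.group(1) if user else "?"))
    return hits

def build_profile(history):
    """Anomaly baseline: (mean, population stdev) per metric from normal observations."""
    return {m: (statistics.mean(v), statistics.pstdev(v)) for m, v in history.items()}

def deviations(profile, sample, threshold=3.0):
    """Metrics whose z-score against the profile exceeds the threshold."""
    flagged = {}
    for metric, value in sample.items():
        mean, sd = profile[metric]
        z = (value - mean) / sd if sd else (0.0 if value == mean else float("inf"))
        if abs(z) > threshold:
            flagged[metric] = round(z, 2)
    return flagged

def hybrid_assess(log_lines, profile, sample, authorized_users=frozenset()):
    """Hybrid: suppress signature hits from authorized users, report the rest plus anomalies."""
    report = {"misuse": [], "suppressed": [], "anomaly": deviations(profile, sample)}
    for name, user in misuse_alerts(log_lines):
        report["suppressed" if user in authorized_users else "misuse"].append((name, user))
    return report
```

With the sample data, a reading of 400 connections per minute is flagged as anomalous, the setuid chmod by mallory is reported as misuse, and root's tcpdump run is suppressed as a legitimate action.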




Investigative Data Mining for Security and Criminal Detection
ISBN: 0750676132
Year: 2005
Pages: 232
Authors: Jesus Mena