• Observations ( x_i of x obtained from the audit records) are used together with a statistical model to determine whether a new observation is abnormal.

Obervation 과 Statistical model 두가지를 이용하여서 새로운 observation이 abnormal이지 판별한다.

• The statistical model makes no assumptions about the underlying distribution of x; all knowledge about x is obtained from observations. Before describing the structure,generation, and application of profiles,(????????)

1. Metrics

• Event Counter (발생횟수)
  
• x is the number of audit records satisfying some property occurring during a period (each audit record corresponds to an event).
• ex) number of logins during an hour, number of times some command is executed during a login session, and number of password failures during a minute.
• Interval Timer (두 이벤트 사이의 간격시간)
  
• x is the length of time between two related events
• 즉, the difference between the timestamps in the respective audit records.
• ex) length of time between successive logins into an account.
• Resource Measure (자원 소모양)
  
• x is the quantity of resources consumed by some action during a period as specified in the Resource-Usage field of the audit records.
  
• ex) the total number of pages printed by a user per day and total amount of CPU time consumed by some  program during a single execution.
• resource measure는 본 논문의 침입탐지 모델에서  event counter 나 interval timer로 구현되어 있다.
  

2. Statistical Models

2.1 Operational Model

• 가정 : Abnormality can be decided by comparing a new observation of x against fixed limits.
• Although the previous sample points for x are not used, presumably the limits are determined from prior observations of the same type of variable.
  
• The operational model is most applicable to metrics where experience has shown that certain values are frequently linked with intrusions.
• ex) An event counter for the number of password failures during a brief period, where more than 10, suggests an attempted break-in.

2.2 Mean and Standard Deviation Model

• 가정 : All we know about x₁....x_n, are mean and standard deviation(표준편차) as determined from its first two moments:

10번 시행시 평균값을 넘는 것을 탐지..이때 표준편차 적용

췌비쉐프 부등식(Chebyshev's inequality)에 따르면,? the probability of a value falling outside this interval is at most 1 /d²
ex) for d = 4, it is at most 0.0625. Note that 0 (or null) occurrences should be included so as not to bias the data.   

• This model is applicable to(유용한 분야)
  
• Event counters-timer, interval timers, and resource measures accumulated over a fixed time interval or between two related events.
• It has two advantages over an operational model.(오퍼레이션 모델 대비 2가지 장점)
  
• First, it requires no prior knowledge about normal activity in order to set limits; instead, it learns what constitutes normal activity from its observations, and the confidence intervals automatically reflect this increased knowledge.
• Second, because the confidence intervals depend on observed data, what is considered to be normal for one user can be considerably different from another.

2.3 Multivariate model(다 변량 모델)

• Similar to the mean and standard deviation model except that it is based on correlations among two or more metrics.
  
• 다음의 경우 이 모델이 유용하다.
  
• Experimental data show that better discriminating power can be obtained from combinations of related measures rather than individually-
• 즉, CPU time and I/O units used by a program, login frequency, and session elapsed time (which may be inversely related)

2.4 Markov Process Model

• This model regards each distinct type of event (audit record) as a state variable, and uses a state transition matrix to characterize the transition frequencies between states
• Applies only to event counters,
• New observation is defined to be abnormal
• if its probability as determined by the previous state & the transition matrix is too low
• This model might be useful for looking at transitions between certain commands where command sequences were important.
  

2.5 Time Series Model

• This model takes into account the order and interarrival times of the observations x₁... , x_n, as well as their values.
• Uses an interval timer together with an event counter or resource measure,
• A new observation is abnormal
• If its probability of occumng at that time is too low.
• Advantage of...
• Measuring trends of behavior over time and detecting gradual but significant shifts in behavior
• Disadvantage of being...
• More costly than mean and standard deviation

3. Profile Structure

• Identifies the statistical model and metric of a random variable
• Set of audit events measured by the variable.

<Variable-Name, Action-Pattern, Exception-Pattern, Resource-Usage-Pattern, Period, Variable-Type, Threshold, Subject-Pattern, Object-Pattern, Value>
* the first 7 are independent of the subjects and objects

• Variable-Name: Name of variable.
• Action-Pattern: Pattern that matches zero or more actions in the audit records
• ex)  "login," "read," "execute."
• Exception-Pattern: Pattern that matches on the Exception-Condition field of an audit record.
• Resource-Usage-Pattern: Pattern that matches on the Resource-Usage field of an audit record.
• Period: Time interval for measurement
• ex) Day, hour, minute (expressed in terms of clock units).
  
• This component is null if there is no fixed time interval
• ex) the period is the duration of the activity.
• Variable-Type: Name of abstract data type that defines a particular type of metric and statistical model
  
• ex) event counter with mean and standard deviation model.
• Threshold: Parameter(s) defining limit(s) used in statistical test to determine abnornality.
  
• This field and its interpretation is determined by the statistical model (Variable-Type).
• For the operational model, it is an upper (and possibly lower) bound on the value of an observation;
  
• For the mean and standard deviation model, it is the number of standard deviations from the mean.
• Subject-Pattern: Pattern that matches on the Subject field of audit records.
• Object-Pattern: Pattern that matches on the Object field of audit records.
• Value: Value of current (most recent) observation and parameters used by the statistical model to represent distribution of previous values.
• For the mean and standard deviation model, these parameters are count, sum, sum-of-squares (first two moments).
  
• The operational model requires no parameters.
  

특징

• A profile is uniquely identified by Variable-Name, Subject-Pattern, Object-Pattern
• All components of a profile are invariant except for Value.

Although the model leaves unspecified the exact format for patterns, we have identified the following SNOBO Llike constructs as being useful:

The following is a sample profile...

• For measuring the quantity of output to user Smith's terminal on a session basis.
• The variable type ResourceByActivity = a resource measure using the mean and standard deviation model.

Whenever the IDS receives an audit record that matches a variable's patterns,

• It updates the variable's distribution and checks for abnormality.
• The distribution of values for a variable is thus derived(=learned) as audit records matching the profile patterns are processed.

4. Profiles for Classes

• For individual subject-object pairs
  
• ex) Where the Subject and Object patterns match specific names,
  
• e.g., Subject "Smith" and Object "Foo"
  
• For aggregates of subjects and objects
  
• ex) Where the Subject and Object patterns match sets of names

예) File-activity profiles could be created..

• For pairs of individual users and files
• For groups of users with respect to specific files
  
• For individual users with respect to classes of files
  
• For groups of users with respect to file classes

[ 위 그림에서 각 노드에 대한 설명]

• Subject-Object : Actions performed by single subject on single object
• ex) user Smith, file Foo.

• Subject-Object Class:
  
• Actions performed by single subject aggregated over all objects in the class.
• The class of objects might be represented...
  
• As a pattern match on a subfield of the Object field that specifies the object's type(class),
• As a pattern match directly on the object's name
• (e.g., the pattern "*.EXE" for all executable files),
  
• As a pattern match that tests whether the object is in some list
• (e.g., "IN(hit-list)")

• Subject Class-Object: Actions performed on single object aggregated over all subjects in the class-
• ex) privileged users-directory file < Library >, nonprivileged users-directory file < Library > .

• Subject Class-Object Class: Actions aggregated over all subjects in the class and objects in the class-privileged users-system files, nonprivileged users-system files.

• Subject: Actions performed.by single subject aggregated over all objects
• ex) user session activity.

• Object: Actions performed on a single object aggregated over all subjects
• ex) password file activity.

• Subject Class: Actions aggregated over all subjects in the class
• ex) privileged user activity, nonprivileged user activity.

• Object Class: Actions aggregated over all objects in the class
• ex) executable file activity.

• system: Actions aggregated over all subjects and objects.
  

• Class-as-a-whole activity
• The set of all subjects or objects in the class is treated as a single entity,
  
• each observation of the random variable represents aggregate activity for the entity.
  
• ex) a profile for the class of all users representing the average number of logins into the system per day, where all users are treated as a single
  entity.
• Aggregate individual activity
• The subjects or objects in the class are treated as distinct entities,
  
• each observation of the random variable represents activity for some member of the class.
  
• ex) a profile for the class of all users characterizing the average number of logins by any one user per day. Thus, the profile represents a "typical" member of the class.

• Class-as-a-whole activity can be defined by an event counter, interval timer, or resource measure for the class
• Aggregate individual activity is defined in terms of the lower-level profiles for the individual class members.
• Aggregate individual activity requires separate metrics for each member of the class.
• 예) For example
• Average login frequency per day is defined as the average of the daily total frequencies in the individual user login profiles.
• A measure for a class-as-a-whole could also be defined in terms of lower-level profiles, but this is not necessary.

• Class-as-a-whole activity reveals whether some general pattern of behavior is normal with respect to a class.
  
• A variable that gives the frequency with which the class of executable program files are updated in the system per day, For example, might be useful for detecting the injection of a virus into the system (which causes executable files to be rewritten as the virusspreads).
• A frequency distribution of remote logins into the class of dial-up lines might be useful for detecting attempted break-ins.
• Aggregate individual activity reveals whether the behavior of a given user (or object) is consistent with that of other users (or objects).
  
• This may be useful for detecting intrusions by new users who have deviant behavior from the start.
  

5. Profile Templates

• Manual create
• The security officer explicitly creates all profiles.
• 단점 : requiring manual intervention on the part of the security officer.
  
• Automatic explicit create
• All profiles for a new useror object are generated in response to a "create" record in the audit trail.
• 장점 : "Manual create"의 단점 해결
• 단점
  
• it does not automatically deal with startup conditions, where there will be many existing subjects and objects.
• it requires a subject-object profile to be generated for any pair that is a candidate for monitoring, even if the subject never uses the particular object.
• cause many more profiles than necessary to be generated.
• ex) 1000명의 사용자가, 개인당 200개의 파일을 가지고 있다면, 총 200000파일이 존재 하며. 200,000,000의 사용자-파일 연결이 가능하다. 만약 사용자가 최대 300개의 파일만 접근 할수 있다면 오직 300,000개의 프로파일만 필요하다.
  
• First use
• A profile is automatically generated when a subject (new or old) first uses an object (new or old).
• IDEA 모델에서 책택한것
  
• 장점 : "Manual create"& "Automatic explicit create"의 단점 해결
• 해결 방법 : 템플릿을 이용하여 프로파일 생성
  

5.1 Profile Template

• Has the same structure as the profile it generates,
  
• Except the subject and object patterns define both a matching pattern & a replacement pattern
  
• matching pattern = on the audit records
• replacement pattern = to place in the generated profile
  
  

1. matches the record against both activity profiles and template profiles,
2. obtaining existing profiles
3. new profiles generated from the matching templates.
   
4. The subject and object patterns in a generated profile contain the replacement patterns defined during the match;
5. all other fields are copied exactly from the template.
6. If a new profile has the same patterns as an existing activity profile,
1. it is discarded
2. otherwise, it is added to the set of activity profiles.
   
7. The process then returns the activity profiles matching the audit record.

• The subject pattern will match any user name
  
• And generate a replacement pattern with that name.
• The object pattern will match any file in the list Special-Files
  
• And generate a replacement pattern with that name.

예) the list Special-Files contains the file names Password and Accounts.
 The following shows a sequence of audit records and the profiles that a template with these
matching and replacement patterns will generate:

6. New User and Objects

• The first is generating an excessive number of anomaly records.
• 발생 원인 : the lack of profile information about the user's behavior as well as by the user's own inexperience with the system,
• 해 결 방법 : ignoring anomalies for new users were it not for the second problem: failing to detect an intrusion by the new user. (<-문장 이상함)
  

• False alarms can be controlled...
• by an appropriate choice of statistical model for the activities causing the alarms
• by an appropriate choice of profiles.
• 예) With the mean and standard deviation model the confidence intervals are initially large so that more diversity is tolerated while data are being collected about a User's behavior;the intervals then shrink as the number of observations increases.
• This reduces false alarms caused by an individual user profile, but does not protect the system against new users (or infrequent users) whose behavior is devious, or against users who establish unusual behavior from the beginning, as a cover.
  
• To deal with this problem, current activity can be compared to that in aggregate individual profiles or with the set of profiles for all users or all users in some group.
• Although the operational model does not automatically adapt to an individual user (because it uses fixed thresholds to determine abnormality), the problem can be solved by using more lenient bounds with new users, and by adjusting the bounds as the user gains experience.

7. Possible Profiles

• login and session activity,
  
• command and program usage,
  
• file accesses.
  

7.1 Login and Session Activity

• LoginFrequency
• LocationFrequency
• LastLogin
• Interval timer measuring time since last login using the operational model.
• This type of profile could be defined for individual users but location classes,
  since the exact location seems less relevant than the lapse of time.
• It would be particularly useful for detecting a break-in on a "dead" account.
• SessionElapsedTime
• SessionOutput
• SessionCPU; SessionlO, SessionPages, etc.
• PasswordFails
• LocationFails

• Event: indicates the event giving rise to the abnormality
• either "audit," meaning the data in an audit record was found abnormal,
• or "period," meaning the data accumulated over' the current interval was found abnormal.
  
• Time-stamp:
  
• either the time-stamp in the audit record
  
• or interval stop time
• Profile: activity profile with respect to which the abnormality was detected
  
• (rather than including the complete profile, IDES might include a "key" field, which identifies the profile in the database, and the current state of the Value field).