Translation of "An Intrusion-Detection Model"


An Intrusion-Detection Model

DOROTHY E. DENNING


Abstract: A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described. The model is based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage. The model includes profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistical models, and rules for acquiring knowledge about this behavior from audit records and for detecting anomalous behavior. The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion-detection expert system.

Index Terms: Abnormal behavior, auditing, intrusions, monitoring, profiles, security, statistical measures.


I. INTRODUCTION


This paper describes a model for a real-time intrusion-detection expert system that aims to detect a wide range of security violations ranging from attempted break-ins by outsiders to system penetrations and abuses by insiders. The development of a real-time intrusion-detection system is motivated by four factors:

1) most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse; finding and fixing all these deficiencies is not feasible for technical and economic reasons; 2) existing systems with known flaws are not easily replaced by systems that are more secure, mainly because the systems have attractive features that are missing in the more-secure systems, or else they cannot be replaced for economic reasons; 3) developing systems that are absolutely secure is extremely difficult, if not generally impossible; and 4) even the most secure systems are vulnerable to abuses by insiders who misuse their privileges.


The model is based on the hypothesis that exploitation of a system’s vulnerabilities involves abnormal use of the system; therefore, security violations could be detected from abnormal patterns of system usage. The following examples illustrate:


· Attempted break-in: Someone attempting to break into a system might generate an abnormally high rate of password failures with respect to a single account or the system as a whole.


· Masquerading or successful break-in: Someone logging into a system through an unauthorized account and password might have a different login time, location, or connection type from that of the account's legitimate user. In addition, the penetrator's behavior may differ considerably from that of the legitimate user; in particular, he might spend most of his time browsing through directories and executing system status commands, whereas the legitimate user might concentrate on editing or compiling and linking programs. Many break-ins have been discovered by security officers or other users on the system who have noticed the alleged user behaving strangely.


· Penetration by legitimate user: A user attempting to penetrate the security mechanisms in the operating system might execute different programs or trigger more protection violations from attempts to access unauthorized files or programs. If his attempt succeeds, he will have access to commands and files not normally permitted to him.


· Leakage by legitimate user: A user trying to leak sensitive documents might log into the system at unusual times or route data to remote printers not normally used.


· Inference by legitimate user: A user attempting to obtain unauthorized data from a database through aggregation and inference might retrieve more records than usual.


· Trojan horse: The behavior of a Trojan horse planted in or substituted for a program may differ from the legitimate program in terms of its CPU time or I/O activity.


· Virus: A virus planted in a system might cause an increase in the frequency of executable files rewritten, storage used by executable files, or a particular program being executed as the virus spreads.


· Denial-of-Service: An intruder able to monopolize a resource (e.g., network) might have abnormally high activity with respect to the resource, while activity for all other users is abnormally low.

Of course, the above forms of aberrant usage can also be linked with actions unrelated to security. They could be a sign of a user changing work tasks, acquiring new skills, or making typing mistakes; software updates; or changing workload on the system. An important objective of our current research is to determine what activities and statistical measures provide the best discriminating power; that is, have a high rate of detection and a low rate of false alarms.


II. OVERVIEW OF MODEL


The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion-detection expert system, which we have called IDES. A more detailed description of the design and application of IDES is given in our final report [1].


The model has six main components:


* Subjects: Initiators of activity on a target system, normally users.


* Objects: Resources managed by’ the system-files,commands, devices, etc.


* Audit records: Generated by the target system in response to actions performed or attempted by subjects on objects (user login, command execution, file access, etc.).


* Profiles: Structures that characterize the behavior of subjects with respect to objects in terms of statistical metrics and models of observed activity. Profiles are automatically generated and initialized from templates.


* Anomaly records: Generated when abnormal behavior is detected.


* Activity rules: Actions taken when some condition is satisfied, which update profiles, detect abnormal behavior, relate anomalies to suspected intrusions, and produce reports.


The model can be regarded as a rule-based pattern matching system. When an audit record is generated, it is matched against the profiles. Type information in the matching profiles then determines what rules to apply to update the profiles, check for abnormal behavior, and report anomalies detected. The security officer assists in establishing profile templates for the activities to monitor, but the rules and profile structures are largely system-independent.
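As an added illustration of the six components and the matching loop just described, and of the "attempted break-in" and "masquerading" examples in Section I, the following Python is example code written for this page; it is not code from the paper or from the IDES project. It assumes a hypothetical account ("alice"), a "login-service" object, a 10-minute counting window, a threshold of three standard deviations, working hours of 07:00 to 21:00 as the security officer's operational limits, and a constructed audit trail. Audit records are matched against a per-subject profile, two activity rules update the profile or flag abnormal behavior, and anomaly records are produced.

```python
"""IDES-style anomaly detection over a constructed audit trail.
Example code written for this page, not Denning's or the IDES project's code.
Account names, the "login-service" object, the 10-minute window, the 3-sigma
threshold, the 07:00-21:00 working hours and the records are all assumptions."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class AuditRecord:
    subject: str    # initiator of the action (an account)
    action: str     # e.g. "login"
    obj: str        # resource acted on, e.g. "login-service"
    exception: str  # "" on success, otherwise the failure condition
    timestamp: int  # seconds since a constructed epoch (day 0, 00:00)

@dataclass(frozen=True)
class AnomalyRecord:
    subject: str
    rule: str
    observed: float
    detail: str

class MeanStddevProfile:
    """Denning's mean-and-standard-deviation measure, as a running (Welford) mean/variance."""
    def __init__(self) -> None:
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def is_abnormal(self, x: float, k: float = 3.0, min_obs: int = 5) -> bool:
        # Withhold judgement until enough windows are seen, and floor the spread at
        # 1.0 so a flat history of zeros cannot make one mistyped password an alarm.
        if self.n < min_obs:
            return False
        return abs(x - self.mean) > k * max(self.stddev(), 1.0)

class Detector:
    WINDOW = 600               # seconds per counting window (assumption)
    WORK_HOURS = range(7, 21)  # operational-model limits a security officer sets (assumption)

    def __init__(self) -> None:
        self.failure_profiles: dict[str, MeanStddevProfile] = defaultdict(MeanStddevProfile)

    def run(self, records: list[AuditRecord]) -> list[AnomalyRecord]:
        anomalies: list[AnomalyRecord] = []
        records = sorted(records, key=lambda r: r.timestamp)
        if not records:
            return anomalies
        # Rule 1 (operational model; masquerading): successful login outside fixed hours.
        for r in records:
            if r.action == "login" and r.exception == "":
                hour = (r.timestamp // 3600) % 24
                if hour not in self.WORK_HOURS:
                    anomalies.append(AnomalyRecord(r.subject, "off-hours-login", hour,
                        f"login at {hour:02d}:00, outside {self.WORK_HOURS.start:02d}-{self.WORK_HOURS.stop:02d}"))
        # Rule 2 (mean/stddev model; attempted break-in): failures per account per window.
        counts: dict[tuple, int] = defaultdict(int)
        for r in records:
            if r.action == "login" and r.exception == "bad-password":
                counts[(r.timestamp // self.WINDOW, r.subject)] += 1
        subjects = sorted({r.subject for r in records})
        first, last = records[0].timestamp // self.WINDOW, records[-1].timestamp // self.WINDOW
        for w in range(first, last + 1):
            for s in subjects:
                x = counts.get((w, s), 0)  # quiet windows count too, as zeros
                prof = self.failure_profiles[s]
                if prof.is_abnormal(x):
                    anomalies.append(AnomalyRecord(s, "password-failure-rate", x,
                        f"{x} failures in window {w} vs mean {prof.mean:.2f}, sd {prof.stddev():.2f}"))
                else:
                    prof.update(x)  # only windows judged normal train the profile
        return anomalies

def sample_audit_trail() -> list[AuditRecord]:
    """Constructed: alice logs in each window from 09:00, mistypes her password in
    three of eight windows, then 12 failures land in one window, then a 03:00 login."""
    base, recs = 9 * 3600, []
    for w in range(8):
        t = base + w * Detector.WINDOW
        recs.append(AuditRecord("alice", "login", "login-service", "", t))
        if w % 3 == 0:
            recs.append(AuditRecord("alice", "login", "login-service", "bad-password", t + 30))
    burst = base + 8 * Detector.WINDOW
    recs += [AuditRecord("alice", "login", "login-service", "bad-password", burst + 5 * i) for i in range(12)]
    recs.append(AuditRecord("alice", "login", "login-service", "", 24 * 3600 + 3 * 3600))
    return recs

if __name__ == "__main__":
    for a in Detector().run(sample_audit_trail()):
        print(f"{a.subject:8} {a.rule:22} {a.detail}")
```

Run as a script, it reports two anomaly records for alice: the 03:00 login under the operational rule and the window with 12 password failures under the mean/stddev rule, while the occasional single mistyped password stays below the threshold. Two design choices deserve attention: the floor on the standard deviation stops a profile trained on an all-zero history from alarming on the first failure, and a window judged abnormal does not update the profile, so an attacker cannot gradually raise the baseline by increasing the failure rate a little at a time. The cost of the latter is that a genuine change in a user's behavior remains anomalous until the security officer adjusts the template, which is the false-alarm trade-off the paper raises.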
