An Intrusion-Detection Model

DOROTHY E. DENNING

Abstract-A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described. The model is based on the hypothesis that security violations can be detected by monitoring a system’s audit records for abnormal patterns of system usage. The model includes profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistical models, and rules for acquiring knowledge about this behavior from audit records and for detecting anomalous behavior. The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion-detection expert system.

Index Terms-Abnormal behavior, auditing, intrusions, monitoring, profiles, security, statistical measures.

I. INTRODUCTION

This paper describes a model for a real-time intrusion-detection expert system that aims to detect a wide range of security violations ranging from attempted break-ins by outsiders to system penetrations and abuses by insiders. The development of a real-time intrusion-detection system is motivated by four factors:

1) most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse; finding and fixing all these deficiencies is not feasible for technical and economic reasons; 2) existing systems with known flaws are not easily replaced by systems that are more secure, mainly because the systems have attractive features that are missing in the more-secure systems, or else they cannot be replaced for economic reasons; 3) developing systems that are absolutely secure is extremely difficult, if not generally impossible; and 4) even the most secure systems are vulnerable to abuses by insiders who misuse their privileges.

The model is based on the hypothesis that exploitation of a system’s vulnerabilities involves abnormal use of the system; therefore, security violations could be detected from abnormal patterns of system usage. The following examples illustrate:

· Attempted break-in: Someone attempting to break into a system might generate an abnormally high rate of password failures with respect to a single account or the system as a whole.

· Masquerading or successful break-in: Someone logging into a system through an unauthorized account and password might have a different login time, location, or connection type from that of the account’s legitimate user. In addition, the penetrator’s behavior may differ considerably from that of the legitimate user; in particular, he might spend most of his time browsing through directories and executing system status commands, whereas the legitimate user might concentrate on editing or compiling and linking programs. Many break-ins have been discovered by security officers or other users on the system who have noticed the alleged user behaving strangely.

· Penetration by legitimate user: A user attempting to penetrate the security mechanisms in the operating system might execute different programs or trigger more protection violations from attempts to access unauthorized files or programs. If his attempt succeeds, he will have access to commands and files not normally permitted to him.

· Leakage by legitimate user: A user trying to leak sensitive documents might log into the system at unusual times or route data to remote printers not normally used.

· Inference by legitimate user: A user attempting to obtain unauthorized data from a database through aggregation and inference might retrieve more records than usual.

· Trojan horse: The behavior of a Trojan horse planted in or substituted for a program may differ from the legitimate program in terms of its CPU time or I/O activity.

· Virus: A virus planted in a system might cause an increase in the frequency of executable files rewritten, storage used by executable files, or a particular program being executed as the virus spreads.

· Denial-of-Service: An intruder able to monopolize a resource (e.g., network) might have abnormally high activity with respect to the resource, while activity for all other users is abnormally low.

Of course, the above forms of aberrant usage can also be linked with actions unrelated to security. They could be a sign of a user changing work tasks, acquiring new skills, or making typing mistakes; software updates; or changing workload on the system. An important objective of our current research is to determine what activities and statistical measures provide the best discriminating power; that is, have a high rate of detection and a low rate of false alarms.

II. OVERVIEW OF MODEL

The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion-detection expert system, which we have called IDES. A more detailed description of the design and application of IDES is given in our final report [1].

The model has six main components:

* Subjects: Initiators of activity on a target system, normally users.

* Objects: Resources managed by the system: files, commands, devices, etc.

* Audit records: Generated by the target system in response to actions performed or attempted by subjects on objects-user login, command execution, file access, etc.

* Profiles: Structures that characterize the behavior of subjects with respect to objects in terms of statistical metrics and models of observed activity. Profiles are automatically generated and initialized from templates.

* Anomaly records: Generated when abnormal behavior is detected.

* Activity rules: Actions taken when some condition is satisfied, which update profiles, detect abnormal behavior, relate anomalies to suspected intrusions, and produce reports.

The model can be regarded as a rule-based pattern matching system. When an audit record is generated, it is matched against the profiles. Type information in the matching profiles then determines what rules to apply to update the profiles, check for abnormal behavior, and report anomalies detected. The security officer assists in establishing profile templates for the activities to monitor, but the rules and profile structures are largely system-independent.

The basic idea is to monitor the standard operations on a target system: logins, command and program executions, file and device accesses, etc., looking only for deviations in usage. The model does not contain any special features for dealing with complex actions that exploit a known or suspected security flaw in the target system; indeed, it has no knowledge of the target system’s security mechanisms or its deficiencies. Although a flaw-based detection mechanism may have some value, it would be considerably more complex and would be unable to cope with intrusions that exploit deficiencies that are not suspected or with personnel-related vulnerabilities. By detecting the intrusion, however, the security officer may be better able to locate vulnerabilities.

The remainder of this paper describes the components of the model in more detail.

III. SUBJECTS AND OBJECTS

Subjects are the initiators of actions in the target system. A subject is typically a terminal user, but might also be a process acting on behalf of users or groups of users, or might be the system itself. All activity arises through commands initiated by subjects. Subjects may be grouped into different classes (e.g., user groups) for the purpose of controlling access to objects in the system. User groups may overlap.

Objects are the receptors of actions and typically include such entities as files, programs, messages, records, terminals, printers, and user- or program-created structures. When subjects can be recipients of actions (e.g., electronic mail), then those subjects are also considered to be objects in the model. Objects are grouped into classes by type (program, text file, etc.). Additional structure may also be imposed, e.g., records may be grouped into files or database relations; files may be grouped into directories. Different environments may require different object granularity; e.g., for some database applications, granularity at the record level may be desired, whereas for most applications, granularity at the file or directory level may suffice.

IV. AUDIT RECORDS

Audit Records are 6-tuples representing actions performed by subjects on objects:

<Subject, Action, Object, Exception-Condition, Resource-Usage, Time-stamp>

where

* Action: Operation performed by the subject on or with the object, e.g., login, logout, read, execute.

* Exception-Condition: Denotes which, if any, exception condition is raised on the return. This should be the actual exception condition raised by the system, not just the apparent exception condition returned to the subject.

* Resource-Usage: List of quantitative elements, where each element gives the amount used of some resource, e.g., number of lines or pages printed, number of records read or written, CPU time or I/O units used, session elapsed time.

* Time-stamp: Unique time/date stamp identifying when the action took place.

We assume that each field is self-identifying, either implicitly or explicitly, e.g., the action field either implies the type of the expected object field or else the object field itself specifies its type. If audit records are collected for multiple systems, then an additional field is needed for a system identifier.

Since each audit record specifies a subject and object, it is conceptually associated with some cell in an “audit matrix” whose rows correspond to subjects and columns to objects. The audit matrix is analogous to the “access matrix” protection model, which specifies the rights of subjects to access objects; that is, the actions that each subject is authorized to perform on each object. Our intrusion-detection model differs from the access-matrix model by substituting the concept of “action performed” (as evidenced by an audit record associated with a cell in the matrix) for “action authorized” (as specified by an access right in the matrix cell). Indeed, since activity is observed without regard for authorization, there is an implicit assumption that the access controls in the system permitted an action to occur. The task of intrusion detection is to determine whether activity is unusual enough to suspect an intrusion. Every statistical measure used for this purpose is computed from audit records associated with one or more cells in the matrix.

Most operations on a system involve multiple objects. For example, file copying involves the copy program, the original file, and the copy. Compiling involves the compiler, a source program file, an object program file, and possibly intermediate files and additional source files referenced through “include” statements. Sending an electronic mail message involves the mail program, possibly multiple destinations in the “To” and “cc” fields, and possibly “include” files.

Our model decomposes all activity into single-object actions so that each audit record references only one object. File copying, for example, is decomposed into an execute operation on the copy command, a read operation on the source file, and a write operation on the destination file. The following illustrates the audit records generated in response to a command COPY GAME.EXE TO <Library>GAME.EXE issued by user Smith to copy an executable GAME file into the directory <Library>; the copy is aborted because Smith does not have write permission to <Library>:

(Smith, execute, COPY.EXE, 0, CPU=00002, 11058521678)

(Smith, read, GAME.EXE, 0, RECORDS=0, 11058521679)

(Smith, write, <Library>GAME.EXE, write-viol, RECORDS=0, 11058521680)

Decomposing complex actions has three advantages. First, since objects are the protectable entities of a system, the decomposition is consistent with the protection mechanisms of systems. Thus, IDES can potentially discover both attempted subversions of the access controls (by noting an abnormality in the number of exception conditions returned) and successful subversions (by noting an abnormality in the set of objects accessible to the subject). Second, single-object audit records greatly simplify the model and its application. Third, the audit records produced by existing systems generally contain a single object, although some systems provide a way of linking together the audit records associated with a “job step” (e.g., copy or compile) so that all files accessed during execution of a program can be identified.

The target system is responsible for auditing and for transmitting audit records to the intrusion-detection system for analysis (it may also keep an independent audit trail). The time at which audit records are generated determines what type of data is available. If the audit record for some action is generated at the time an action is requested, it is possible to measure both successful and unsuccessful attempts to perform the activity, even if the action should abort (e.g., because of a protection violation) or cause a system crash. If it is generated when the action completes, it is possible to measure the resources consumed by the action and exception conditions that may cause the action to terminate abnormally (e.g., because of resource overflow). Thus, auditing an activity after it completes has the advantage of providing more information, but the disadvantage of not allowing immediate detection of abnormalities, especially those related to break-ins and system crashes. Thus, activities such as login, execution of high risk commands (e.g., to acquire special “superuser” privileges), or access to sensitive data should be audited when they are attempted so that penetrations can be detected immediately; if resource-usage data are also desired, additional auditing can be performed on completion as well. For example, access to a database containing highly sensitive data may be monitored when the access is attempted and then again when it completes to report the number of records retrieved or updated. Most existing audit systems monitor session activity at both initiation (login), when the time and location of login are recorded, and termination (logout), when the resources consumed during the session are recorded. They do not, however, monitor both the start and finish of command and program execution or file accesses. IBM’s System Management Facilities (SMF) [2], for example, audit only the completion of these activities.

Although the auditing mechanisms of existing systems approximate the model, they are typically deficient in terms of the activities monitored and record structures generated. For example, Berkeley 4.2 UNIX monitors command usage but not file accesses or file protection violations. Some systems do not record all login failures. Programs, including system programs, invoked below the command level are not explicitly monitored (their activity is included in that for the main program). The level at which auditing should take place, however, is unclear, since too much auditing could severely degrade performance on the target system or overload the intrusion-detection system.

Deficiencies in the record structures are also present. Most SMF audit records, for example, do not contain a subject field; the subject must be reconstructed by linking together the records associated with a given job. Protection violations are sometimes provided through separate record formats rather than as an exception condition in a common record; VM password failures at login, for example, are handled this way (there are separate records for successful logins and password failures).

Another problem with existing audit records is that they contain little or no descriptive information to identify the values contained therein. Every record type has its own structure, and the exact format of each record type must be known to interpret the values. A uniform record format with self-identifying data would be preferable so that the intrusion-detection software can be system-independent. This could be achieved either by modifying the software that produces the audit records in the target system, or by writing a filter that translates the records into a standard format.

V. PROFILES

An activity profile characterizes the behavior of a given subject (or set of subjects) with respect to a given object (or set thereof), thereby serving as a signature or description of normal activity for its respective subject(s) and object(s). Observed behavior is characterized in terms of a statistical metric and model. A metric is a random variable x representing a quantitative measure accumulated over a period. The period may be a fixed interval of time (minute, hour, day, week, etc.), or the time between two audit-related events (i.e., between login and logout, program initiation and program termination, file open and file close, etc.). Observations (sample points) xi of x obtained from the audit records are used together with a statistical model to determine whether a new observation is abnormal. The statistical model makes no assumptions about the underlying distribution of x; all knowledge about x is obtained from observations. Before describing the structure, generation, and application of profiles, we shall first discuss statistical metrics and models.

A. Metrics

We define three types of metrics:

* Event Counter: x is the number of audit records satisfying some property occurring during a period (each audit record corresponds to an event). Examples are number of logins during an hour, number of times some command is executed during a login session, and number of password failures during a minute.

* Interval Timer: x is the length of time between two related events; i.e., the difference between the timestamps in the respective audit records. An example is the length of time between successive logins into an account.

* Resource Measure: x is the quantity of resources consumed by some action during a period as specified in the Resource-Usage field of the audit records. Examples are the total number of pages printed by a user per day and total amount of CPU time consumed by some program during a single execution. Note that a resource measure in our intrusion-detection model is implemented as an event counter or interval timer on the target system.

For example, the number of pages printed during a login session is implemented on the target system as an event counter that counts the number of print events between login and logout; CPU time consumed by a program as an interval timer that runs between program initiation and termination. Thus, whereas event counters and interval timers measure events at the audit-record level, resource measures acquire data from events on the target system that occur at a level below the audit records. The Resource-Usage field of audit records thereby provides a means of data reduction so that fewer events need be explicitly recorded in audit records.

B. Statistical Models

Given a metric for a random variable x and n observations x1, … , xn, the purpose of a statistical model of x is to determine whether a new observation xn+1 is abnormal with respect to the previous observations. The following models may be included in IDES:

1) Operational Model: This model is based on the operational assumption that abnormality can be decided by comparing a new observation of x against fixed limits. Although the previous sample points for x are not used, presumably the limits are determined from prior observations of the same type of variable. The operational model is most applicable to metrics where experience has shown that certain values are frequently linked with intrusions. An example is an event counter for the number of password failures during a brief period, where more than 10, say, suggests an attempted break-in.

2)Mean and Standard Deviation Model: This model is based on the assumption that all we know about x1,…,xn are mean and standard deviation as determined from its first two moments:

A new observation xn+1 is defined to be abnormal if it falls outside a confidence interval that is d standard deviations from the mean for some parameter d:

mean ± d × stdev

By Chebyshev’s inequality, the probability of a value falling outside this interval is at most 1/d^2; for d = 4, for example, it is at most 0.0625. Note that 0 (or null) occurrences should be included so as not to bias the data.

This model is applicable to event counters, interval timers, and resource measures accumulated over a fixed time interval or between two related events. It has two advantages over an operational model. First, it requires no prior knowledge about normal activity in order to set limits; instead, it learns what constitutes normal activity from its observations, and the confidence intervals automatically reflect this increased knowledge. Second, because the confidence intervals depend on observed data, what is considered to be normal for one user can be considerably different from another.

A slight variation on the mean and standard deviation model is to weight the computations, with greater weights placed on more recent values.

3) Multivariate Model: This model is similar to the mean and standard deviation model except that it is based on correlations among two or more metrics. This model would be useful if experimental data show that better discriminating power can be obtained from combinations of related measures rather than individually, e.g., CPU time and I/O units used by a program, login frequency, and session elapsed time (which may be inversely related).

4) Markov Process Model: This model, which applies only to event counters, regards each distinct type of event (audit record) as a state variable, and uses a state transition matrix to characterize the transition frequencies between states (rather than just the frequencies of the individual states, i.e., audit records, taken separately). A new observation is defined to be abnormal if its probability as determined by the previous state and the transition matrix is too low. This model might be useful for looking at transitions between certain commands where command sequences were important.
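The Markov process model described above, as an added example that is not code from the paper or from IDES: the transition matrix is estimated from an ordered sequence of command names, and a new sequence is tested transition by transition, flagging any whose probability given the previous state falls below a threshold. The command sequences, the threshold value, and the function names are this example's own assumptions.

```python
from collections import defaultdict


def learn_transitions(sequence):
    """Estimate a state-transition matrix from an ordered sequence of event
    types (here, command names).  matrix[prev][new] is the observed frequency
    with which state `new` follows state `prev`; transitions never observed are
    simply absent and so get probability 0."""
    counts = defaultdict(lambda: defaultdict(int))
    for prev, new in zip(sequence, sequence[1:]):
        counts[prev][new] += 1
    return {prev: {new: n / sum(nxt.values()) for new, n in nxt.items()}
            for prev, nxt in counts.items()}


def transition_probability(matrix, prev, new):
    """Probability of `new` given the previous state; 0 for anything unseen."""
    return matrix.get(prev, {}).get(new, 0.0)


def abnormal_transitions(matrix, sequence, threshold):
    """Apply the model's test to a new sequence: every transition whose
    probability given the previous state is below `threshold` is reported as
    (prev, new, probability)."""
    flagged = []
    for prev, new in zip(sequence, sequence[1:]):
        p = transition_probability(matrix, prev, new)
        if p < threshold:
            flagged.append((prev, new, p))
    return flagged


# Constructed training data (assumption): a user whose sessions follow an
# edit / compile / link / run cycle, as in the paper's legitimate-user example.
TRAINING_SESSION = ["login"] + ["edit", "compile", "link", "run"] * 5 + ["logout"]

# Constructed test data (assumption): the same account, but mid-session the
# commands turn to directory browsing and system-status commands never seen before.
TEST_SESSION = ["login", "edit", "compile", "ps", "ls", "ls"]

PROBABILITY_THRESHOLD = 0.1   # assumption: "too low" means below 10%

if __name__ == "__main__":
    matrix = learn_transitions(TRAINING_SESSION)
    for prev, new, p in abnormal_transitions(matrix, TEST_SESSION, PROBABILITY_THRESHOLD):
        print(f"abnormal transition {prev} -> {new} (p = {p:.2f})")
```

With this training data the only uncertain state is `run`, which is followed by `edit` four times out of five and by `logout` once; every transition in the test session up to `compile` is one the profile has seen, while `compile -> ps`, `ps -> ls` and `ls -> ls` have probability 0 and are reported. Unseen transitions get probability 0 rather than a smoothed estimate, which is what makes the model sensitive to new command vocabulary; a deployment would want a warm-up period before trusting the matrix.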

5) Time Series Model: This model, which uses an interval timer together with an event counter or resource measure, takes into account the order and interarrival times of the observations x1, …, xn, as well as their values. A new observation is abnormal if its probability of occurring at that time is too low. A time series has the advantage of measuring trends of behavior over time and detecting gradual but significant shifts in behavior, but the disadvantage of being more costly than mean and standard deviation.

Other statistical models can be considered, for example, models that use more than the first two moments but less than the full set of values.

C. Profile Structure

An activity profile contains information that identifies the statistical model and metric of a random variable, as well as the set of audit events measured by the variable. The structure of a profile contains 10 components, the first 7 of which are independent of the specific subjects and objects measured:

<Variable-Name, Action-Pattern, Exception-Pattern, Resource-Usage-Pattern, Period, Variable-Type, Threshold, Subject-Pattern, Object-Pattern, Value>

Subject- and Object-Independent Components:

* Variable-Name: Name of variable.

* Action-Pattern: Pattern that matches zero or more actions in the audit records, e.g., “login,” “read,” “execute.”

* Exception-Pattern: Pattern that matches on the Exception-Condition field of an audit record.

* Resource-Usage-Pattern: Pattern that matches on the Resource-Usage field of an audit record.

* Period: Time interval for measurement, e.g., day, hour, minute (expressed in terms of clock units). This component is null if there is no fixed time interval; i.e., the period is the duration of the activity.

* Variable-Type: Name of abstract data type that defines a particular type of metric and statistical model, e.g., event counter with mean and standard deviation model.

* Threshold: Parameter(s) defining limit(s) used in statistical test to determine abnormality. This field and its interpretation is determined by the statistical model (Variable-Type). For the operational model, it is an upper (and possibly lower) bound on the value of an observation; for the mean and standard deviation model, it is the number of standard deviations from the mean.

Subject- and Object-Dependent Components:

* Subject-Pattern: Pattern that matches on the Subject field of audit records.

* Object-Pattern: Pattern that matches on the Object field of audit records.

* Value: Value of current (most recent) observation and parameters used by the statistical model to represent distribution of previous values. For the mean and standard deviation model, these parameters are count, sum, and sum-of-squares (first two moments). The operational model requires no parameters.

A profile is uniquely identified by Variable-Name, Subject-Pattern, and Object-Pattern. All components of a profile are invariant except for Value.

Although the model leaves unspecified the exact format for patterns, we have identified the following SNOBOL-like constructs as being useful:

Examples of patterns are:

The following is a sample profile for measuring the quantity of output to user Smith’s terminal on a session basis. The variable type ResourceByActivity denotes a resource measure using the mean and standard deviation model.

Variable-Name: SessionOutput
Action-Pattern: ‘logout’
Exception-Pattern: 0
Resource-Usage-Pattern: ‘SessionOutput=’ # → Amount
Period:
Variable-Type: ResourceByActivity
Threshold: 4
Subject-Pattern: ‘Smith’
Object-Pattern: *
Value: record of …

Whenever the intrusion-detection system receives an audit record that matches a variable’s patterns, it updates the variable’s distribution and checks for abnormality. The distribution of values for a variable is thus derived, i.e., learned, as audit records matching the profile patterns are processed.
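The update-and-check step just described, as an added Python example that is not part of Denning’s paper: a profile in the spirit of the SessionOutput sample above, with the mean and standard deviation model kept as count, sum and sum-of-squares, and regular expressions standing in for the SNOBOL-like patterns (an assumption); the audit records are constructed.

```python
import math
import re

# Constructed audit records (subject, action, object, exception, resource-usage);
# the values are invented for this example.
AUDIT = [
    ("Smith", "logout", "TTY1", 0, "SessionOutput=1200"),
    ("Smith", "logout", "TTY1", 0, "SessionOutput=1350"),
    ("Smith", "logout", "TTY2", 0, "SessionOutput=1100"),
    ("Jones", "logout", "TTY3", 0, "SessionOutput=90000"),  # other subject: no match
    ("Smith", "logout", "TTY1", 0, "SessionOutput=1300"),
    ("Smith", "logout", "TTY1", 0, "SessionOutput=48000"),  # far outside Smith's norm
]

class Profile:
    """Activity profile using the mean and standard deviation model; regexes
    stand in for the paper's SNOBOL-like patterns (an assumption)."""
    def __init__(self, name, action, exception, usage, threshold, subject, obj):
        self.name, self.exception, self.threshold = name, exception, threshold
        self.action, self.subject, self.obj = map(re.compile, (action, subject, obj))
        self.usage = re.compile(usage)   # group 1 plays the role of '# -> Amount'
        # Value component: last observation plus count, sum, sum-of-squares
        self.last, self.n, self.sum, self.sumsq = None, 0, 0.0, 0.0

    def matches(self, rec):
        subj, act, obj, exc, usage = rec
        return bool(self.subject.fullmatch(subj) and self.action.fullmatch(act)
                    and self.obj.fullmatch(obj) and exc == self.exception
                    and self.usage.fullmatch(usage))

    def stats(self):
        """Mean and standard deviation of the values seen so far (None if < 2)."""
        if self.n < 2:
            return None, None
        mean = self.sum / self.n
        return mean, math.sqrt(max(self.sumsq / self.n - mean * mean, 0.0))

    def observe(self, rec):
        """Test the new amount against the distribution learned so far, then
        fold it into the distribution. Returns True if abnormal."""
        amount = float(self.usage.fullmatch(rec[4]).group(1))
        mean, sd = self.stats()
        abnormal = mean is not None and sd > 0 and abs(amount - mean) > self.threshold * sd
        self.last = amount
        self.n, self.sum, self.sumsq = self.n + 1, self.sum + amount, self.sumsq + amount ** 2
        return abnormal

def run(records, profile):
    """Feed audit records through one profile; return the flagged usage fields."""
    return [r[4] for r in records if profile.matches(r) and profile.observe(r)]
```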

D. Profiles for Classes

Profiles can be defined for individual subject-object pairs (i.e., where the Subject and Object patterns match specific names, e.g., Subject “Smith” and Object “Foo”), or for aggregates of subjects and objects (i.e., where the Subject and Object patterns match sets of names) as shown in Fig. 1. For example, file-activity profiles could be created for pairs of individual users and files, for groups of users with respect to specific files, for individual users with respect to classes of files, or for groups of users with respect to file classes. The nodes in the lattice are interpreted as follows:

* Subject-Object: Actions performed by a single subject on a single object, e.g., user Smith and file Foo.

* Subject-Object Class: Actions performed by a single subject, aggregated over all objects in the class. The class of objects might be represented as a pattern match on a subfield of the Object field that specifies the object’s type (class), as a pattern match directly on the object’s name (e.g., the pattern “*.EXE” for all executable files), or as a pattern match that tests whether the object is in some list (e.g., “IN(hit-list)”).

* Subject Class-Object: Actions performed on a single object, aggregated over all subjects in the class, e.g., privileged users and directory file < Library >, nonprivileged users and directory file < Library >.

* Subject Class-Object Class: Actions aggregated over all subjects in the class and all objects in the class, e.g., privileged users and system files, nonprivileged users and system files.

* Subject: Actions performed by a single subject, aggregated over all objects, e.g., user session activity.

* Object: Actions performed on a single object, aggregated over all subjects, e.g., password file activity.

* Subject Class: Actions aggregated over all subjects in the class, e.g., privileged user activity, nonprivileged user activity.

* Object Class: Actions aggregated over all objects in the class, e.g., executable file activity.

* System: Actions aggregated over all subjects and objects.

The random variable represented by a profile for a class can aggregate activity for the class in two ways:

* Class-as-a-whole activity: The set of all subjects or objects in the class is treated as a single entity, and each observation of the random variable represents aggregate activity for the entity. An example is a profile for the class of all users representing the average number of logins into the system per day, where all users are treated as a single entity.

* Aggregate individual activity: The subjects or objects in the class are treated as distinct entities, and each observation of the random variable represents activity for some member of the class. An example is a profile for the class of all users characterizing the average number of logins by any one user per day. Thus, the profile represents a “typical” member of the class.

Whereas class-as-a-whole activity can be defined by an event counter, interval timer, or resource measure for the class, aggregate individual activity requires separate metrics for each member of the class. Thus, it is defined in terms of the lower-level profiles (in the sense of the lattice) for the individual class members. For example, average login frequency per day is defined as the average of the daily total frequencies in the individual user login profiles. A measure for a class-as-a-whole could also be defined in terms of lower-level profiles, but this is not necessary.
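The two ways of aggregating class activity, as an added Python example that is not from the paper: both observation series are derived from constructed per-user daily login totals (the lower-level individual profiles in the sense of the lattice) and tested with the mean and standard deviation model; the 2.5-standard-deviation threshold is an assumed parameter.

```python
import math

# Constructed daily login counts taken from individual user login profiles
# (user -> count per day over five days); the values are invented for this example.
DAILY_LOGINS = {
    "smith": [3, 2, 4, 3, 3],
    "jones": [1, 2, 1, 2, 1],
    "brown": [5, 4, 6, 5, 4],
    "lee":   [2, 3, 2, 2, 3],
}

def class_as_a_whole(daily):
    """One observation per day: total logins by the whole class of users,
    treated as a single entity."""
    days = len(next(iter(daily.values())))
    return [sum(counts[d] for counts in daily.values()) for d in range(days)]

def aggregate_individual(daily):
    """One observation per (user, day): each member's daily total, so the
    resulting distribution describes a 'typical' member of the class."""
    return [c for counts in daily.values() for c in counts]

def mean_sd(obs):
    n = len(obs)
    mean = sum(obs) / n
    return mean, math.sqrt(sum((x - mean) ** 2 for x in obs) / n)

def abnormal(x, obs, threshold):
    """Mean and standard deviation test: flag x if it lies more than
    `threshold` standard deviations from the mean of the observations."""
    mean, sd = mean_sd(obs)
    return abs(x - mean) > threshold * sd

def check_new_user(day_count, daily, threshold=2.5):
    """Is one new user's daily login count consistent with a typical member?"""
    return abnormal(day_count, aggregate_individual(daily), threshold)

def check_day_total(day_total, daily, threshold=2.5):
    """Is today's class-wide login total consistent with previous days?"""
    return abnormal(day_total, class_as_a_whole(daily), threshold)
```

Note that a single day's total of 13 logins is normal for the class as a whole, while a new user producing 12 logins in one day is flagged against the typical-member profile; the two aggregations answer different questions.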

The two methods of aggregation serve different purposes with respect to intrusion detection. Class-as-a-whole activity reveals whether some general pattern of behavior is normal with respect to a class. A variable that gives the frequency with which the class of executable program files are updated in the system per day, for example, might be useful for detecting the injection of a virus into the system (which causes executable files to be rewritten as the virus spreads). A frequency distribution of remote logins into the class of dial-up lines might be useful for detecting attempted break-ins.

Aggregate individual activity reveals whether the behavior of a given user (or object) is consistent with that of other users (or objects). This may be useful for detecting intrusions by new users who have deviant behavior from the start.
