Definition
Intrusion Detection
Intrusion detection is the monitoring of system events to identify and respond to malicious activities or security policy violations.
Techniques
Threshold Detection
Identifying events that exceed a defined frequency (e.g., too many failed login attempts).
Profile-based Detection
Comparing current user activity against a “typical” behavioural profile.
Anomaly Detection
Using rules to detect deviations from expected system behaviour.
Audit Records
Audit Log Structure
The OS maintains audit records containing:
Field: Description
Subject: Who performed the action
Action: What was done
Object: Which resource was accessed
Exception Conditions: Whether the action succeeded or failed
Resource Usage: CPU time, memory used
Timestamp: When the event occurred
Reference Monitor
Reference Monitor
A kernel component mediating all access to objects. It maintains an access rights database and logs events for the security audit.