Definition
Intrusion Detection
Intrusion detection is the monitoring of system events to identify and respond to malicious activities or security policy violations.
Techniques
- Threshold Detection: Identifying events that exceed a certain frequency (e.g., too many failed login attempts).
- Profile-based Detection: Comparing current user activity against a “typical” behavioral profile.
- Anomaly Detection: Using a set of rules to detect deviations from expected system behavior.
Audit Records
To support detection, the OS maintains audit records (logs) containing:
- Subject: Who performed the action.
- Action: What was done.
- Object: Which resource was accessed.
- Exception Conditions: Whether the action succeeded or failed.
- Resource Usage: CPU time, memory used.
- Timestamp: When the event occurred.
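To tie the audit record fields to the first two techniques, here is an added example (not from the original notes) that runs threshold detection for failed logins and profile-based detection on resource usage over a small batch of constructed audit records; the record layout, the CPU figures and the profile values are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records in the order Subject, Action, Object, Exception
# condition, Resource usage (CPU ms), Timestamp. Sample data, not from a real host.
AUDIT_RECORDS = [
    ("alice", "login", "host1", "fail", 2, "2024-01-10T09:00:01"),
    ("alice", "login", "host1", "fail", 2, "2024-01-10T09:00:20"),
    ("alice", "login", "host1", "fail", 2, "2024-01-10T09:00:45"),
    ("alice", "login", "host1", "fail", 2, "2024-01-10T09:01:10"),
    ("bob", "login", "host1", "fail", 3, "2024-01-10T09:02:00"),
    ("bob", "login", "host1", "success", 4, "2024-01-10T09:02:30"),
    ("bob", "read", "/etc/shadow", "fail", 40, "2024-01-10T09:03:00"),
]

# Constructed "typical" behavioural profiles: historical mean CPU ms per action.
PROFILES = {"alice": 5.0, "bob": 5.0}

def threshold_alerts(records, limit=3, window=timedelta(minutes=5)):
    """Threshold detection: subjects with more than `limit` failed logins
    inside any span of length `window`. Returns {subject: peak count}."""
    failures = defaultdict(list)
    for subject, action, _obj, exc, _cpu, ts in records:
        if action == "login" and exc == "fail":
            failures[subject].append(datetime.fromisoformat(ts))
    alerts = {}
    for subject, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count > limit:
                alerts[subject] = max(alerts.get(subject, 0), count)
    return alerts

def profile_alerts(records, profiles, factor=3.0):
    """Profile-based detection: subjects whose mean CPU usage in this batch
    exceeds `factor` times their historical profile. Returns {subject: mean}."""
    usage = defaultdict(list)
    for subject, _act, _obj, _exc, cpu, _ts in records:
        usage[subject].append(cpu)
    alerts = {}
    for subject, samples in usage.items():
        mean = sum(samples) / len(samples)
        if subject in profiles and mean > factor * profiles[subject]:
            alerts[subject] = mean
    return alerts
```

With the sample data, alice trips the login threshold (four failures in about a minute) while bob's single expensive failed read pushes his mean CPU usage past three times his profile.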
Reference Monitor
The Reference Monitor is a kernel component that mediates all access to objects. It relies on an access rights database and is responsible for logging events for the security audit.