Chapter 20 Detection Methods

accidental or malicious security incidents must be detected
accidents: limited in length & breadth; reported quickly, not covered up
malicious: disguised, broad-based (many systems), ongoing if not detected

Detection: monitor the system & detect anomalies or activities that indicate a break-in and report it.
signature analysis: compare log data with predefined attack signatures. Only known attack methods detectable.
static-state analysis: vulnerabitlity & configurution analyses
dynamic analysis: determine if an attack (suspicious activities) is underway

vulnerability profiles: list of known vulnerabilities; compared to system with scanner
system profiles: model of the processes, users, activities expected on a system compared to actual statistics.
network profiles: maount & type of traffic to estavlish normal work patterns. detect abnormalities.
user profiles: detect deviation fr standard behavior of user.
attack profiles: artifacts (fingerprints) left by (attempted) attack; in logs.
self-monitoring profiles: IDS monitors itself

Offline methods: analyze system while not operational
configuration & system scanning for vulnerabilities (eg. virus scan)

Online methods: evaluate state info from operation of the system