
ICSA, Inc. For more information, call 888-396-8348. An Introduction to Intrusion Detection and Assessment, page 37

... or undesired activity. Common data sources include (but are not limited to) raw network packets, operating system audit logs, application audit logs, and system-generated checksum data.

EVENT - A notification from an analyzer to the security administrator that a signature has triggered. An event typically contains information about the activity that triggered the signature, as well as the specifics of the occurrence.

FILE ASSESSMENT - A technology in which message digest hashing algorithms are used to render files and directories tamper-evident.

INCIDENT HANDLING - The part of the Security Management Process concerning the investigation and resolution of security incidents that occur and are detected. Also known as INCIDENT RESPONSE.

INTRUSION DETECTION - The technology concerned with monitoring computer systems in order to recognize signs of intrusions or policy violations.

MANAGER - The ID component from which the security administrator manages the various components of the ID system. Management functions typically include (but are not limited to) sensor configuration, analyzer configuration, event notification management, data consolidation, and reporting.

MESSAGE DIGEST ALGORITHMS - Specialized cryptographic algorithms that are used to render files tamper-evident. The nature of message digest algorithms dictates that if an input data file is changed in any way, the checksum calculated from that data file will change. Furthermore, a small change in the input data file will result in a large difference in the result.

RESPONSE - The actions that an analyzer takes when a signature is triggered. Sending an event notification to the security administrator is a very common response. Other responses include (but are not limited to) logging the activity, recording the raw data (from the data source) that caused the signature to trigger, terminating a network, user, or application session, or altering network or system access controls.

SCANNING - The technology concerned with scanning computer systems and networks in order to find security vulnerabilities. Also known as VULNERABILITY ASSESSMENT.

SECURITY ADMINISTRATOR - The human with responsibility for the successful deployment and operation of the intrusion detection system. This person may ultimately be charged with responsibility for the defense of the network. In some organizations, the security administrator is associated with the network or systems administration groups. In other organizations, it is an independent position.

SENSOR - The ID component that periodically collects data from the data source. Also known as AGENT.*

SIGNATURE - A rule used by the analyzer to identify interesting activity to the security administrator. Signatures are the mechanism by which ID systems detect intrusions.

SYSTEM LOG - The log of system events and activities, generated by a system process. The system log is typically at a greater degree of abstraction than the operating system audit log.

VULNERABILITY ASSESSMENT - The technology concerned with scanning computer systems and networks in order to find security vulnerabilities. Also known as SCANNING.

* In many existing ID systems, the sensor and the analyzer are part of the same component.
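The FILE ASSESSMENT and MESSAGE DIGEST ALGORITHMS entries describe how hashing renders files tamper-evident. The Python below is an added example, not code from the ICSA document: it records a digest baseline of a constructed directory tree, re-assesses the tree after one file is edited, one removed and one added, and counts how many digest bits a single-character edit flips. The function names (baseline, assess, demo) and the sample file contents are assumptions made for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def digest_file(path, algorithm="sha256"):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root, algorithm="sha256"):
    """Record a digest for every regular file under root: the known-good state."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): digest_file(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}

def assess(root, known, algorithm="sha256"):
    """Compare the tree against the baseline; any digest mismatch is tamper evidence."""
    current = baseline(root, algorithm)
    return {
        "modified": sorted(k for k in known if k in current and current[k] != known[k]),
        "added": sorted(set(current) - set(known)),
        "removed": sorted(set(known) - set(current)),
    }

def differing_bits(hex_a, hex_b):
    """Bits that differ between two hex digests ('small change, large difference')."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def demo():
    """Constructed scenario: baseline a temporary tree, then modify, remove and add files."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        known = baseline(root)
        # One-character edit: the SHA-256 digests should differ in roughly half of 256 bits.
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sH\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "shadow").write_bytes(b"root:*:0:0:99999:7:::\n")
        result = assess(root, known)
        result["bits_changed"] = differing_bits(
            known["etc/passwd"], digest_file(root / "etc" / "passwd"))
        return result

if __name__ == "__main__":
    print(demo())
```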