Application Intrusion Detection
Anita Jones
Robert Sielken
University of Virginia
Introduction
• Intrusion Detection
– determining whether or not some entity, the intruder, has attempted to gain, or has gained, unauthorized access to the system
• Intruder Types
– External
– Internal -- our greater concern
[Figure: Electronic Toll Collection (ETC) system hierarchy. Top: Toll Management Center. Middle: Toll Plaza, Toll Plaza, Toll Plaza, Other Devices. Bottom: five Toll Lanes.]
[Diagram headings: Threat Categories | Specific Intrusions | Methods | Relations]
• Annoyance (3 methods)
• Steal Electronic Money (10 methods)
• Steal Vehicle (4 methods)
• Device Failure (1 method)
• Surveillance (2 methods)
August 99 Application Intrusion Detection 17
ETC Intrusion - Steal Service
Steal Service methods: (a) No tag and cover plate; (b) Copy tag; (c) Packet filter that discards all a tag's packets
Rel #   Relation Description                 Execution Location   Methods detected (X per method; column alignment lost in extraction)
1       Tag vs. Historical (Time) (stat)     TBP/TMC              X
4       Tag vs. Historical (Sites) (stat)    TMC                  X
5       Tag vs. Time (rule)                  TMC                  X
9       Tag vs. Axles (rule)                 TBL                  X X X
25      Unreadable Tags (stat)               TBP/TMC              X
5 relations, 3 methods
Health Record Management (HRM)
• Components
– Patient Records
– Orders – lists of all requests for drugs, tests, or procedures
– Schedule – schedule for rooms for patient occupancy, laboratory tests, or surgical procedures (does not include personnel)
• Users
– doctors, laboratory technicians, and nurses
HRM - App’n Specific Intrusions
[Diagram headings: Threat Categories | Specific Intrusions | Methods | Relations]
• Annoyance (4 methods)
• Steal Drugs (1 method)
• Patient Harm (6 methods)
• Surveillance (2 methods)
HRM - Patient Harm Intrusion
Patient Harm methods: Admin. an Allergic Drug; Perform Needless Procedure; Admin. Too Much of Drug; Admin. Improper Drug; Order Needless Drugs; Admin. Wrong Diet
Rel #   Relation Description                                         Methods detected (X per method; column alignment lost in extraction)
2       Drug vs. Allergy (rule)                                      X X
5       Drug vs. Diet (rule)                                         X X
8       Drug vs. Historical (dosage) (stat)                          X X
24      Patient Test Results vs. Test Results (Historical) (stat)    X X X X
4 relations, 6 methods
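The relations in the ETC Steal Service table and the HRM Patient Harm table have two shapes: rule relations that cross-check one application event against a fixed constraint (Drug vs. Allergy, Drug vs. Diet, Tag vs. Axles) and statistical relations that compare the event against the entity's own history (Drug vs. Historical dosage, Tag vs. Historical time). The Python below is an added illustration of such an evaluator for the three HRM drug relations; it is not the authors' code or a real HRM system. The patient record, drug names, diet conflicts, minimum history length and z-score threshold are all constructed for the example.

```python
# Toy application-level relation evaluator for the HRM Patient Harm relations.
# Added illustration, not the authors' code. Every name and value below is constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Optional


@dataclass
class Patient:
    patient_id: str
    allergies: set[str]                 # drugs this patient must not receive
    diet: str                           # current diet order, e.g. "low-sodium"
    dose_history: dict[str, list[float]] = field(default_factory=dict)  # mg per past order


@dataclass
class Order:
    order_id: str
    patient_id: str
    ordered_by: str                     # the internal user (doctor/nurse) who placed it
    drug: str
    dose_mg: float


@dataclass
class Alert:
    relation: int                       # relation number from the Patient Harm table
    order_id: str
    ordered_by: str
    detail: str


# Constructed drug/diet incompatibilities consulted by relation 5.
DIET_CONFLICTS = {("beta", "low-sodium")}

MIN_HISTORY = 3     # a statistical relation needs a baseline before it may fire
Z_THRESHOLD = 3.0   # tightness of thresholds: lower catches more, at the cost of false alarms


def drug_vs_allergy(order: Order, patient: Patient) -> Optional[Alert]:
    """Relation 2, rule-based: the ordered drug is on the patient's allergy list."""
    if order.drug in patient.allergies:
        return Alert(2, order.order_id, order.ordered_by,
                     f"{order.drug} is on {patient.patient_id}'s allergy list")
    return None


def drug_vs_diet(order: Order, patient: Patient) -> Optional[Alert]:
    """Relation 5, rule-based: the ordered drug conflicts with the patient's diet."""
    if (order.drug, patient.diet) in DIET_CONFLICTS:
        return Alert(5, order.order_id, order.ordered_by,
                     f"{order.drug} conflicts with diet {patient.diet}")
    return None


def dose_z_score(dose_mg: float, history: list[float]) -> Optional[float]:
    """Distance of a dose from the patient's own past doses, in standard deviations.
    Returns None when there is no usable baseline yet."""
    if len(history) < MIN_HISTORY:
        return None
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0.0:
        # Constant history: an equal dose is distance zero, anything else is off the scale.
        return 0.0 if dose_mg == mu else float("inf")
    return (dose_mg - mu) / sigma


def drug_vs_historical_dosage(order: Order, patient: Patient) -> Optional[Alert]:
    """Relation 8, statistical: the dose lies far outside this patient's history for the drug."""
    z = dose_z_score(order.dose_mg, patient.dose_history.get(order.drug, []))
    if z is not None and abs(z) > Z_THRESHOLD:
        return Alert(8, order.order_id, order.ordered_by,
                     f"{order.dose_mg} mg of {order.drug} is {z:.1f} sd from history")
    return None


RELATIONS = (drug_vs_allergy, drug_vs_diet, drug_vs_historical_dosage)


def evaluate_order(order: Order, patients: dict[str, Patient]) -> list[Alert]:
    """Run every relation against one order event and collect the alerts it raises."""
    patient = patients[order.patient_id]
    return [a for a in (rel(order, patient) for rel in RELATIONS) if a is not None]


# Constructed sample data: one patient record and four order events.
PATIENTS = {
    "P1": Patient("P1", allergies={"alpha"}, diet="low-sodium",
                  dose_history={"gamma": [10.0, 10.0, 11.0, 9.0, 10.0]}),
}
ORDERS = [
    Order("O1", "P1", "dr_a", "alpha", 5.0),       # allergic drug   -> relation 2
    Order("O2", "P1", "dr_a", "beta", 20.0),       # diet conflict   -> relation 5
    Order("O3", "P1", "nurse_b", "gamma", 10.5),   # within history  -> no alert
    Order("O4", "P1", "nurse_b", "gamma", 100.0),  # far outside     -> relation 8
]


def run_all() -> dict[str, list[int]]:
    """Map each sample order id to the relation numbers that fired on it."""
    return {o.order_id: [a.relation for a in evaluate_order(o, PATIENTS)] for o in ORDERS}


if __name__ == "__main__":
    for order in ORDERS:
        for alert in evaluate_order(order, PATIENTS):
            print(f"relation {alert.relation} on {alert.order_id} by {alert.ordered_by}: {alert.detail}")
```

Each alert carries the relation number from the table and the internal user who placed the order, which is what a hierarchical reporting layer would forward upward. Lowering `Z_THRESHOLD` or `MIN_HISTORY` tightens the statistical relation and raises its false-alarm rate; the ETC relations (Tag vs. Axles as a rule, Tag vs. Historical time as a statistic) follow the same two patterns with toll-lane events in place of orders.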
Relate OS IDS to App IDS
• Similarities
– detect intrusions by evaluating relations to differentiate between anomalous and normal behavior
– centralized or decentralized (hierarchical)
– similar threat categories
– tightness of thresholds
• Differences
– anomaly detection using statistical and rule-based app’n relations
– internal intruders/abusers
– event causing entity
  • outside system
– resolution -- finer grain