On the Fundamentals of Analysis and Detection of Computer Misuse

Doktorsavhandling, 1999

Most computerized information systems we use in our everyday lives provide very little protection against hostile manipulation. At the same time, there is a rapidly increasing dependence on services provided by these computer systems and networks, and security is thus not only an interesting and challenging research discipline but has indeed developed into a critical issue for society. This thesis presents research focused on the fundamental technical issues of computer misuse, aimed at manual analysis and automatic detection. The objective is to analyze and understand the technical nature of security threats and, on the basis of this, develop efficient generic methods that can improve the security of existing and future systems. The work is performed from the perspective of system and information owners, a different approach compared to the many previous studies that focus on system developers only. The analysis is based mainly on empirical data from student experiments but also uses data from a security analysis, data recorded from a network server and data produced for an intrusion detection evaluation project. Throughout this work, systematic categorization of data has been used as the main method for data analysis. The results of this work include new findings about the behavior of so-called insider attackers, a dangerous but sometimes neglected security threat. For systems that include commercial off-the-shelf components, underlying causes of system vulnerabilities are identified and discussed, a systematic procedure for vulnerability remediation is developed and a risk management strategy is proposed. Furthermore, the aspects of computer misuse that are fundamental for automatic detection are identified and analyzed in detail. The efficiency and usability of a generic expert system tool for automatic misuse detection is verified empirically. A general database format for documenting attack types and for automatically updating detection tools is outlined.