Enhanced Correlation in an Intrusion Detection Process - Computer Network Security - page 160

Information Technology Reference

In-Depth Information

Action touch ( Agent, F ile )

Detectime: timestamp

Pre: OperatingSystem ( OS )

Post: file ( File ) ,

authorized ( Agent, read, F ile ),

authorized ( Agent, write, F ile )

Action block ( Agent, Printer )

Detectime: timestamp

Pre: printer ( Printer ) ,

physical access ( Agent, Printer ) ,

not( blocked ( Printer ))

Post: blocked ( Printer )

Action lpr - s ( Agent, Printer, F ile )

Detectime: timestamp

Pre: printer ( Printer ) ,

file ( File ) ,

authorized ( Agent, read, F ile ) ,

OperatingSystem ( OS )

Post: queued ( F ile, Printer )

Action remove ( Agent, F ile )

Detectime: timestamp

Pre: authorized ( Agent, write, F ile ) ,

file ( File )

Post: not ( file ( File ))

Action ln - s ( Agent, Link, F ile )

Detectime: timestamp

Pre: not ( file ( Link ))

OperatingSystem ( OS )

Post: linked ( Link, F ile )

file ( File )

Action unblock ( Agent, Printer )

Detectime: timestamp

Pre: printer ( Printer ) ,

blocked ( Printer ) ,

physical access ( Agent, Printer )

Post: not ( blocked ( Printer ))

Action print - process ( Printer, Link )

Detectime: timestamp

Pre: queued ( Link, Printer ) ,

linked ( Link, F ile ) ,

not ( blocked ( Printer ))

Post: printed ( Printer, F ile ) ,

not ( queued ( Link, Printer ))

Action get - file ( Agent, F ile, Printer )

Detectime: timestamp

Pre: printed ( Printer, F ile ) ,

physical access ( Agent, Printer )

Post: read access ( Agent, F ile )

Fig. 1. Definition of actions used in the illegal file access scenario

Next Page

Computer Network Security

Search WWH ::

Custom Search

Home