Intrusion Detection Requirements
An intrusion detection requirement is any security requirement that specifies a required amount of intrusion detection, which is a quality factor that is defined as follows:
- Intrusion Detection
  - 1) n. [quality factor] the degree to which attempted or successful access or modification by intruders (i.e., unauthorized individuals or programs) is detected, recorded, and notified.
  - 2) n. the means by which intrusion is detected, recorded, and notified.
  - 3) v. the process of detecting, recording, and giving notification of intrusion.
The typical objectives of an intrusion detection requirement are to ensure that:
- Attempted and successful intrusions are detected.
- Relevant information about the detected intrusions is properly recorded.
- Security and operations personnel are properly notified about the intrusions in a timely manner.
Intrusion detection requirements are typically specified in terms of the following measurements:
- Minimum percentage of successful intrusions detected.
- Minimum percentage of unsuccessful intrusions detected.
The following are typical examples of intrusion detection requirements:
- “The application shall detect and record all attempted accesses that fail required identification, authentication, and authorization.”
- “The application shall daily notify the data center security officer of all failed attempted accesses during the previous 24 hours.”
- “The application shall notify the data center security officer within 5 minutes of any repeated failed attempt to access the employee and corporate financials databases.”
The following are examples of intrusion detection requirements from the Global Personal Marketplace (GPM) system, a global Web-based marketplace bringing together private individuals and small companies to buy and sell all manner of items:
- Repeated Authentication Failure:
  - Detection: “A minimum of 99.99% of the time, the GPM shall detect and record each attempted intrusion by an unauthenticated user.”
  - Notification: “A minimum of 99.99% of the time, the GPM shall notify the security officer within one minute if it cannot successfully verify the user’s identity in less than four attempts within any one-hour period.”
- Authorization Failure:
  - Detection: “A minimum of 99.99% of the time, the GPM shall detect and record each attempted intrusion by an unauthorized user.”
  - Notification: “A minimum of 99.99% of the time, the GPM shall notify the security officer within one minute if any actor attempts to perform a use case for which it is unauthorized.”
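As an added illustration (example code written for this page, not the GPM system's code or the original author's), the following Python turns the requirements quoted above into detection logic run over a constructed access-event log: it records every failed identification, authentication, or authorization attempt; it notifies when an actor fails authentication four times inside a rolling one-hour window, or attempts a use case it is not authorized for; it stamps each notification with its one-minute deadline; and it can produce the "previous 24 hours" failure report. The event schema, the actor and target names, and the timestamps are assumptions made for this example.

```python
# Added example (not code from the original page or from the GPM system):
# a detector that implements the quoted requirements over constructed
# access-log events. Event schema, actor/target names and timestamps
# are assumptions made for this example.
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 3600          # GPM: "within any one-hour period"
MAX_AUTH_FAILURES = 4          # GPM: identity not verified in fewer than four attempts
NOTIFY_DEADLINE_SECONDS = 60   # GPM: notify the security officer "within one minute"


@dataclass
class IntrusionDetector:
    # Every failed identification/authentication/authorization attempt is
    # recorded here ("detect and record all attempted accesses that fail").
    records: list = field(default_factory=list)
    # Notifications owed to the security officer, each with its delivery deadline.
    notifications: list = field(default_factory=list)
    # Per-actor timestamps of recent authentication failures (rolling window).
    _auth_failures: dict = field(default_factory=lambda: defaultdict(deque))

    def observe(self, event: dict) -> list:
        """Process one event (events must arrive in time order) and return
        the notifications it triggered."""
        actor, stage, ts, target = event["actor"], event["stage"], event["ts"], event["target"]
        fired = []
        if event["outcome"] == "success":
            if stage in ("identification", "authentication"):
                self._auth_failures.pop(actor, None)   # identity verified: streak ends
            return fired

        # Detection plus recording: every failed attempt, whatever the stage.
        self.records.append(dict(event))

        if stage in ("identification", "authentication"):
            window = self._auth_failures[actor]
            window.append(ts)
            # Keep only failures that fall inside the last hour relative to this event.
            while window and ts - window[0] >= WINDOW_SECONDS:
                window.popleft()
            if len(window) >= MAX_AUTH_FAILURES:
                fired.append(self._notify("repeated_auth_failure", actor, target, ts))
                window.clear()   # one notification per burst, not one per extra failure
        elif stage == "authorization":
            # GPM: notify on any attempt to perform a use case the actor is not authorized for.
            fired.append(self._notify("authorization_failure", actor, target, ts))

        self.notifications.extend(fired)
        return fired

    def _notify(self, kind: str, actor: str, target: str, ts: float) -> dict:
        # The detector only states the deadline; meeting it (and the 99.99% figure)
        # is a property of the delivery path and of the system's availability.
        return {"kind": kind, "actor": actor, "target": target,
                "detected_at": ts, "notify_by": ts + NOTIFY_DEADLINE_SECONDS}

    def failures_in_last(self, now: float, seconds: float = 86400) -> list:
        """Recorded failures with a timestamp in (now - seconds, now]; a daily
        run with the default window yields the 'previous 24 hours' report."""
        return [r for r in self.records if now - seconds < r["ts"] <= now]


T0 = 1_700_000_000.0  # constructed base timestamp


def _ev(offset, actor, stage, outcome, target):
    return {"ts": T0 + offset, "actor": actor, "stage": stage, "outcome": outcome, "target": target}


# Constructed sample log, in time order. alice fails four times inside one hour
# (must notify); bob fails four times, but the first failure is more than an hour
# before the rest (must not notify); dave hits an authorization failure (must notify).
SAMPLE_EVENTS = [
    _ev(0,    "alice", "authentication", "failure", "gpm_login"),
    _ev(0,    "bob",   "authentication", "failure", "gpm_login"),
    _ev(50,   "dave",  "authorization",  "failure", "corporate_financials_db"),
    _ev(100,  "carol", "authentication", "success", "gpm_login"),
    _ev(300,  "alice", "authentication", "failure", "gpm_login"),
    _ev(600,  "alice", "authentication", "failure", "gpm_login"),
    _ev(900,  "alice", "authentication", "failure", "gpm_login"),
    _ev(4000, "bob",   "authentication", "failure", "gpm_login"),
    _ev(4100, "bob",   "authentication", "failure", "gpm_login"),
    _ev(4200, "bob",   "authentication", "failure", "gpm_login"),
]


def run_sample() -> IntrusionDetector:
    det = IntrusionDetector()
    for e in SAMPLE_EVENTS:
        det.observe(e)
    return det


if __name__ == "__main__":
    det = run_sample()
    print(f"{len(det.records)} failed attempts recorded")
    for n in det.notifications:
        print(n)
```

Note what the code can and cannot promise: it decides what is detected and when a notification is owed, but whether that notification actually reaches the security officer within one minute, 99.99% of the time, depends on the delivery path and on the system's availability. That is exactly why the requirements above are stated in terms of outcomes and deadlines rather than in terms of the mechanism.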
The following guidelines have been found to be useful when producing intrusion detection requirements:
- The scope of an intrusion detection requirement can be:
- Intrusion detection requirements depend on identification, authentication, and authorization requirements.
- Intrusion detection requirements can be quantified by specifying the minimum percentage of the time that attempted intrusions will be detected and that security will be notified, together with the maximum time within which that notification must occur.
- Intrusion detection requirements should not be specified in terms of the types of security architecture mechanisms that are typically used to implement them, such as:
  - Alarms.
  - Event reporting.
  - Use of a specific commercial-off-the-shelf (COTS) product:
    - Intrusion Detection System (IDS).
    - Intrusion Prevention System (IPS).