This section is from the book "Computer Security Threat Monitoring And Surveillance", by James P. Anderson.
In many installations, the internal penetration is more frequent than external penetrations. This is true for a variety of reasons, not the least of which is the internal penetrator has overcome a major barrier to unauthorized access? that is, the ability to gain use of a machine. Again for the purpose of identifying possible means of detection through audit trails, three classes of users can be identified. These are:
a. The masquerader.
b. The legitimate user.
c. The clandestine user.
The user classes are shown in an order of increasing difficulty in detecting their activity through audit trail data. The ability, to detect activity of each category of user from audit data varies, in some cases considerably; hence the breakdown.
As indicated in the diagram, the masquerader is an internal user by definition. He can be any category of individual; either an external penetrator who has succeeded in penetrating the installation access controls, or an employee without full access to a computer system, or possibly an employee with full access to a computer system who wishes to exploit another legitimate users identification and password that he may have obtained.
This case is interesting because there is no particular feature to distinguish the masquerader from the legitimate user. Indeed, with possession of the proper user identifier and.password, he is a legitimate user as far as the computer system is concerned. Masquerade is interesting in that it is by definition an "extra" use of a system by the unauthorized user. As such it should be possible to detect instances of such use by analysis of audit trail records to determine: a. Use outside of normal time b. Abnormal frequency of use c. Abnormal volume of data reference d. Abnormal patterns of reference to programs or data.
As will be discussed in the subsequent section, the operative word is "abnormal" which implies that there is some notion of what "normal" is for a given user.
In attempting to detect masquerade, a surveillance system focuses on the legitimate user as the resource being "protected". In other types of surveillance the resource being protected may be other elements of the system such as devices, specific files and databases or programs and the like.
Quite obviously the masquerader can have as his intent any of the various stated purposes of penetration. Again, since his use of a system will be extra, that is in addition to normal use by a user of the same user number, this extra use can or should be detectable.
The legitimate user as a threat to information resources is a case of misfeasance in that it involves the misuse of authorized access both to the system and to its data. Since the user is authorized to use the system, the audit trail records would not be expected to exhibit any abnormal patterns of reference, logon times and so forth. It is for this reason that the degree of difficulty in detecting "abnormal" use by a legitmate user of a system is more difficult than the preceding case. There maybe no "extra" use of resources that can be of help in detecting the activity.
It must be recognized that small amounts of misuse of authorized access would not be detected under any circumstance. As an instance, if the authorized user misuses his authority slighty, to print Snoopy calendars or to extract two extra records of data that he is otherwise authorized to use, a statistically satisfactory method of detecting such minor abnormalities is probably not feasible.
If the legitimate user makes use of his authorized access to refer to or gain access to information that is normally not authorized in the conduct of his job, the audit trail should be able to reflect this. Similarly, if the authorized user misuses his access to gain large amounts of information by transferring many records or use an "excessive" amount of computer time, this too should be detectable. Initially, it may not be possible to detect a difference between a case of misfeasance and a masquerade. In general, it would be expected that the masquerade would show up as an anomaly in the time of use of a system whereas misfeasance would show up by one or more of the parameters total time used, or data transferred exceeding previously established norms.
The clandestine user is quite possibly the most difficult to detect by normal audit trail methods. The assumption regarding clandestine users is that the user has or can seize supervisory control of the machine and as such can either operate below the level at which audit trail data is taken or can use privileges or system primitives to evade audit trail data being recorded for him. As far as most audit trail information is concerned, the clandestine user is "the little man who isn't there". There is nothing that can be done to detect this type of user unless he activates his clandestine operations in a masquerade or as misfeasance of a legitmate user that may then create individual records that show up under those categories of use.
The clandestine user who effects a technical penetration to obtain control of the most privileged state the computer system, is not capable of being audited. Where the threat of such penetrations is considered high it would be possible to augment the internal auditing mechanisms of the individual computer with external measurements of busy or idle states of the CPU, the memory, secondary storage and so forth, and from this additional data possibly (a very weak possibly) detect "pure" phantom use.