This section is from the book "Computer Security Threat Monitoring And Surveillance", by James P. Anderson.
The basic premise of this study is that it is possible to characterize the use of a computer system by observing the various parameters available through audit trails, and to establish from these observations "normal" ranges for the various values making up the characterizations.
In considering the problem of characterizing use of a computer, the first issue that must be faced is what unit or units should be used to represent how a computer is used. It appears that the most natural unit of computer use is the notion of a job in batch running or a session in interactive working. Both of these terms denote a continuous unit or a single unit of use of a computer with a well-defined beginning and a well-defined end. The parameters that distinguish one unit from another are the user identifiers on whose behalf they are operated and the list of the program and (where available) data files entering into the program.
It should be noted that if the resource being monitored is a file or device, the notion of job or session as the principal parameter of characterization may not make much sense. In these instances, a list of references by user identifier or program (if such information is available) is the principal parameter of characterization of such use.
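The characterization described above, sketched as an added example that is not taken from the book: sessions are grouped by user identifier, a "normal" range is derived for one audit parameter, and the same records are also viewed per file. The record layout, the choice of CPU seconds as the parameter, the file names, and the three-standard-deviation range are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit-trail sessions: (user id, cpu seconds, files referenced).
HISTORY = [
    ("alice", 12.0, {"payroll.dat", "report.pgm"}),
    ("alice", 14.0, {"payroll.dat", "report.pgm"}),
    ("alice", 13.0, {"report.pgm"}),
    ("alice", 11.0, {"payroll.dat"}),
    ("bob",   40.0, {"sim.pgm", "grid.dat"}),
    ("bob",   44.0, {"sim.pgm", "grid.dat"}),
    ("bob",   42.0, {"sim.pgm"}),
]

K = 3.0  # assumed width of the "normal" range, in standard deviations

def build_profiles(history):
    """Per-user profile: normal CPU range and the set of files seen."""
    cpu, files = defaultdict(list), defaultdict(set)
    for user, secs, refs in history:
        cpu[user].append(secs)
        files[user] |= refs
    profiles = {}
    for user, samples in cpu.items():
        m, s = mean(samples), pstdev(samples)
        profiles[user] = {"cpu_range": (m - K * s, m + K * s), "files": files[user]}
    return profiles

def file_references(history):
    """File-centric view: which user ids referenced each file."""
    refs = defaultdict(set)
    for user, _, names in history:
        for name in names:
            refs[name].add(user)
    return dict(refs)

def check_session(profiles, user, secs, refs):
    """Return the list of ways a session departs from the user's profile."""
    profile = profiles.get(user)
    if profile is None:
        return ["no profile for user"]
    findings = []
    lo, hi = profile["cpu_range"]
    if not lo <= secs <= hi:
        findings.append(f"cpu {secs} outside [{lo:.1f}, {hi:.1f}]")
    for name in sorted(refs - profile["files"]):
        findings.append(f"new file {name}")
    return findings
```

A session under alice's identifier that uses 41 CPU seconds and touches `grid.dat` yields two findings, while one that stays inside her range and file list yields none.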