Denning, D. E. 1987. An intrusion detection model. IEEE Transactions on Software Engineering 13, 2, 222-232.
The model Denning arrived at is a general-purpose one, intended to cover any kind of environment, system vulnerability and type of intrusion. Denning believed that most intrusions could be identified from the audit records created by the intrusion detection system, proposed a model along the lines of IDES, and claimed that it works well.
The model proposed by Denning was expected to cater to the following list of intrusions:
1. Attempted break-in
2. Masquerading or successful break-in
3. Penetration by legitimate user
4. Leakage by legitimate user
5. Inference by legitimate user
6. Trojan horse
7. Virus
8. Denial of service
Model proposed by Denning:
Since the model is a general-purpose one, Denning called it an intrusion-detection expert system (IDES). The six main components of the model are the following:
1. Subjects
2. Objects
3. Audit records
4. Profiles
5. Anomaly records
6. Activity rules
Denning also describes various metrics and statistical models by which the audit records could be analyzed to detect anomalies.
The metrics defined are:
1. event counter - number of audit records satisfying some property occurring during a period
2. interval timer - length of time between two related events
3. resource measure - quantity of resources consumed by some action during a period as specified in the Resource-Usage field of the audit records.
Statistical models proposed include the following:
1. Operational model
2. Mean and standard deviation model
3. Multivariate model
4. Markov Process model
5. Time series model
In this paper, in addition to defining metrics and models, Denning also elaborates on the various profiles of data that could be generated for different sessions.
Such profile data could thus be used for designing intrusion detection system test cases.
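As an added worked example (not code from Denning's paper or from this post), the snippet below applies the event-counter metric to a constructed set of audit records and judges the count with two of the statistical models listed above, the operational model and the mean and standard deviation model. The record layout, the BAD_PASSWORD exception value, the fixed threshold of 2 and the choice d = 2 are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import sqrt

# Constructed audit records for one session, in the paper's field order:
# (subject, action, object, exception-condition, resource-usage, time-stamp)
SESSION_RECORDS = [
    ("alice", "login", "host1", "BAD_PASSWORD", 0, 1),
    ("alice", "login", "host1", "BAD_PASSWORD", 0, 2),
    ("alice", "login", "host1", "BAD_PASSWORD", 0, 3),
    ("alice", "login", "host1", "", 0, 4),
    ("alice", "read", "payroll.db", "", 12, 5),
]
# Constructed history: failed-login counts in alice's eight previous sessions.
PAST_FAILED_LOGINS = [0, 1, 0, 0, 1, 0, 2, 0]

@dataclass
class Profile:
    """Profile for one (subject, metric): keeping only n, sum and sum of
    squares lets the mean and standard deviation be updated incrementally."""
    n: int = 0
    total: float = 0.0
    sumsq: float = 0.0
    def update(self, x):
        self.n, self.total, self.sumsq = self.n + 1, self.total + x, self.sumsq + x * x
    def mean(self):
        return self.total / self.n
    def stdev(self):
        return sqrt(max(self.sumsq / self.n - self.mean() ** 2, 0.0))

def event_counter(records, predicate):
    """Event-counter metric: number of audit records satisfying a property."""
    return sum(1 for r in records if predicate(r))

def operational_model(x, threshold):
    """Operational model: abnormal when the observation exceeds a fixed limit."""
    return x > threshold

def mean_stdev_model(x, profile, d=2.0):
    """Mean/stdev model: abnormal when x lies outside mean +/- d * stdev."""
    return abs(x - profile.mean()) > d * profile.stdev()

def anomaly_record(records, subject, history, threshold=2):
    # Build the subject's profile from past sessions, then measure this one.
    profile = Profile()
    for past in history:
        profile.update(past)
    x = event_counter(records, lambda r: r[0] == subject and r[1] == "login"
                      and r[3] == "BAD_PASSWORD")
    return {"subject": subject, "metric": "failed_logins", "value": x,
            "operational": operational_model(x, threshold),
            "mean_stdev": mean_stdev_model(x, profile)}
```

Running `anomaly_record(SESSION_RECORDS, "alice", PAST_FAILED_LOGINS)` yields a record with value 3 that both models flag, since 3 exceeds the fixed limit and lies far outside the profile's mean of 0.5 plus two standard deviations.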