Computer systems are inherently insecure. The large number of new vulnerabilities announced each month underscores this. The categories of flaws in software and computer systems have not changed in 20 years. This is partially due to poor software review and quality assurance procedures; it is also difficult to test a fielded system for security problems. The consequence of this shortcoming is that intruders exploit these flaws to compromise computer systems. Common motivations for these intrusions are students and others "joy-riding" on computer systems, software piracy, and industrial and governmental espionage. There have even been assertions that rival academic research groups have broken into their competitors' computers to steal data and algorithms. In the coming age of petabyte computing, the integrity of a data archive will be paramount, as there may be only one copy of the data due to its size. An intruder could freely manipulate the archive and cause researchers who mine that archive to reach incorrect conclusions.
Given these threats, we need ways to protect our computer systems in order to assure the confidentiality, integrity, and availability of our data. Currently, prevention is limited to known classes of security problems. Thus, we would like to detect intrusions as they occur, both to protect our systems and to discover new vulnerabilities. Once we can detect and stop intrusions, we need to analyze the methods the intruder used, in order to discover previously unknown attacks and techniques for violating security and to determine how to detect and counter them. With this information, we can improve our defenses.
Unfortunately, we usually do not find these new vulnerabilities unless the intruder is unskilled or careless. A moderately skillful intruder can go unnoticed for many months on the typical computer system, because most sites do not collect sufficient audit data to analyze. Audit trails, when they are collected, are usually kept on local storage to which the intruder has access, and most intruders erase their tracks upon finding them. Additionally, few sites have the expertise required to detect or analyze an intrusion. Thus, after the fact, there is rarely anything one can do to reconstruct the actions an intruder has taken on a computer system.
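The weakness described above, an audit trail that sits on storage the intruder controls, can be made tamper-evident even when the records themselves cannot be moved off the host. The following is an added illustration, not code from this paper: each audit record is hashed together with the hash of the record before it, and the current head hash is assumed to be shipped to a host the intruder cannot reach (a remote log collector, or a line printer). With the head held elsewhere, an intruder who edits, deletes, or rewrites local entries is detected on verification. The event records and the `SAMPLE_EVENTS`, `append_entry` and `verify_log` names are constructed for this example.

```python
import copy
import hashlib
import json

# Hash of the (empty) chain before the first record is written.
GENESIS = "0" * 64

# Constructed sample audit events; not taken from any real system.
SAMPLE_EVENTS = [
    {"ts": "1996-03-04T02:11:05", "user": "alice", "event": "login", "src": "192.0.2.10"},
    {"ts": "1996-03-04T02:12:40", "user": "alice", "event": "su", "target": "root"},
    {"ts": "1996-03-04T02:13:02", "user": "root", "event": "exec", "cmd": "rm /var/adm/wtmp"},
]


def chain_hash(prev_hash, record):
    """Hash a record bound to the hash of the record that precedes it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append_entry(log, record):
    """Append a record to the local chain and return the stored entry."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": chain_hash(prev, record)}
    log.append(entry)
    return entry


def verify_log(log, expected_head):
    """Check the chain against a head hash held off-host.

    Returns (True, None) if intact, otherwise (False, index) where index is
    the first inconsistent entry, or len(log) if the tail has been cut off
    or the whole chain was rewritten.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != chain_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if prev != expected_head:
        return False, len(log)
    return True, None


def demo():
    """Build a chain, then verify it against four local tampering scenarios."""
    log = []
    for rec in SAMPLE_EVENTS:
        append_entry(log, rec)
    # In practice this value is sent to a remote collector as each record lands.
    head = log[-1]["hash"]

    results = {"intact": verify_log(log, head)}

    # Intruder edits one record in place without touching the hashes.
    modified = copy.deepcopy(log)
    modified[1]["record"]["user"] = "nobody"
    results["modified"] = verify_log(modified, head)

    # Intruder deletes the last record (the one showing the wtmp removal).
    truncated = copy.deepcopy(log[:-1])
    results["truncated"] = verify_log(truncated, head)

    # Intruder edits a record and recomputes every hash after it; only the
    # off-host head copy reveals that the chain no longer matches.
    records = [copy.deepcopy(e["record"]) for e in log]
    records[1]["user"] = "nobody"
    rewritten = []
    for rec in records:
        append_entry(rewritten, rec)
    results["rewritten"] = verify_log(rewritten, head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} {outcome}")
```

The last scenario is the important one: a chain stored entirely on the compromised host detects sloppy edits and truncation, but an intruder who recomputes the hashes leaves a chain that is internally consistent. Only comparing against the head hash copied off the host exposes that rewrite, which is why the audit data, or at least its running digest, must leave the machine as it is produced.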