
3.3 Security audit analysis (FAU_SAA)

Family behaviour

This family defines requirements for automated means that analyse system activity and audit data looking for possible or real security violations. This analysis may work in support of intrusion detection, or automatic response to an imminent security violation.

The actions to be taken based on the detection can be specified using the FAU_ARP family as desired.

Component levelling

[Component levelling diagram: FAU_SAA Security audit analysis, components 1 to 4. FAU_SAA.2 and FAU_SAA.3 are hierarchical to FAU_SAA.1; FAU_SAA.4 is hierarchical to FAU_SAA.3.]

In FAU_SAA.1 Potential violation analysis, basic threshold detection on the basis of a fixed rule set is required.

In FAU_SAA.2 Profile based anomaly detection, the TSF maintains individual profiles of system usage, where a profile represents the historical patterns of usage performed by members of the profile target group. A profile target group refers to a group of one or more individuals (e.g. a single user, users who share a group ID or group account, users who operate under an assigned role, users of an entire system or network node) who interact with the TSF. Each member of a profile target group is assigned an individual suspicion rating that represents how well that member's current activity corresponds to the established patterns of usage represented in the profile. This analysis can be performed at runtime or during a post-collection batch-mode analysis.

In FAU_SAA.3 Simple attack heuristics, the TSF shall be able to detect the occurrence of signature events that represent a significant threat to TSP enforcement. This search for signature events may occur in real-time or during a post-collection batch-mode analysis.

In FAU_SAA.4 Complex attack heuristics, the TSF shall be able to represent and detect multi-step intrusion scenarios. The TSF is able to compare system events (possibly performed by multiple individuals) against event sequences known to represent entire intrusion scenarios. The TSF shall be able to indicate when a signature event or event sequence is found that indicates a potential violation of the TSP.
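The first two levels above can be made concrete with a small analyser. The following is an added example written for this page, not text or code from the Common Criteria standard or from any evaluated TOE: it applies a fixed accumulation rule to audited events (FAU_SAA.1) and computes a suspicion rating for a profile target group against a historical usage profile (FAU_SAA.2). The audit records, the history, the rule names, the "rare below 5%" definition of an anomalous event and the 0.3 reporting threshold are all constructed assumptions for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed audit records for illustration (not from any real TOE):
# (timestamp in seconds, user, event type, outcome)
AUDIT_RECORDS = [
    (100, "alice", "login", "fail"),
    (101, "alice", "login", "fail"),
    (102, "alice", "login", "fail"),
    (103, "alice", "login", "success"),
    (110, "bob", "read", "success"),
    (111, "bob", "read", "success"),
    (112, "bob", "read", "success"),
    (113, "bob", "read", "success"),
    (114, "bob", "delete", "success"),
    (115, "bob", "delete", "success"),
    (116, "bob", "delete", "success"),
]

# Constructed history for the profile target group "bob": 20 reads and 1 write.
HISTORY = [(t, "bob", "read", "success") for t in range(20)] + [(20, "bob", "write", "success")]


@dataclass(frozen=True)
class Rule:
    """One FAU_SAA.1 accumulation rule: `threshold` matching events within `window` seconds."""
    name: str
    event: str
    outcome: str
    threshold: int
    window: int


def apply_rules(records, rules):
    """FAU_SAA.1: apply a fixed rule set to the audited events and return
    (rule name, user, timestamp of the event that crossed the threshold)."""
    indications = []
    for rule in rules:
        per_user = defaultdict(list)
        for ts, user, event, outcome in sorted(records):
            if event == rule.event and outcome == rule.outcome:
                per_user[user].append(ts)
        for user, times in per_user.items():
            lo = 0
            for hi, ts in enumerate(times):
                # slide the window start forward so it spans at most `rule.window` seconds
                while ts - times[lo] > rule.window:
                    lo += 1
                if hi - lo + 1 >= rule.threshold:
                    indications.append((rule.name, user, ts))
                    break  # one indication per user per rule is enough
    return indications


def build_profile(history):
    """FAU_SAA.2: a profile is the historical distribution of event types for the target group."""
    counts = Counter(event for _, _, event, _ in history)
    total = sum(counts.values())
    return {event: n / total for event, n in counts.items()}


def suspicion_rating(profile, current, rare_below=0.05):
    """FAU_SAA.2: rating in [0, 1] = share of current events that are rare or absent in the profile."""
    if not current:
        return 0.0
    rare = sum(1 for _, _, event, _ in current if profile.get(event, 0.0) < rare_below)
    return rare / len(current)


def anomaly_indications(records, history, group_user, threshold=0.3):
    """Report an imminent violation when the user's suspicion rating exceeds the threshold."""
    profile = build_profile(history)
    current = [r for r in records if r[1] == group_user]
    rating = suspicion_rating(profile, current)
    return rating, rating > threshold


if __name__ == "__main__":
    rules = [Rule("repeated_auth_failure", "login", "fail", threshold=3, window=60)]
    print(apply_rules(AUDIT_RECORDS, rules))
    print(anomaly_indications(AUDIT_RECORDS, HISTORY, "bob"))
```

Running it reports alice's three failed logins within the 60-second window under the FAU_SAA.1 rule, and gives bob a suspicion rating of 3/7 because three of his seven current events (the deletes) never appear in his profile, which exceeds the assumed 0.3 threshold. The threshold conditions and the definition of "rare" are exactly the assignments FAU_SAA.2.3 leaves to the PP/ST author.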

Management: FAU_SAA.1

The following actions could be considered for the management functions in FMT:

a) maintenance of the set of rules (adding, modifying or deleting rules from the set of rules).

Management: FAU_SAA.2

The following actions could be considered for the management functions in FMT:

a) maintenance (deletion, modification, addition) of the group of users in the profile target group.

Management: FAU_SAA.3

The following actions could be considered for the management functions in FMT:

a) maintenance (deletion, modification, addition) of the subset of system events.

Management: FAU_SAA.4

The following actions could be considered for the management functions in FMT:

a) maintenance (deletion, modification, addition) of the subset of system events;

b) maintenance (deletion, modification, addition) of the set of sequences of system events.

Audit: FAU_SAA.1, FAU_SAA.2, FAU_SAA.3, FAU_SAA.4

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

a) Minimal: Enabling and disabling of any of the analysis mechanisms;

b) Minimal: Automated responses performed by the tool.

FAU_SAA.1 Potential violation analysis

Hierarchical to: No other components.

FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the TSP.

FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring audited events:

a) Accumulation or combination of [assignment: subset of defined auditable events] known to indicate a potential security violation;

b) [assignment: any other rules].

Dependencies: FAU_GEN.1 Audit data generation

FAU_SAA.2 Profile based anomaly detection

Hierarchical to: FAU_SAA.1

FAU_SAA.2.1 The TSF shall be able to maintain profiles of system usage, where an individual profile represents the historical patterns of usage performed by the member(s) of [assignment: the profile target group].

FAU_SAA.2.2 The TSF shall be able to maintain a suspicion rating associated with each user whose activity is recorded in a profile, where the suspicion rating represents the degree to which the user's current activity is found inconsistent with the established patterns of usage represented in the profile.

FAU_SAA.2.3 The TSF shall be able to indicate an imminent violation of the TSP when a user's suspicion rating exceeds the following threshold conditions [assignment: conditions under which anomalous activity is reported by the TSF].

Dependencies: FIA_UID.1 Timing of identification

FAU_SAA.3 Simple attack heuristics

Hierarchical to: FAU_SAA.1

FAU_SAA.3.1 The TSF shall be able to maintain an internal representation of the following signature events [assignment: a subset of system events] that may indicate a violation of the TSP.

FAU_SAA.3.2 The TSF shall be able to compare the signature events against the record of system activity discernible from an examination of [assignment: the information to be used to determine system activity].

FAU_SAA.3.3 The TSF shall be able to indicate an imminent violation of the TSP when a system event is found to match a signature event that indicates a potential violation of the TSP.

Dependencies: No dependencies.

FAU_SAA.4 Complex attack heuristics

Hierarchical to: FAU_SAA.3

FAU_SAA.4.1 The TSF shall be able to maintain an internal representation of the following event sequences of known intrusion scenarios [assignment: list of sequences of system events whose occurrence are representative of known penetration scenarios] and the following signature events [assignment: a subset of system events] that may indicate a potential violation of the TSP.

FAU_SAA.4.2 The TSF shall be able to compare the signature events and event sequences against the record of system activity discernible from an examination of [assignment: the information to be used to determine system activity].

FAU_SAA.4.3 The TSF shall be able to indicate an imminent violation of the TSP when system activity is found to match a signature event or event sequence that indicates a potential violation of the TSP.

Dependencies: No dependencies.
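To show what FAU_SAA.3 and FAU_SAA.4 ask of an implementation, here is an added example written for this page; it is not code from the Common Criteria standard or from any evaluated product. It keeps an internal representation of signature events (FAU_SAA.3.1) and of event sequences for known intrusion scenarios (FAU_SAA.4.1), compares both against a record of system activity (FAU_SAA.3.2, FAU_SAA.4.2) and returns the indications (FAU_SAA.3.3, FAU_SAA.4.3). The activity records, the event names, the scenario name and the 600-second scenario window are constructed assumptions; in a real PP/ST they are the assignments the component leaves open.

```python
# Constructed record of system activity (not from any real TOE): (timestamp, user, event)
ACTIVITY = [
    (1, "carol", "port_scan"),
    (2, "dave", "login_fail"),
    (3, "dave", "login_fail"),
    (4, "dave", "login_success"),
    (5, "dave", "priv_escalation"),
    (6, "dave", "config_change"),
    (7, "erin", "read"),
]

# FAU_SAA.3.1 internal representation of signature events (assumed names for the example)
SIGNATURE_EVENTS = {"port_scan", "priv_escalation"}

# FAU_SAA.4.1 internal representation of event sequences of known intrusion scenarios
INTRUSION_SEQUENCES = {
    "failed_logins_then_escalation": ("login_fail", "login_success", "priv_escalation"),
}


def match_signature_events(activity, signatures):
    """FAU_SAA.3: every single system event that matches a signature event."""
    return [(ts, user, ev) for ts, user, ev in activity if ev in signatures]


def match_event_sequences(activity, sequences, window=600):
    """FAU_SAA.4: in-order (not necessarily contiguous) matches of each scenario sequence.
    The steps may be performed by different individuals, so matching runs over the whole
    activity stream; a partial match is abandoned once `window` seconds have elapsed
    since its first step."""
    findings = []
    for name, seq in sequences.items():
        idx, start_ts, users = 0, None, []
        for ts, user, ev in sorted(activity):
            if start_ts is not None and ts - start_ts > window:
                idx, start_ts, users = 0, None, []  # scenario timed out, start over
            if ev == seq[idx]:
                if idx == 0:
                    start_ts = ts
                users.append(user)
                idx += 1
                if idx == len(seq):
                    findings.append((name, start_ts, ts, tuple(users)))
                    idx, start_ts, users = 0, None, []
    return findings


def analyse(activity, signatures=SIGNATURE_EVENTS, sequences=INTRUSION_SEQUENCES):
    """FAU_SAA.4 is hierarchical to FAU_SAA.3, so the analysis indicates both
    signature-event hits and complete scenario sequences."""
    return {
        "signature_events": match_signature_events(activity, signatures),
        "event_sequences": match_event_sequences(activity, sequences),
    }


if __name__ == "__main__":
    for kind, hits in analyse(ACTIVITY).items():
        print(kind, hits)
```

On the constructed activity the analyser flags the two signature events on their own and also reports the complete scenario spanning timestamps 2 to 5; with a window too short to cover the scenario the partial match is dropped and only the signature hits remain, which is the difference between the FAU_SAA.3 and FAU_SAA.4 levels in practice.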
