AS ISO/IEC 15947-2004 Information technology - Security techniques - IT intrusion detection framework

AS ISO/IEC 15947—2004

ISO/IEC TR 15947:2002
AS ISO/IEC 15947

Australian Standard™
This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

Information technology—Security techniques—IT intrusion detection framework

This Australian Standard was prepared by Committee IT-012, Information
systems—Security and identification technology. It was approved on behalf of the
Council of Standards Australia on 29 January 2004 and published on
17 March 2004.

The following are represented on Committee IT-012:


Attorney General’s Department
Australian Association of Permanent Building Societies
Australian Bankers Association
Australian Chamber of Commerce and Industry
Australian Electrical and Electronic Manufacturers Association
Australian Information Industry Association
Certification Forum of Australia
Department of Defence (Australia)


Department of Social Welfare New Zealand
Government Communications Security Bureau, New Zealand
Internet Industry Association
NSW Police Service
New Zealand Defence Force
Reserve Bank of Australia

Keeping Standards up-to-date


Standards are living documents which reflect progress in science, technology and
systems. To maintain their currency, all Standards are periodically reviewed, and
new editions are published. Between editions, amendments may be issued.
Standards may also be withdrawn. It is important that readers assure themselves
they are using a current Standard, which should include any amendments which
may have been published since the Standard was purchased.
Detailed information about Standards can be found by visiting the Standards Web
Shop at www.standards.com.au and looking up the relevant Standard in the on-line
catalogue.
Alternatively, the printed Catalogue provides information current at 1 January each
year, and the monthly magazine, The Global Standard, has a full listing of revisions
and amendments published each month.
Australian Standards™ and other products and services developed by Standards
Australia are published and distributed under contract by SAI Global, which
operates the Standards Web Shop.
We also welcome suggestions for improvement in our Standards, and especially
encourage readers to notify us immediately of any apparent inaccuracies or
ambiguities. Contact us via email at mail@standards.org.au, or write to the Chief
Executive, Standards Australia International Ltd, GPO Box 5420, Sydney, NSW
2001.

This Standard was issued in draft form for comment as DR 03548.


AS ISO/IEC 15947—2004

Australian Standard™
Information technology—Security techniques—IT intrusion detection framework

First published as AS ISO/IEC 15947—2004.

COPYRIGHT
© Standards Australia International
All rights are reserved. No part of this work may be reproduced or copied in any form or by any
means, electronic or mechanical, including photocopying, without the written permission of the
publisher.
Published by Standards Australia International Ltd
GPO Box 5420, Sydney, NSW 2001, Australia
ISBN 0 7337 5764 2
PREFACE

This Standard was prepared by the Australian members of the Joint Standards Australia/Standards
New Zealand Committee IT-012, Information systems—Security and identification technology. After
consultation with stakeholders in both countries, Standards Australia and Standards New Zealand
decided to develop this Standard as an Australian, rather than an Australian/New Zealand Standard.
This Standard is identical with, and has been reproduced from ISO/IEC TR 15947:2002, Information
technology—Security techniques—IT intrusion detection framework.
The objective of this Standard is to provide a framework for detection of intrusions in IT systems.
As this Standard is reproduced from an international standard, the following applies:
(a) Its number appears on the cover and title page while the international standard number appears
only on the cover.
(b) In the source text ‘this Technical Report (TR)’ should read ‘this Australian Standard’.
(c) A full point substitutes for a comma when referring to a decimal marker.
References to International Standards should be replaced by references to Australian or
Australian/New Zealand Standards, as follows:

Reference to International Standard                                  Australian Standard

ISO/IEC TR 13335  Information technology—Guidelines for the          AS 13335  Information technology—Guidelines for the
                  management of IT Security                                    management of IT Security
13335-1           Part 1: Concepts and models for IT Security        13335.1   Part 1: Concepts and models for IT Security
13335-2           Part 2: Managing and planning IT Security          13335.2   Part 2: Managing and planning IT Security
13335-3           Part 3: Techniques for the management of           13335.3   Part 3: Techniques for the management of
                  IT Security                                                  IT Security
13335-4           Part 4: Selection of safeguards                    13335.4   Part 4: Selection of safeguards
13335-5           Part 5: Management guidance on network security    13335.5   Part 5: Management guidance on network security
CONTENTS

                                                                      Page

1      Scope                                                             1
2      References                                                        2
3      Terms and Definitions                                             2
4      Introduction to Intrusion Detection                               2
4.1    The Need for Intrusion Detection                                  2
4.2    Types of Attacks                                                  3
4.2.1  Host-based Attacks                                                4
4.2.2  Network-based Attacks                                             4
5      Generic Model of Intrusion Detection Process                      4
5.1    Data Sources                                                      5
5.2    Event Detection                                                   6
5.3    Analysis                                                          6
5.4    Response                                                          7
5.5    Data Storage                                                      7
6      Characteristics of Intrusion Detection                            7
6.1    Data Source                                                       8
6.1.1  Host-based                                                        8
6.1.2  Network-based                                                     9
6.2    Event Detection and Analysis Frequency                            9
6.2.1  Continuous/Near Real-Time                                         9
6.2.2  Periodically/Batch Processed                                      9
6.2.3  Initiated Only Under Special Circumstances                        9
6.3    Intrusion Detection Analysis                                      9
6.3.1  Misuse-based                                                     10
6.3.2  Anomaly-based                                                    10
6.4    Response Behavior                                                10
6.4.1  Passive                                                          10
6.4.2  Active                                                           10
7      Architecture Considerations                                      11
8      Management of an IDS                                             12
8.1    Configuration Management                                         12
8.1.1  Detection Function                                               12
8.1.2  Response Function                                                12
8.2    Security Services Management                                     12
8.3    Integration with Other Management Systems                        12
8.4    Security of Management Operations                                13
8.4.1  Authentication                                                   13
8.4.2  Integrity                                                        13
8.4.3  Confidentiality                                                  13
8.4.4  Availability                                                     13
8.5    Management Model                                                 13
9      Intrusion Detection Analysis                                     14
9.1    Signature Analysis                                               14
9.2    Statistical Approach                                             15
9.3    Expert Systems                                                   16
9.4    State-transition Analysis                                        16
9.5    Neural Networks                                                  16
9.6    User Anomalous Behavior Identification                           16
9.7    Hybrid Analysis                                                  16
9.8    Other                                                            16
10     Implementation and Deployment Issues                             17
10.1   Efficiency                                                       17
10.2   Functionality                                                    17
10.3   Personnel for IDS Deployment and Operation                       18
10.4   Other Implementation Considerations                              18
11     Intrusion Detection Issues                                       19
11.1   Intrusion Detection and Privacy                                  19
11.2   Sharing of data on intrusions                                    20
11.3   Future Standardization                                           21
12     Summary                                                          21
       Bibliography                                                     22
AUSTRALIAN STANDARD

Information technology — Security techniques — IT intrusion detection framework

1 Scope
This is a Type 3 Technical Report (TR), which defines a framework for detection of intrusions in IT
systems. Many classes of intrusions are considered. These include intrusions that are intentional or
unintentional, legal or illegal, harmful or harmless and unauthorized access by insiders or outsiders. The
TR focuses on:

• establishing common definitions for terms and concepts associated with an IT intrusion detection
framework,

• describing a generic model of intrusion detection,

• providing high-level examples of attempts to exploit system vulnerabilities,

• discussing common types of input data and the sources needed for an effective intrusion detection
capability,

• discussing different methods and combinations of methods of intrusion detection analysis,

• describing activities/actions in response to indications of intrusions.

This framework explains intrusion detection terms and concepts and describes the relationship among
them. Further, the framework addresses possible ordering of intrusion detection tasks and related
activities.

This TR provides the basis for a common understanding of intrusion detection. This material aims to
assist IT managers in deploying, within their organizations, Intrusion Detection Systems (IDS) that
interact and work together. This TR should facilitate collaboration among organizations across the
world where collaboration is desired and/or essential to counter intrusion attempts.

This framework document is not intended to cover every possible detail involved in intrusion detection,
such as detailed attack patterns, or statistical anomalies, or the many configurations that an IDS could
have.
