4: Characterize Expected Process and User Behavior

When a system operates, users run programs at specific times or under certain circumstances. To fully characterize that behavior, it's necessary to know who runs what programs and when those programs routinely run, and to have some notion of the resources that the programs consume. For example, if a program claiming to be the disk backup program runs at 10:00 a.m. on a weekday and consumes 28MB of virtual memory, is this normal behavior?

Document the procedure to verify that the processes executing on the organization's systems are operating only as expected and attributed only to authorized activities of users, administrators, and system functions. The type of information to capture includes process and user data described in Table 1.

Some products are emerging that begin to provide this information. Examples include Emerald from SRI and Nabou. These tools can help an administrator understand more about process behavior.

Comparing previous process and user information with current information allows an administrator to determine whether any process is behaving in an unexpected or suspicious manner.
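The baseline-versus-current comparison described above, as an added example that is not code from the article or from the Emerald or Nabou tools. The observations are constructed sample data, and the program paths, the 02:00 backup window and the 25% virtual-memory tolerance are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcObs:
    """One observation of a running process (constructed sample data)."""
    user: str
    program: str
    hour: int       # hour of day, 0-23
    weekday: bool   # True for Monday-Friday
    vsz_mb: int     # virtual memory in MB

def build_baseline(observations):
    """Per (user, program): the (hour, weekday) slots seen and the peak vsz."""
    baseline = {}
    for o in observations:
        entry = baseline.setdefault((o.user, o.program), {"slots": set(), "peak_mb": 0})
        entry["slots"].add((o.hour, o.weekday))
        entry["peak_mb"] = max(entry["peak_mb"], o.vsz_mb)
    return baseline

def check(baseline, current, tolerance=1.25):
    """Return (user, program, reason) for each deviation from the baseline."""
    findings = []
    for o in current:
        entry = baseline.get((o.user, o.program))
        if entry is None:
            findings.append((o.user, o.program, "no baseline for this user/program"))
            continue
        if (o.hour, o.weekday) not in entry["slots"]:
            findings.append((o.user, o.program, f"unexpected time {o.hour:02d}:00"))
        if o.vsz_mb > entry["peak_mb"] * tolerance:  # assumed 25% tolerance
            findings.append((o.user, o.program,
                             f"vsz {o.vsz_mb}MB above baseline peak {entry['peak_mb']}MB"))
    return findings

# Constructed baseline: the backup runs at 02:00 on weekdays using about 20MB,
# and cron runs as root during the day using 2MB.
BASELINE = [ProcObs("backup", "/usr/sbin/dump", 2, True, 19),
            ProcObs("backup", "/usr/sbin/dump", 2, True, 20),
            ProcObs("root", "/usr/sbin/cron", 10, True, 2)]

# Constructed current snapshot: the article's question (a "backup" at 10:00 on a
# weekday using 28MB) plus a program with no history at all.
CURRENT = [ProcObs("backup", "/usr/sbin/dump", 10, True, 28),
           ProcObs("root", "/usr/sbin/cron", 10, True, 2),
           ProcObs("www", "/tmp/.x", 10, True, 5)]

def run_example():
    return check(build_baseline(BASELINE), CURRENT)

if __name__ == "__main__":
    for user, prog, reason in run_example():
        print(f"{user} {prog}: {reason}")
```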
