- Determining What Constitutes Normal System Behavior
- Why Characterization Is Important
- 1: Document and Verify Characterization Trust Assumptions
- 2: Characterize Typical Network Traffic and Performance
- 3: Characterize the Expected System Configuration and Performance
- 4: Characterize Expected Process and User Behavior
- 5: Characterize Expected File and Directory Information
- 6: Generate an Inventory of System Hardware
- 7: Recognize the Iterative Nature of Data Collection and Characterization
- 8: Protect Characterization Information, Authoritative Reference Data, and Hardware Inventory to Ensure Their Integrity
- 9: Policy Considerations
4: Characterize Expected Process and User Behavior
When a system operates, users run programs at specific times or under certain circumstances. To fully characterize that behavior, it's necessary to know who runs what programs and when those programs routinely run, and to have some notion of the resources that the programs consume. For example, if a program claiming to be the disk backup program runs at 10:00 a.m. on a weekday and consumes 28MB of virtual memory, is this normal behavior?
Document the procedure to verify that the processes executing on the organization's systems are operating only as expected and attributed only to authorized activities of users, administrators, and system functions. The type of information to capture includes process and user data described in Table 1.
Comparing previous process and user information with current information allows an administrator to determine whether any process is behaving in an unexpected or suspicious manner.