A model of security monitoring

Abstract

A formal model of security monitoring that distinguishes two different methods of recording information (logging) and two different methods of analyzing information (auditing) is presented. From this model, implications for the design and use of security monitoring mechanisms are drawn. The model is then applied to security mechanisms for statistical databases, monitoring mechanisms for computer systems, and backups, in order to demonstrate its usefulness. It is concluded that the proposed model of logging and auditing is comprehensive enough to encompass very different schemes used in a variety of contexts. For example. Statistical database query control and file access monitoring systems do not seem to be related, and yet they create closely related security problems, and the mechanisms designed to improve the security of one will also improve the security of the other.<>