What Are the Goals of Access Control System Monitoring and Reporting?

Simply having an access control system is not enough to secure sensitive information and resources. Those access control systems must be continuously monitored to ensure they are working properly and that no unauthorized user has been granted access. Access control reporting can take the form of real-time alerts sent to systems administrators notifying them of a breach in progress or after-the-fact tabulations of access control activity over a period of time.

There are several primary goals achieved through monitoring and reporting on an access control system:

  • Accuracy: To be useful, a monitoring system must have a high level of accuracy. Authorized users must be granted access reliably, and unauthorized users must be denied access. Unfortunately, no system is 100% accurate; every system will produce some rate of both false positives and false negatives. False positives occur when a system labels normal activity as anomalous. False negatives occur when a system overlooks anomalous activity.
  • Variety: A monitoring system must be able to detect many types of suspicious activity.
  • Timeliness: The system must report suspicious activity quickly enough for systems administrators to cut off an attack in progress.
  • Ease of use: The system’s reporting facility must create reports that are easy to read and understand.

An intrusion detection system (IDS) is a hardware- or software-based solution that monitors network traffic, looking for signs of a security breach. Intrusion detection systems are based on several models of anomalous behavior:

  • Anomaly detection: Anomaly detection operates on two core principles: What is known is good, and what is unusual is bad. Therefore, any activity that is unknown must be reported as suspicious. Early anomaly detection systems were based on statistical models of system behavior. Any activity that fell outside of a standard deviation from that model was considered anomalous. Later, models were proposed that were based on logic-based descriptions of system behavior. Modern anomaly detection applications use a hybrid approach to compute an anomaly score. Any activity that generates a score higher than a predetermined acceptable level is flagged. An IDS based on anomaly detection requires a period of training to create a baseline of normal system behavior.
  • Misuse detection: This model operates on a simple premise: What is bad is known. This type of IDS compares activity with a blacklist of known suspicious events. This type of intrusion detection has the benefit of being useful immediately upon installation. A misuse detection IDS includes a large database of known attack signatures. The system compares system activity with these attack signatures and triggers an alert on a matching event.
  • Specification detection: This model is similar to misuse detection, except that it operates on a whitelist principle instead of a blacklist. The whitelist principle is: we know what is good, and anything that is not known to be good is bad. Any behavior that does not correspond to predefined specifications must be considered suspicious. A specification detection system describes the range of normal system and application behaviors and triggers an alert on any activity that does not fall within those ranges.

The major difference between specification detection and anomaly detection lies in how each system knows what normal behavior is. An anomaly detection system observes system behavior over a period of time and then uses statistical and logical models to create a baseline. A specification detection IDS uses a behavior modeling language to describe what activities and behaviors developers and systems administrators expect under normal circumstances.
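As an added example that is not part of the original text, the following Python sketches the three detection models over a handful of constructed access-control events (user names, resources, hours and the attack labels are all invented) and scores each model's false positives and false negatives against those labels, which shows concretely why no single model is 100% accurate.

```python
import statistics

# Constructed training period: hour of day of each user's past logins, used to
# build the anomaly-detection baseline (names and values are made up).
TRAINING = {
    "alice": [9, 9, 10, 8, 9, 10, 9, 11, 9, 10],
    "bob": [13, 14, 14, 15, 13, 14, 15, 14, 13, 14],
}
# Constructed events to monitor: (user, action, resource, hour, is_attack).
# is_attack is ground truth, used only to score each model afterwards.
EVENTS = [
    ("alice", "read", "/hr/payroll", 9, False),
    ("alice", "read", "/hr/payroll", 3, True),    # permitted action, odd hour
    ("bob", "read", "/eng/designs", 14, False),
    ("bob", "delete", "/hr/payroll", 14, True),   # known-bad action on HR data
    ("mallory", "login_failed", "/", 14, True),   # unknown user, failed login
    ("alice", "read", "/hr/payroll", 12, False),  # legitimate, later than usual
]
# Misuse detection: blacklist of (action, resource prefix) attack signatures.
SIGNATURES = [("login_failed", "/"), ("delete", "/hr/")]
# Specification detection: whitelist of expected (user, action, resource) triples.
SPEC = {("alice", "read", "/hr/payroll"), ("bob", "read", "/eng/designs")}

def anomaly_detect(event, threshold=3.0):
    """Anomaly model: an unknown user, or an hour more than `threshold` standard
    deviations from the user's trained baseline mean, is suspicious."""
    user, _, _, hour, _ = event
    history = TRAINING.get(user)
    if not history:
        return True                      # unknown activity is reported as suspicious
    mean, sd = statistics.mean(history), statistics.pstdev(history)
    if sd == 0:
        return hour != mean
    return abs(hour - mean) / sd > threshold

def misuse_detect(event):
    """Misuse model: flag any event that matches a blacklisted signature."""
    _, action, resource, _, _ = event
    return any(action == a and resource.startswith(p) for a, p in SIGNATURES)

def spec_detect(event):
    """Specification model: flag any event that is not on the whitelist."""
    user, action, resource, _, _ = event
    return (user, action, resource) not in SPEC

def evaluate(detector, events=EVENTS):
    """Return (false positives, false negatives) for a detector over events."""
    fp = sum(1 for e in events if detector(e) and not e[4])
    fn = sum(1 for e in events if not detector(e) and e[4])
    return fp, fn
```

Run `evaluate` on each detector: the anomaly model catches the 3 a.m. read and the unknown user but misses the known-bad delete and mis-flags the legitimate noon read, while the misuse and specification models catch the delete and the failed login but have no notion of time and so miss the 3 a.m. read.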
