Next: 2.1.3.1 The knowledge base Up: 2.1 Components of an Previous: 2.1.2 The decision enforcement

  
2.1.3 The central security management service

Back in the fifties programmers already tried to create machines that showed some form of intelligence. About twenty years -- and many failures -- later, researchers moved away from the temptation to create truly intelligent machines and they started focusing on systems that reasoned with specialized rather than general knowledge, the so-called expert systems [VAN97, pp.6-26]. In order to solve a particular problem these systems use a computer representation of an expert's knowledge and try to simulate his reasoning. The expert in this case would be a security manager or security consultant and the problem a security incident.

As opposed to traditional programming languages, expert systems explicitly keep program data separated from program logic:

``The knowledge of an expert system consists of facts and heuristics. The "facts" constitute the body of information that is widely shared, publicly available, and generally agreed upon by experts in the field. The "heuristics" are mostly private, little-discussed rules of good judgment (rules of plausible reasoning, rules of good guessing) that characterize expert-level decision making in the field.'' [HAR85]
In our model, the facts are produced by a system that feeds data about the security environment to a database and the heuristics reflect security expert knowledge and are stored in a rule-base. The database and the rule-base together form the knowledge base. Heuristic reasoning is triggered by events observed by the monitor application.

We can further distinguish between expert logic and procedural logic (see table 2.1): the expert logic reflects the heuristics described above, the procedural logic is the action to be taken by the system as a result of its reasoning. Procedural logic in our model is mainly executed by the decision enforcement applications.

Table 2.1: Expert logic versus procedural logic

  expert logic                               procedural logic
  -----------------------------------------  -----------------------------
  which procedural logic to execute when     actions to invoke upon data
  IF <conditions> THEN <actions>


The heart of the reasoning system is called the inference engine. The inference engine is a program that combines and applies relevant data, facts, and rules in the knowledge base to reach a goal or to draw a conclusion based on relevant data. The inference engine dynamically identifies and executes knowledge structures to accomplish its established goals or operate on the relevant data [TRI94, p.1-20]. This means that the knowledge based system (KBS) will try to identify the data it needs to get to a specific conclusion or action (footnote 2.4). The rules in the rule base that reflect the expert knowledge tell it where to look for additional information if necessary. If the system cannot find this data in the database, it selects an appropriate monitor object to provide it with the required information. It knows which object to consult from the rule-base and a table of available functionality (see section 2.2).

A security management service can consist of several security engines, each covering a particular aspect of an organization's security requirements. The engines are ``experts'' in fields like computer security, network security or physical access control and intrusion detection. Each of the engines has access to its own private rule- and database(s). Security engines may interact with each other through a set of standard APIs.

A security management service has a security domain for which it is responsible. According to ISO terminology, the security management service would be a security authority:

``A security authority is responsible for the implementation of a security policy. A security policy is a high-level set of rules that govern security-relevant activities of one or more sets of elements (where an element might, for example, be a network component or a computer). A security policy applies within a security domain, and may also cover interactions between domains. A security domain is a set of elements governed by a given security policy administered by a single security authority for some specific security-relevant activities.'' [ISO96a] & [MIT98, p.2-6]
A security domain can be regarded as the scope of a single security policy. A security policy is also defined in ISO 7498-2 as ``the set of criteria for the provision of security services'' [MIT98, p.0-6]. A security domain is typically a set of processing and communication resources belonging to one organization [FOR94, p.14]. Not unlike security engines, security management services from different domains can interoperate and communicate through standardized interfaces. This is further discussed in paragraph 2.1.7 on page [*].

The security management service provides a shell around the engines incorporating the APIs. The APIs enable the peripheral systems to communicate with the security management service and vice versa (see the section on the AS-API, p. [*]). Based on the information it retrieves about the functions supported by the peripheral applications and devices, the management system can build a table of functions and corresponding API calls. By scanning the rule base it can build a table of functions that the rule base requires in order to provide security. By comparing the two tables it becomes clear whether any required functionality is missing. This modular approach allows for easy expansion of the security system.
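The following is an added example, not code from the thesis: a miniature security engine in the shape described by the inference-engine paragraph and the function-table paragraph above. Facts sit in a database, heuristics in a rule-base of IF <conditions> THEN <action> rules, a missing fact is fetched from a monitor object chosen from a table of available functionality, and the rule-base's requirements are compared against what the shell offers. All rule names, facts, monitors and addresses are constructed for illustration.

```python
# Added example (not the thesis's own code). All fact, rule, monitor and
# action names are constructed for illustration.

UNKNOWN = object()  # a fact neither the database nor any monitor can supply

# Rule-base (expert logic): IF all conditions hold THEN invoke the action.
RULES = [
    ({"failed_logins_over_limit": True, "source_is_internal": False}, "block_source_address"),
    ({"failed_logins_over_limit": True, "source_is_internal": True}, "notify_security_officer"),
    ({"malware_alert": True, "host_patched": False}, "quarantine_host"),
]

# Facts the event feed writes into the database before reasoning starts.
FEED_FACTS = {"source_ip", "failed_logins_over_limit", "malware_alert"}

# Table of available functionality: fact -> monitor object able to observe it
# (plain callables stand in for monitor applications reached through an API).
MONITORS = {"source_is_internal": lambda db: db["source_ip"].startswith("10.")}

# Procedural logic: action -> decision-enforcement call.
ACTIONS = {
    "block_source_address": lambda db: f"blocked {db['source_ip']}",
    "notify_security_officer": lambda db: f"notified officer about {db['source_ip']}",
}

def lookup(fact, database):
    """Return a fact from the database, consulting a monitor if it is absent."""
    if fact not in database:
        if fact not in MONITORS:
            return UNKNOWN
        database[fact] = MONITORS[fact](database)  # cache the observation
    return database[fact]

def infer(database):
    """Fire the first rule whose conditions all hold; return (action, result)."""
    for conditions, action in RULES:
        # all() stops at the first failing condition, so a monitor is only
        # consulted for a fact the reasoning actually needs.
        if all(lookup(f, database) == v for f, v in conditions.items()):
            enforce = ACTIONS.get(action)  # None if the enforcer is not wired up
            return action, enforce(database) if enforce else None
    return None, None

def missing_functionality():
    """Compare what the rule-base requires with what the shell can provide."""
    needed_facts = {f for conds, _ in RULES for f in conds}
    needed_actions = {a for _, a in RULES}
    available_facts = FEED_FACTS | set(MONITORS)
    return sorted(needed_facts - available_facts), sorted(needed_actions - set(ACTIONS))
```

Running `missing_functionality()` before deployment reports the fact and the action the third rule needs but nothing can supply; an event that only that rule could decide therefore yields no conclusion.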



Footnotes

2.4 ... action
A very interesting discussion on the use of artificial intelligence methods and heuristic reasoning in intrusion detection systems can be found in [FRA94].


(c) 1998, Filip Schepers