Computer Security Threat Monitoring and Surveillance

Inclusion of the actual standard deviation values and the mean plus
or minus 2.58 times the standard deviation of each of the major
parameters was to simplify the computation and to make the program
run a little faster. It is certainly feasible to compute this
data each time it is required; however, with the large number of
records, the computation time becomes excessive, and the value of
storing it in the record itself becomes a little more apparent.
The accounting data available in the model system does not show
the number of read and write operations to each data set that is
referred to in the file data set list. If this data were available,
the totals, the standard deviations, and the sum of squares information
could be augmented by this data to provide a finer grain of detail in
the audit history record. It would then be possible to make an
exception report for and of those items that exceeded the bounds
around the mean for each file rather than treating them in aggregate
as shown in this particular format.
5.2 Other Surveillance Tools
It is understood that the customer's SMF data is kept on-line for one
day and then written out to tape(s) for longer-term storage. In addi­
tion to the standard exception reporting program outlined in this paper,
it must be possible for the security officer to look at the detail records
associated with a particular user, a particular terminal, a particular
job, or a particular file, in order to produce in detail the time
sequence of operations actually performed during the job or session.
It is not suggested that detailed time sequences of operation be performed
for every user at all times; rather, it has been found necessary in order
to in greater detail what is going on, to be able to examine the individual