Title of invention: Security policy enforcement systems
Abstract: Detection policies must be viewed as delicate and valuable assets in a system. Given knowledge of the detection policy, an intruder would potentially know how to penetrate the target systems and how to circumvent a Security Policy Enforcement System to avoid detection of his actions. The policies need to be protected from reverse engineering in order to be useful in the context of secure policies (i.e. to prevent disclosure of the detection policy). This invention addresses the problem of protecting the detection policy in a Security Policy Enforcement System against disclosure to unauthorized persons. The invention protects a detection policy by utilising an irreversible transform function, such as a one-way function or a public/secret encryption scheme, to transform the states of a Security Policy Enforcement System finite-state machine. The Security Policy Enforcement System executes/operates these transformed states and state transitions, which means that it is impossible to study its function by use of so-called reverse engineering. The input data to the Security Policy Enforcement System will control the execution path of state transitions to an end-state/access-state. In the end-state, the Security Policy Enforcement System will generate a response indicating whether or not the detection policy has been violated. The invention relates to a security device, to a method for creating a Security Policy Enforcement System performing classification of input events in accordance with a predefined rule-base of detection policy elements, to a method for intrusion detection in a computer and information system having a Security Policy Enforcement System and to computer program products for implementing said methods.
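Publication number: EP1378813(B1)  Publication date: 2008.02.13
Application number: EP20030445083  Filing date: 2003.06.30
Applicant: TELIASONERA AB  Inventors: KVARNSTROEM, HAKAN; HEDBOM, HANS
Classification: G06F1/00; G06F21/55  Main classification: G06F1/00
Agency:  Agent:
Main claim:
Address: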