Here we list several of the more useful conditions [13] that assist in detecting and responding to intrusion and misuse and they allow more efficient utilization of security services, such as authentication, audit, and notification.
This condition specifies an authenticated access identity. If a policy does not require authenticated user identity, authentication steps can be ignored or deferred until the policy explicitly requests it. An example of a policy, which is not concerned with the identity is "anyone can read file 5#5 if $10 is paid".
This condition specifies the authentication mechanism or set of suitable mechanisms for authentication. Strong user authentication method (e.g., Kerberos [14]) can be activated in response to suspicious behavior.
This condition specifies time periods for which access is granted.
This condition specifies location of the user. Authorization is granted to the users residing on specific hosts, domains, or networks.
This condition specifies a currency and an amount that must be paid prior to accessing an object.
This condition specifies a currency and a limit. It limits the quantity of a resource that can be consumed or obtained.
This condition enables automatic generation of audit data in response to access requests. An audit record should include sufficient information to establish what event occurred and what caused the event.
This condition enables automatic generation of notification messages (alerts) in response to access requests. Specifies the receiver and the notification method.
This condition specifies allowable threshold.
This condition specifies the system threat level.
Failure of some of these conditions may signal suspicious behavior. For example, access is requested at unexpected times or unusual locations, violations of user quotas, repeated failure of access attempts and exceeding a threshold. Some conditions can trigger defensive measures in response to perceived system threat level. For example, impose a limit on resource consumption, advanced payment for the allocated resources or increased auditing. In the case of insider misuse (particularly if the intruder's identity has been established) it may be appropriate to let the attacks continue under special conditions. For example, it may be desirable to initiate data collection mechanisms to gather detailed information about user activities that could serve as evidence for possible prosecutions.
The combination of conditions of different types can be used to fine tune audit and notification services. The audit detail and number of alarms should be sensitive to the system threat profile. For example, low system threat level should result in reduced alarm level and amount of generated audit data. It should also depend on the sensitivity of the requested operation and target object.