3.3 Security audit analysis (FAU_SAA)

Family behaviour

This family defines requirements for automated means that analyse system activity and audit data looking for possible or real security violations. This analysis may work in support of intrusion detection, or automatic response to an imminent security violation.

The actions to be taken based on the detection can be specified using the FAU_ARP family as desired.

Component levelling

In FAU_SAA.1 Potential violation analysis, basic threshold detection on the basis of a fixed rule set is required.

In FAU_SAA.2 Profile based anomaly detection, the TSF maintains individual profiles of system usage, where a profile represents the historical patterns of usage performed by members of the profile target group. A profile target group refers to a group of one or more individuals (e.g. a single user, users who share a group ID or group account, users who operate under an assigned role, users of an entire system or network node) who interact with the TSF. Each member of a profile target group is assigned an individual suspicion rating that represents how well that member's current activity corresponds to the established patterns of usage represented in the profile. This analysis can be performed at runtime or during a post-collection batch-mode analysis.

In FAU_SAA.3 Simple attack heuristics, the TSF shall be able to detect the occurrence of signature events that represent a significant threat to TSP enforcement. This search for signature events may occur in real-time or during a post-collection batch-mode analysis.

In FAU_SAA.4 Complex attack heuristics, the TSF shall be able to represent and detect multi-step intrusion scenarios. The TSF is able to compare system events (possibly performed by multiple individuals) against event sequences known to represent entire intrusion scenarios. The TSF shall be able to indicate when a signature event or event sequence is found that indicates a potential violation of the TSP.

Management: FAU_SAA.1

The following actions could be considered for the management functions in FMT:

a)    maintenance of the rules (addition, modification, deletion of rules in the set of rules).

Management: FAU_SAA.2

The following actions could be considered for the management functions in FMT:

a)    maintenance (deletion, modification, addition) of the group of users in the profile target group.

Management: FAU_SAA.3

The following actions could be considered for the management functions in FMT:

a)    maintenance (deletion, modification, addition) of the subset of system events.

Management: FAU_SAA.4

The following actions could be considered for the management functions in FMT:

a)    maintenance (deletion, modification, addition) of the subset of system events;

b)    maintenance (deletion, modification, addition) of the set of sequences of system events.

Audit: FAU_SAA.1, FAU_SAA.2, FAU_SAA.3, FAU_SAA.4

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

a)    Minimal: Enabling and disabling of any of the analysis mechanisms;

b)    Minimal: Automated responses performed by the tool.
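The four component levels above (fixed-rule threshold detection, profile-based suspicion ratings, single signature events, and multi-step event sequences) and the audit requirement that enabling or disabling an analysis mechanism be recorded can be seen together in a small analyser. The following is an added illustration, not text or code from the Common Criteria; the audit record layout, the rule set, the historical profile, the signature and sequence definitions, the 0.25 rating cut-off and the sample audit trail are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample audit trail: (sequence number, user, event type, outcome).
SAMPLE_AUDIT = [
    (1, "alice", "login", "fail"),
    (2, "alice", "login", "fail"),
    (3, "alice", "login", "fail"),
    (4, "alice", "login", "ok"),
    (5, "alice", "read_file", "ok"),
    (6, "bob", "login", "ok"),
    (7, "bob", "priv_escalate", "ok"),
    (8, "bob", "audit_disable", "ok"),
    (9, "bob", "read_file", "ok"),
    (10, "carol", "login", "ok"),
    (11, "carol", "read_file", "ok"),
    (12, "carol", "read_file", "ok"),
]

# FAU_SAA.1: constructed fixed rule set, a per-user count threshold on an event type.
THRESHOLD_RULES = [{"event": "login", "outcome": "fail", "threshold": 3}]
# FAU_SAA.2: constructed historical profile for one profile target group (all users):
# the event types its members have been observed to perform.
HISTORICAL_PROFILE = {"login", "read_file"}
# FAU_SAA.3 / FAU_SAA.4: constructed signature events and a multi-step scenario.
SIGNATURE_EVENTS = {"audit_disable"}
ATTACK_SEQUENCES = [("priv_escalate", "audit_disable")]


def threshold_analysis(records, rules):
    """FAU_SAA.1: count matching events per user; alert once a fixed threshold is reached."""
    alerts = []
    for rule in rules:
        counts = Counter(user for _, user, ev, out in records
                         if ev == rule["event"] and out == rule["outcome"])
        for user, n in counts.items():
            if n >= rule["threshold"]:
                alerts.append((user, rule["event"], n))
    return alerts


def suspicion_ratings(records, profile):
    """FAU_SAA.2: per-member rating = share of current activity outside the profile."""
    per_user = defaultdict(list)
    for _, user, ev, _ in records:
        per_user[user].append(ev)
    return {user: sum(ev not in profile for ev in evs) / len(evs)
            for user, evs in per_user.items()}


def signature_analysis(records, signatures):
    """FAU_SAA.3: flag single events known to represent a significant threat."""
    return [(seq, user, ev) for seq, user, ev, _ in records if ev in signatures]


def sequence_analysis(records, sequences):
    """FAU_SAA.4: find an ordered (not necessarily contiguous) event sequence in the
    stream, whichever users performed the individual steps."""
    hits = []
    for scenario in sequences:
        step, matched = 0, []
        for seq, user, ev, _ in records:
            if ev == scenario[step]:
                matched.append((seq, user))
                step += 1
                if step == len(scenario):
                    hits.append((scenario, tuple(matched)))
                    step, matched = 0, []
    return hits


class AuditAnalyser:
    """Runs the enabled mechanisms; enabling or disabling one is itself audited."""
    MECHANISMS = ("threshold", "profile", "signature", "sequence")

    def __init__(self):
        self.enabled = {m: True for m in self.MECHANISMS}
        self.audit_trail = []  # records the FAU_SAA auditable actions

    def set_mechanism(self, name, on):
        self.enabled[name] = on
        self.audit_trail.append(("analysis_mechanism", name, "enabled" if on else "disabled"))

    def analyse(self, records):
        result = {}
        if self.enabled["threshold"]:
            result["threshold"] = threshold_analysis(records, THRESHOLD_RULES)
        if self.enabled["profile"]:
            ratings = suspicion_ratings(records, HISTORICAL_PROFILE)
            result["profile"] = [u for u, r in ratings.items() if r > 0.25]
        if self.enabled["signature"]:
            result["signature"] = signature_analysis(records, SIGNATURE_EVENTS)
        if self.enabled["sequence"]:
            result["sequence"] = sequence_analysis(records, ATTACK_SEQUENCES)
        # Any automated response (FAU_ARP) would be triggered here and audited likewise.
        for mech, findings in result.items():
            if findings:
                self.audit_trail.append(("analysis_alert", mech, len(findings)))
        return result


if __name__ == "__main__":
    engine = AuditAnalyser()
    for mech, findings in engine.analyse(SAMPLE_AUDIT).items():
        print(f"{mech:10s} {findings}")
    engine.set_mechanism("profile", False)
    print(engine.audit_trail)
```

On the constructed trail the threshold rule fires for alice's three failed logins, bob's suspicion rating is 0.5 because half of his activity falls outside the group's profile, the audit_disable event matches the signature set, and the two-step scenario is matched across records 7 and 8. The sequence matcher deliberately does not key on user, reflecting FAU_SAA.4's note that the steps of a scenario may be performed by multiple individuals.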