METAL - A tool for extracting attack manifestations
Paper in proceedings, 2005

As manual analysis of attacks is time consuming and requires expertise, we developed a partly automated tool for extracting manifestations of intrusive behaviour from audit records, METAL (Manifestation Extraction Tool for Analysis of Logs). The tool extracts changes in audit data that are caused by an attack. The changes are determined by comparing data generated during normal operation to data generated during a successful attack. METAL identifies all processes that may be affected by the attack and the specific system call sequences, arguments and return values that are changed by the attack and makes it possible to analyse many attacks in a reasonable amount of time. Thus it is quicker and easier to find groups of attacks with similar properties and the automation of the process makes attack analysis considerably easier. We tested the tool in analyses of five different attacks and found that it works well, is considerably less time consuming and gives a better overview of the attacks than manual analysis.

Automated attack analysis

log data

system calls

intrusion detection

Author

Ulf Larson

Chalmers, Computer Science and Engineering (Chalmers), Computer Engineering (Chalmers)

Emilie Lundin Barse

Chalmers, Computer Science and Engineering (Chalmers), Computer Engineering (Chalmers)

Erland Jonsson

Chalmers, Computer Science and Engineering (Chalmers), Computer Engineering (Chalmers)

Detection of Intrusions and Malware, and Vulnerability Assessment, Second International Conference, DIMVA 2005

85-102
3-540-26613-5 (ISBN)

Subject Categories

Computer Engineering

ISBN

3-540-26613-5

More information

Created

10/6/2017