Reducing system call logs with selective auditing

Paper in proceeding, 2005

Event auditing today is a resource consuming process. Rapidly increasing performance of hardware results in event production at a faster rate. Complex software, multiprogramming and extensive connectivity between software components makes it both difficult and resource demanding to discriminate between malicious and benign system events. Thus, an exhaustive auditing approach is not feasible and there is need for a more efficient solution. We propose a method called selective auditing, where only a specific subset of system events are recorded. This will significantly reduce the required amount of auditing and will produce smaller audit logs of higher quality. We illustrate the benefits of the selective auditing method by executing four buffer overflow attacks and show that the logs generated by selective auditing are significantly reduced in size while still giving the same detection rate.