An intrusion detection-centric taxonomy and survey of data log mechanisms

Journal article, 2006

The quality of log data is vital to the intrusion detection process. At the same time, it is very much affected by the capturing mechanism. Despite this, little research on the log mechanism itself is found in intrusion detection literature. With a few exceptions, log data discussions are reduced to a discussion concerning what type of data, e.g. host or network, is used as input to the detection system. This paper discusses the properties of the log mechanisms or intrusion detection input data. A detailed survey is made, where 44 log mechanisms are investigated. An extensive appendix provides both detailed information about each mechanism and references to the source of information for the mechanism. A taxonomy of log mechanism properties is produced. The taxonomy is used for classifying the 44 log mechanisms surveyed. The taxonomy and classification provide a useful overview of which mechanisms can be used when certain intrusion detection input data is needed. It will also indicate where little work has been done and where it is useful to direct future research. From observations of the classification we have identified a set of desirable properties for future log mechanisms. We have concluded that a useful log mechanism should be able to log multiple log data types, be dynamically configurable during runtime and be able to insert log triggering at arbitrary locations and with arbitrary granularity.