Reducing system call logs with selective auditing
Paper in proceedings, 2005

Event auditing today is a resource-consuming process. The rapidly increasing performance of hardware results in events being produced at a faster rate. Complex software, multiprogramming and extensive connectivity between software components make it both difficult and resource-demanding to discriminate between malicious and benign system events. Thus, an exhaustive auditing approach is not feasible, and there is a need for a more efficient solution. We propose a method called selective auditing, where only a specific subset of system events is recorded. This significantly reduces the required amount of auditing and produces smaller audit logs of higher quality. We illustrate the benefits of the selective auditing method by executing four buffer overflow attacks and show that the logs generated by selective auditing are significantly reduced in size while still giving the same detection rate.

system calls

Intrusion detection

data reduction

auditing

Author

Ulf Larson

Chalmers, Computer Science and Engineering (Chalmers), Computer Engineering (Chalmers)

Erland Jonsson

Chalmers, Computer Science and Engineering (Chalmers), Computer Engineering (Chalmers)

Nordic Workshop on Secure IT Systems (NordSec)

122-131
9949-11-153-6 (ISBN)

Subject Categories

Computer Engineering

ISBN

9949-11-153-6

More information

Created

10/6/2017