A Comparison of Alternative Audit Sources for Web Server Attack Detection
Paper in proceedings, 2007
Most intrusion detection systems available today are using
a single audit source for detecting all attacks, even
though attacks have distinct manifestations in different
parts of the system. In this paper we carry out a theoretical investigation of the role of the audit source for the detection capability of the intrusion detection system (IDS). Concentrating on web server attacks, we examine the attack manifestations available to intrusion
detection systems at different abstraction layers, including
a network-based IDS, an application-based IDS, and
finally a host-based IDS.
Our findings include that attacks indeed have different
manifestations depending on the audit source used. Some
audit sources may lack any manifestation for certain attacks, and, in other cases contain only events that are indirectly connected to the attack in question. This, in turn, affects the reliability of the attack detection if the intrusion detection system uses only a single audit source for collecting security-relevant events. Hence, we conclude that using a multisource detection model increases the probability of detecting a range of attacks directed toward the web server. We also note that this model should account for the detection quality of each attack / audit stream to be able to rank alerts.
Keywords: intrusion detection, attack manifestations