On Adapting Data Collection to Intrusion Detection

Doctoral thesis, 2009

Intrusion detection systems (IDSs) are capable of detecting both suspicious insider activity and attacks from external penetrators. They can also detect both known and previously unknown attacks. These capabilities make them valuable assets in the protection of computer systems and networks. The work in this thesis focuses on intrusion detection and in particular on data collection for intrusion detection. Data collection is the first, and possibly most important, activity in the overall intrusion detection process, and the result of the detection process can never be better than the data on which the detection is based. However, intrusion detection tends to consume large resources in terms of computing power and data storage. It is thus highly desirable to reduce the amount of data collected as much as possible while still keeping the data that are necessary for detecting attacks, the so-called attack manifestations. My objective has been to develop techniques that assist in this process. Thus, I have developed an attack analysis tool that automatically extracts log elements generated by attacks and a decision support system that provides suitable configurations for data collection mechanisms. By using these tools, I demonstrate that only few of the events in log files are generated by attacks and that, by properly selecting events that will be collected, it is possible to achieve a significant reduction in log file sizes while still keeping the manifestations. In the thesis, I also study how data collection and intrusion detection can be adapted to road vehicles. Road vehicles are becoming increasingly connected to external, possibly untrusted networks, and a security analysis of modern road vehicles reveals that they are vulnerable to digital attacks. I have therefore suggested techniques for how data collection and intrusion detection can be used to assist forensic investigations that involve such attacks. Taken together, the observations in the thesis emphazises aspects of adapting data collection to intrusion detection, in particular how it can be used to reduce the amount of data collected, and how it can be used to assist investigation of digital crime against road vehicles.