Aspects of Adapting Data Collection to Intrusion Detection
Licentiatavhandling, 2006

The focus of this thesis is on data collection, and in particular data collection for intrusion detection purposes. Data collection is the first, and possibly the most important, activity in the overall intrusion detection process: the result of the detection can never be better than the data on which the detection is based. One of the main problems in this respect is that the amount of data is too large to be readily processed, so significant data reduction is needed early in the detection process. Consequently, I have developed the Manifestation Extraction Tool for Analysis of Logs (METAL). METAL extracts useful log items, called manifestations, from collected data while discarding redundant log items. Identifying the manifestations of a specific attack is fundamental, as the manifestations hold the information needed to detect the attack. The operation of the METAL tool is based on differential analysis between log data captured during attack activity and log data from the corresponding normal activity. The tool not only provides a set of manifestations but also achieves a significant reduction in data. In an experiment with buffer overflow attacks and data from system call logs, a data reduction rate of 95% was achieved. The thesis also studies the relationship between the characteristics of data collection mechanisms and log data, i.e. which types of data can be logged by a specific mechanism. This in turn provides information on which attacks can be detected using data from a certain mechanism. The result is presented in the form of a taxonomy and a classification of a number of data collection mechanisms.

Keywords: data collection, data reduction, intrusion detection, manifestation extraction, log analysis

13.15, ES 51, Hörsalsvägen 11, Chalmers University of Technology
Opponent: Dr. Andreas Wespi, IBM Zurich Research Laboratory, Zürich, Switzerland

Author

Ulf Larson

Chalmers, Computer Science and Engineering, Computer Engineering

METAL - A tool for extracting attack manifestations

Detection of Intrusions and Malware, and Vulnerability Assessment, Second International Conference, DIMVA 2005 (2005), pp. 85-102

Paper in proceedings

Reducing system call logs with selective auditing

Nordic Workshop on Secure IT Systems (NordSec) (2005), pp. 122-131

Paper in proceedings

Subject categories

Computer Engineering

Technical report L - Department of Computer Science and Engineering, Chalmers University of Technology and Göteborg University: 25
