On Adapting Data Collection to Intrusion Detection
Doktorsavhandling, 2009

Intrusion detection systems (IDSs) are capable of detecting both suspicious insider activity and attacks from external penetrators. They can also detect both known and previously unknown attacks. These capabilities make them valuable assets in the protection of computer systems and networks. The work in this thesis focuses on intrusion detection and in particular on data collection for intrusion detection. Data collection is the first, and possibly most important, activity in the overall intrusion detection process, and the result of the detection process can never be better than the data on which the detection is based. However, intrusion detection tends to consume large resources in terms of computing power and data storage. It is thus highly desirable to reduce the amount of data collected as much as possible while still keeping the data that are necessary for detecting attacks, the so-called attack manifestations. My objective has been to develop techniques that assist in this process. Thus, I have developed an attack analysis tool that automatically extracts log elements generated by attacks and a decision support system that provides suitable configurations for data collection mechanisms. By using these tools, I demonstrate that only few of the events in log files are generated by attacks and that, by properly selecting events that will be collected, it is possible to achieve a significant reduction in log file sizes while still keeping the manifestations. In the thesis, I also study how data collection and intrusion detection can be adapted to road vehicles. Road vehicles are becoming increasingly connected to external, possibly untrusted networks, and a security analysis of modern road vehicles reveals that they are vulnerable to digital attacks. I have therefore suggested techniques for how data collection and intrusion detection can be used to assist forensic investigations that involve such attacks. Taken together, the observations in the thesis emphazises aspects of adapting data collection to intrusion detection, in particular how it can be used to reduce the amount of data collected, and how it can be used to assist investigation of digital crime against road vehicles.

attack manifestation

data reduction

in-vehicle network

attack analysis


intrusion detection

computer security

data collection

forensic investigation

HC2, Hörsalsvägen, Chalmers University of Technology
Opponent: Prof. Felix Wu, Department of Computer Science, UC Davis, CA, USA


Ulf Larson

Chalmers, Data- och informationsteknik, Nätverk och system

Decision Support for Intrusion Detection Data Collection

Proceedings of the 13th Nordic Workshop on Secure IT-systems (NordSec 2008), October 9-10, 2008, Copenhagen, Denmark,; (2008)

Paper i proceeding

Conducting Forensic Investigations of Cyber Attacks on Automobile In-Vehicle Networks

International Journal of Digital Crime and Forensics,; Vol. 1(2009)p. 28-41

Artikel i vetenskaplig tidskrift

Combining Physical and Digital Evidence in Vehicle Environments

3rd International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2008; Berkeley, CA; United States; 22 May 2008 through 22 May 2008,; (2008)p. 10-14

Paper i proceeding

Reducing system call logs with selective auditing

Nordic Workshop on Secure IT Systems (NordSec),; (2005)p. 122-131

Paper i proceeding

METAL - A tool for extracting attack manifestations

Detection of Intrusions and Malware, and Vulnerability Assessment, Second International Conference, DIMVA 2005,; (2005)p. 85-102

Paper i proceeding

A General Model and Guidelines for Attack Manifestation Generation

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics),; Vol. 5141(2007)p. 274-286

Paper i proceeding

An Approach to Specification-based Attack Detection for In-Vehicle Networks

Proceedings of the IEEE Intelligent Vehicles Symposium, June 4-6, 2008, Eindhoven, The Netherlands,; (2008)

Artikel i vetenskaplig tidskrift





Technical report D - Department of Computer Science and Engineering, Chalmers University of Technology and Göteborg University: 58D

Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 2916

HC2, Hörsalsvägen, Chalmers University of Technology

Opponent: Prof. Felix Wu, Department of Computer Science, UC Davis, CA, USA

Mer information