DocumentCode
2274169
Title
Extracting attack manifestations to determine log data requirements for intrusion detection
Author
Barse, Emilie Lundin ; Jonsson, Erland
Author_Institution
Dept. of Comput. Eng., Chalmers Univ. of Technol., Goteborg, Sweden
fYear
2004
fDate
6-10 Dec. 2004
Firstpage
158
Lastpage
167
Abstract
Log data adapted for intrusion detection is a little explored research issue despite its importance for successful and efficient detection of attacks and intrusions. This paper presents a starting point in the search for suitable log data by providing a framework for determining exactly which log data can reveal a specific attack, i.e. the attack manifestations. An attack manifestation consists of the log entries added, changed or removed by the attack compared to normal behaviour. We demonstrate the use of the framework by studying attacks in different types of log data. This work provides a foundation for a fully automated attack analysis. It also provides some pointers for how to define a collection of log elements that are both sufficient and necessary for detection of a specific group of attacks. We believe that this leads to a log data source that is especially adapted for intrusion detection purposes.
Keywords
computer networks; security of data; statistical analysis; attack manifestation; intrusion detection; log data requirements; Application software; Computer networks; Computer security; Data engineering; Data mining; Guidelines; Intrusion detection; Packaging; Telecommunication traffic; Intrusion detection; attack manifestations; data collection; log data;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Security Applications Conference, 2004. 20th Annual
ISSN
1063-9527
Print_ISBN
0-7695-2252-1
Type
conf
DOI
10.1109/CSAC.2004.20
Filename
1377226