Author institution:
Institute of Computer Application Technology, HangZhou Dianzi University, 310018, China
Abstract:
The traditional technique for securing audit logs is encryption, but encrypted logs are difficult to search selectively and to verify. In this paper, a searchable secure audit alert log scheme for IDS is proposed. A hash chain combined with encryption provides forward security: if an attacker captures the IDS host, the attacker cannot read, undetectably modify, or destroy the log entries generated before the logging machine's compromise. Moreover, the characteristics of IDS alert log entries are used to build secure indexes. With these indexes, the searcher and verifier can search and verify log entries by record number, time stamp, source IP address, destination IP address, and alert type.
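As an added illustration of the two ideas in the abstract (it is not the paper's construction, whose cipher and index format are not given here), the sketch below evolves a per-entry key by one-way hashing so that captured state cannot unlock earlier entries, MAC-chains each entry to its predecessor, and attaches HMAC tags over the five searchable alert fields so a verifier holding the initial key can match entries without decrypting the whole log. The SHA-256 key update, HMAC-based tags, the stream cipher built from SHA-256 and the sample alerts are all constructed assumptions.

```python
import hashlib, hmac, json

FIELDS = ("record", "time", "src_ip", "dst_ip", "type")  # searchable IDS alert fields
def _kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def evolve(key: bytes) -> bytes:
    # One-way key update K_{i+1} = H(K_i); the logger erases K_i afterwards, so a
    # captured K_{i+1} cannot be walked back to decrypt or re-MAC earlier entries.
    return hashlib.sha256(key).digest()

def _xor(data: bytes, key: bytes) -> bytes:
    # Constructed stream cipher for illustration: keystream blocks from the per-entry key.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def append_entry(log: list, key: bytes, alert: dict) -> bytes:
    """Encrypt, index and chain one alert under K_i; returns K_{i+1} for the next entry."""
    enc_k, mac_k, idx_k = _kdf(key, b"enc"), _kdf(key, b"mac"), _kdf(key, b"idx")
    ct = _xor(json.dumps(alert, sort_keys=True).encode(), enc_k)
    tags = [_kdf(idx_k, f"{f}={alert[f]}".encode()) for f in FIELDS]  # per-field index
    prev = log[-1]["mac"] if log else b""
    mac = hmac.new(mac_k, prev + ct + b"".join(tags), hashlib.sha256).digest()  # chain
    log.append({"ct": ct, "tags": tags, "mac": mac})
    return evolve(key)

def verify_and_search(log: list, k0: bytes, field: str, value: str) -> list:
    """Trusted verifier holding K0 replays the key chain, checks every MAC, returns matches."""
    key, prev, hits = k0, b"", []
    for entry in log:
        enc_k, mac_k, idx_k = _kdf(key, b"enc"), _kdf(key, b"mac"), _kdf(key, b"idx")
        body = prev + entry["ct"] + b"".join(entry["tags"])
        if not hmac.compare_digest(hmac.new(mac_k, body, hashlib.sha256).digest(), entry["mac"]):
            raise ValueError("log chain broken or entry modified")
        if _kdf(idx_k, f"{field}={value}".encode()) in entry["tags"]:  # match without decrypting
            hits.append(json.loads(_xor(entry["ct"], enc_k)))
        key, prev = evolve(key), entry["mac"]
    return hits

def demo() -> tuple:
    # Constructed sample alerts and secret; three entries, two from the same source IP.
    k0 = hashlib.sha256(b"constructed demo secret").digest()
    alerts = [{"record": n, "time": f"2024-01-01T10:0{n}:00", "src_ip": ip, "dst_ip": "10.0.0.9", "type": t}
              for n, ip, t in ((1, "10.0.0.5", "portscan"), (2, "10.0.0.7", "bruteforce"), (3, "10.0.0.5", "portscan"))]
    log, key = [], k0
    for a in alerts:
        key = append_entry(log, key, a)
    return log, k0
```

Any modification of an entry or its tags invalidates that entry's MAC, and because the MAC key for an earlier entry was erased after use, the attacker cannot recompute it from the current key.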