METAL - A Tool for Extracting Attack Manifestations

As manual analysis of attacks is time consuming and requires expertise, we developed a partly automated tool for extracting manifestations of intrusive behaviour from audit records: METAL (Manifestation Extraction Tool for Analysis of Logs). The tool extracts the changes in audit data that are caused by an attack. The changes are determined by comparing data generated during normal operation with data generated during a successful attack. METAL identifies all processes that may be affected by the attack, together with the specific system call sequences, arguments and return values that the attack changes, and so makes it possible to analyse many attacks in a reasonable amount of time. This makes it quicker and easier to find groups of attacks with similar properties, and the automation of the process makes attack analysis considerably easier. We tested the tool in analyses of five different attacks and found that it works well, is considerably less time consuming and gives a better overview of the attacks than manual analysis.
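The following is an added illustration of the comparison the abstract describes, written for this page; it is not METAL's own code and makes no claim about how METAL is implemented. It assumes a simplified audit record of the form (process name, system call, argument tuple, return value), matches processes across the two runs by executable name rather than PID (PIDs differ between runs), and treats a system call sequence as changed when a 3-gram of calls appears in the attack run but never in the normal run. Both traces are constructed sample data.

```python
"""Extract attack manifestations by diffing a normal trace against an attack trace.

Added example (not the METAL tool's code). Audit records are simplified to
(process name, system call, argument tuple, return value).
"""
from collections import defaultdict

# Constructed sample traces: one record per system call, in execution order.
NORMAL_TRACE = [
    ("httpd", "accept", ("sock",), 4),
    ("httpd", "read", ("4",), 512),
    ("httpd", "open", ("/var/www/index.html",), 5),
    ("httpd", "read", ("5",), 1024),
    ("httpd", "write", ("4",), 1024),
    ("httpd", "close", ("5",), 0),
    ("httpd", "close", ("4",), 0),
    ("cron", "open", ("/etc/crontab",), 3),
    ("cron", "read", ("3",), 200),
    ("cron", "close", ("3",), 0),
]

ATTACK_TRACE = [
    ("httpd", "accept", ("sock",), 4),
    ("httpd", "read", ("4",), 512),
    ("httpd", "open", ("/etc/shadow",), -1),   # new argument and new return value (failed open)
    ("httpd", "open", ("/var/www/index.html",), 5),
    ("httpd", "read", ("5",), 1024),
    ("httpd", "write", ("4",), 1024),
    ("httpd", "close", ("5",), 0),
    ("httpd", "execve", ("/bin/sh",), 0),      # system call never seen for httpd in the normal run
    ("httpd", "close", ("4",), 0),
    ("cron", "open", ("/etc/crontab",), 3),    # cron is unchanged between the two runs
    ("cron", "read", ("3",), 200),
    ("cron", "close", ("3",), 0),
]


def group_by_process(trace):
    """Group records by process name, preserving call order within each process."""
    per_process = defaultdict(list)
    for proc, call, args, ret in trace:
        per_process[proc].append((call, args, ret))
    return per_process


def ngrams(calls, n):
    """Set of all length-n windows over a list of system call names."""
    return {tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)}


def extract_manifestations(normal, attack, n=3):
    """Return, per affected process, the sequences, arguments and return values
    that occur in the attack run but not in the normal run.

    Processes with no difference are omitted, so the keys of the result are the
    processes that may be affected by the attack."""
    base = group_by_process(normal)
    atk = group_by_process(attack)
    report = {}
    for proc, records in atk.items():
        base_records = base.get(proc, [])   # a process absent from the normal run is entirely new
        base_calls = [c for c, _, _ in base_records]
        atk_calls = [c for c, _, _ in records]
        new_sequences = ngrams(atk_calls, n) - ngrams(base_calls, n)
        new_args = {(c, a) for c, a, _ in records} - {(c, a) for c, a, _ in base_records}
        new_rets = {(c, r) for c, _, r in records} - {(c, _r) for c, _, _r in base_records}
        if new_sequences or new_args or new_rets:
            report[proc] = {
                "new_sequences": sorted(new_sequences),
                "new_arguments": sorted(new_args),
                "new_return_values": sorted(new_rets),
            }
    return report


if __name__ == "__main__":
    for proc, diff in extract_manifestations(NORMAL_TRACE, ATTACK_TRACE).items():
        print(f"process {proc}:")
        for kind, values in diff.items():
            for value in values:
                print(f"  {kind}: {value}")
```

On the sample data only httpd is reported: the 3-gram window flags the two windows around the extra `open` and the two around `execve`, the argument diff flags `/etc/shadow` and `/bin/sh`, and the return-value diff flags the failed `open`. The window size n is the main tuning knob; a larger window yields more sequence manifestations for the same trace, so in practice it is chosen against the number of normal runs available as a baseline.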
