Aspects of Adapting Data Collection to Intrusion Detection

The focus of this thesis is on data collection, and in particular on data collection for intrusion detection purposes. Data collection is the first, and possibly the most important, activity in the overall intrusion detection process: the result of the detection can never be better than the data on which the detection is based. One of the main problems in this respect is that the amount of data is too large to be readily processed, so significant data reduction is needed early in the detection process. To address this, I have developed the Manifestation Extraction Tool for Analysis of Logs (METAL). METAL extracts useful log items, the manifestations, from collected data while discarding redundant log items. Identifying the manifestations of a specific attack is fundamental, as the manifestations hold the information needed to detect the attack. The operation of the METAL tool is based on differential analysis between log data captured during attack activity and log data captured during corresponding normal activity. The tool not only provides a set of manifestations but also achieves a significant reduction in data: in an experiment with buffer overflow attacks and data from system call logs, a data reduction rate of 95% was achieved. The thesis also studies the relationship between the characteristics of data collection mechanisms and the log data they produce, i.e. which types of data can be logged by a specific mechanism. This in turn indicates which attacks can be detected using data from a given mechanism. The result is presented in the form of a taxonomy and a classification of a number of data collection mechanisms.
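To make the differential-analysis idea concrete, here is an added, simplified illustration (not METAL's own code): two constructed strace-like system call logs, one from normal activity and one from an attack run, are compared, and the items that occur only in the attack log are kept as manifestations. The log format, the normalisation rule (drop pid and return value) and the sample lines are assumptions for this example.

```python
"""Simplified differential log analysis in the spirit of METAL.

Added example, not the thesis's own tool. It assumes an strace-like
log format "<pid> <syscall>(<args>) = <ret>" (a constructed assumption).
"""
import re

# Constructed sample logs: a service handling a request normally, and the
# same service handling a crafted request that triggers a buffer overflow.
NORMAL_LOG = """\
4012 read(4, ..., 4096) = 512
4012 stat("/var/www/index.html") = 0
4012 open("/var/www/index.html", O_RDONLY) = 5
4012 read(5, ..., 8192) = 2048
4012 write(4, ..., 2048) = 2048
4012 close(5) = 0
""".splitlines()

ATTACK_LOG = """\
4098 read(4, ..., 4096) = 4096
4098 stat("/var/www/index.html") = 0
4098 open("/var/www/index.html", O_RDONLY) = 5
4098 read(5, ..., 8192) = 2048
4098 setuid(0) = 0
4098 execve("/bin/sh", ["sh"], ...) = 0
4098 brk(0) = 134520832
4098 brk(0) = 134520832
""".splitlines()

_PID_AND_RET = re.compile(r"^\d+\s+(.*?)\s*=\s*-?\d+$")

def normalize(line):
    """Drop the per-process pid and the return value so that the same
    syscall issued in two different runs compares equal."""
    m = _PID_AND_RET.match(line.strip())
    return m.group(1) if m else line.strip()

def extract_manifestations(normal_log, attack_log):
    """Differential step: keep attack-log items whose normalised form never
    occurs in the normal-activity log; repeated items are kept only once."""
    baseline = {normalize(l) for l in normal_log}
    seen, manifestations = set(), []
    for line in attack_log:
        key = normalize(line)
        if key not in baseline and key not in seen:
            seen.add(key)
            manifestations.append(key)
    return manifestations

def reduction_rate(attack_log, manifestations):
    """Fraction of attack-log items discarded by the differential step."""
    return 1.0 - len(manifestations) / len(attack_log)
```

Running `extract_manifestations(NORMAL_LOG, ATTACK_LOG)` on the constructed logs keeps three items out of eight, a reduction rate of 62.5%; the 95% figure quoted in the abstract comes from the thesis's own experiment, not from this toy data.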
