Correlation of system events: High performance classification of selinux activities and scenarios

This paper presents an architecture for the characterization and classification of activities occurring on a computer. These activities are considered from a system point of view, currently dealing with information coming from SELinux system logs. Starting from system events, and following an incremental approach, this paper shows how to characterize high-level and macro activities occurring on the system and how to classify those activities. It gives the formal basics of the approach and presents our implementation. The experimental results use real samples taken from our honeypot. Correlation results are obtained using grid computation. Our high performance architecture makes it possible to process the large volume of events captured during one year on a high interaction honeypot.
