Privacy, Intrusion Detection, and Response: Technologies for Protecting Networks

This chapter aims to give a clear and concise picture of data collection for intrusion detection. It explains in detail the components of a generic data collection mechanism and how that mechanism interacts with its environment, from the initial trigger to the output of log data records. Taxonomies of mechanism characteristics and of deployment considerations are presented and discussed. The chapter also offers guidelines and hints for selecting and deploying mechanisms, intended to help intrusion detection system developers, designers, and operators choose mechanisms that collect the required data with minimal resource overhead.
