A Structured Overview of Data Collection with a Focus on Intrusion Detection

Collection and analysis of audit data is a critical component in many computer-related activities, such as debugging, measurement, and detection. The data must be correct and must be delivered in a timely fashion. Additionally, the data should be sparse, to reduce the resources used to collect and store it, while still containing the attributes required by the goal of the collection. The production of audit data depends directly on the deployed data collection mechanisms. Adequate knowledge of these mechanisms is thus a critical resource for software developers, security officers, and system administrators and operators. This report aims at providing a clear and concise picture of how data collection mechanisms work. It provides a detailed explanation of the generic components of a data collection mechanism and their interaction with the environment, from initial triggering to output of log data records. Furthermore, it provides a taxonomy of mechanism characteristics based on previously published theoretical results [43, 44]. Guidelines and hints for mechanism selection are provided, and examples of application fields that benefit from proper mechanism knowledge are presented. An extensive appendix contains 50 surveyed mechanisms. We believe that the classification and the guidelines can be used to assist system administrators and operators in performing resource-efficient mechanism selection. The guidelines and the classification can also be used when a specific type of data collection is desired. For example, it is easy to find out which mechanisms collect samples for execution profiling, and which mechanisms can be reconfigured without the need for a restart. This is a valuable source of information that reduces the need to browse multiple manual pages and whitepapers to find the desired mechanism.

Furthermore, by using the selection guidelines, we can obtain a more resource-efficient data collection and a more accurate data analysis.

[1] Steven McCanne et al. The BSD Packet Filter: A New Architecture for User-level Packet Capture, 1993, USENIX Winter.

[2] Timothy W. Curry et al. Profiling and Tracing Dynamic Library Usage Via Interposition, 1994, USENIX Summer.

[3] Benjamin A. Kuperman et al. A categorization of computer security monitoring systems and the impact on the design of audit sources, 2004.

[4] Matt Bishop. A model of security monitoring, 1989, [1989 Proceedings] Fifth Annual Computer Security Applications Conference.

[5] James R. Larus et al. Efficient program tracing, 1993, Computer.

[6] Dan Tsafrir et al. Fine grained kernel logging with KLogger: experience and insights, 2007, EuroSys '07.

[7] M. Itzkowitz et al. Memory Profiling using Hardware Counters, 2003, ACM/IEEE SC 2003 Conference (SC'03).

[8] Ulf E. Larson et al. Simulated attacks on CAN buses: vehicle virus, 2008.

[9] Jeffrey K. Hollingsworth et al. An API for Runtime Code Patching, 2000, Int. J. High Perform. Comput. Appl.

[10] John Kunze et al. A trace-driven analysis of the unix 4, 1985, SOSP 1985.

[11] Michel Dagenais et al. Measuring and Characterizing System Behavior Using Kernel-Level Event Logging, 2000, USENIX Annual Technical Conference, General Track.

[12] Dorothy E. Denning et al. An Intrusion-Detection Model, 1986, 1986 IEEE Symposium on Security and Privacy.

[13] Jack Dongarra et al. Using PAPI for Hardware Performance Monitoring on Linux Systems, 2001.

[14] Dong Xiang et al. Information-theoretic measures for anomaly detection, 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[15] Dennis M. Ritchie et al. A stream input-output system, 1990.

[16] Jeffrey C. Mogul et al. The packet filter: an efficient mechanism for user-level network code, 1987, SOSP '87.

[17] Richard J. Moore. A Universal Dynamic Trace for Linux and Other Operating Systems, 2001, USENIX Annual Technical Conference, FREENIX Track.

[18] Kymie M. C. Tan et al. Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits, 2002, RAID.

[19] Werner Vogels et al. File system usage in Windows NT 4.0, 1999, SOSP.

[20] Erland Jonsson et al. Operator-Centric and Adaptive Intrusion Detection, 2008, 2008 The Fourth International Conference on Information Assurance and Security.

[21] Lance M. Berc et al. Continuous profiling: where have all the cycles gone?, 1997, TOCS.

[22] Matt Bishop et al. Profiling under UNIX by patching, 1987, Softw. Pract. Exp.

[23] Ulf E. Larson et al. Conducting forensic investigations of cyber attacks on automobile in-vehicle networks, 2008.

[24] Marc Dacier et al. A revised taxonomy for intrusion-detection systems, 2000, Ann. des Télécommunications.

[25] Stephanie Forrest et al. A sense of self for Unix processes, 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[26] David A. Wagner et al. Mimicry attacks on host-based intrusion detection systems, 2002, CCS '02.

[27] Erland Jonsson et al. Extracting attack manifestations to determine log data requirements for intrusion detection, 2004, 20th Annual Computer Security Applications Conference.

[28] Eugene H. Spafford et al. Defending a Computer System Using Autonomous Agents, 1995.

[29] Kymie M. C. Tan et al. A defense-centric taxonomy based on attack manifestations, 2004, International Conference on Dependable Systems and Networks, 2004.

[30] Philip K. Chan et al. Learning Patterns from Unix Process Execution Traces for Intrusion Detection, 1997.

[31] Eugene H. Spafford et al. Using internal sensors for computer intrusion detection, 2001.

[32] Robert Braden. A pseudo-machine for packet monitoring and statistics, 1988, SIGCOMM 1988.

[33] Erland Jonsson et al. A Revised Taxonomy of Data Collection Mechanisms with a Focus on Intrusion Detection, 2008, 2008 Third International Conference on Availability, Reliability and Security.

[34] Eugene H. Spafford et al. Generation of Application Level Audit Data via Library Interposition, 1998.

[35] Emilie Lundin Barse. Logging for Intrusion and Fraud Detection, 2004.

[36] Fulvio Risso et al. An architecture for high performance network analysis, 2001, Proceedings. Sixth IEEE Symposium on Computers and Communications.

[37] Erland Jonsson et al. An Approach to UNIX Security Logging, 1998.

[38] Zheng Wang et al. System support for automatic profiling and optimization, 1997, SOSP.

[39] Greg Kroah-Hartman et al. Linux Device Drivers, 1998.

[40] Harish Patil et al. Pin: building customized program analysis tools with dynamic instrumentation, 2005, PLDI '05.

[41] Erland Jonsson et al. A Comparison of Alternative Audit Sources for Web Server Attack Detection, 2007.

[42] Simson L. Garfinkel et al. Practical UNIX and Internet Security, 1996.

[43] Erez Zadok et al. Tracefs: A File System to Trace Them All, 2004, FAST.

[44] Samuel J. Leffler et al. The design and implementation of the 4.3 BSD Unix operating system, 1991, Addison-Wesley series in computer science.

[45] James R. Larus et al. Rewriting executable files to measure program behavior, 1994, Softw. Pract. Exp.

[46] Bryan Cantrill et al. Dynamic Instrumentation of Production Systems, 2004, USENIX Annual Technical Conference, General Track.

[47] Beth A. Schroeder. On-Line Monitoring: A Tutorial, 1995, Computer.

[48] Sean Peisert et al. A model of forensic analysis using goal-oriented logging, 2007.

[49] Barton P. Miller et al. Fine-grained dynamic instrumentation of commodity operating system kernels, 1999, OSDI '99.

[50] Ann Q. Gates et al. A taxonomy and catalog of runtime software-fault monitoring tools, 2004, IEEE Transactions on Software Engineering.