CPL - Chalmers Publication Library

METAL - A tool for extracting attack manifestations

Ulf Larson (Department of Computer Science and Engineering, Computer Engineering (Chalmers)); Emilie Lundin Barse (Department of Computer Science and Engineering, Computer Engineering (Chalmers)); Erland Jonsson (Department of Computer Science and Engineering, Computer Engineering (Chalmers))
Detection of Intrusions and Malware, and Vulnerability Assessment, Second International Conference, DIMVA 2005, pp. 85-102. (2005)
[Conference contribution, peer-reviewed]

Because manual analysis of attacks is time consuming and requires expertise, we developed a partially automated tool, METAL (Manifestation Extraction Tool for Analysis of Logs), for extracting manifestations of intrusive behaviour from audit records. The tool extracts the changes in audit data that an attack causes. The changes are determined by comparing data generated during normal operation with data generated during a successful attack. METAL identifies all processes that may be affected by the attack, together with the specific system call sequences, arguments and return values that the attack changes, which makes it possible to analyse many attacks in a reasonable amount of time. Groups of attacks with similar properties can therefore be found more quickly and easily, and automating the process makes attack analysis considerably easier. We tested the tool in analyses of five different attacks and found that it works well, is considerably less time consuming and gives a better overview of the attacks than manual analysis does.
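The comparison the abstract describes, as an added illustration that is not METAL's code (the paper worked on real audit records; here the record format "pid comm syscall args ret", the field names and both sample traces are constructed, and processes are matched between the two runs by command name rather than pid, which is an assumption made for the example):

```python
"""
Extract attack manifestations by diffing per-process system call traces
from a normal run and a successful-attack run.

Added example, not METAL's own code. The log format, field names and the
two traces below are constructed for illustration.
"""
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed audit records, one system call per line: "pid comm syscall args ret".
NORMAL_TRACE = """\
100 ftpd open /etc/ftpusers 3
100 ftpd read 3 42
100 ftpd close 3 0
100 ftpd open /var/log/xferlog 4
100 ftpd write 4 87
"""

# Same service under a (constructed) successful attack: a failed and then a
# successful execve appear, and a child shell reads a file ftpd never touched.
ATTACK_TRACE = """\
200 ftpd open /etc/ftpusers 3
200 ftpd read 3 42
200 ftpd close 3 0
200 ftpd setuid 0 0
200 ftpd execve /bin/sh -1
200 ftpd execve /bin/sh 0
201 sh open /etc/shadow 3
201 sh read 3 1024
"""


def parse_trace(text):
    """Return {comm: [(syscall, args, ret), ...]} in arrival order.

    Processes are keyed by command name (comm), not pid, because pids differ
    between the normal and the attack run (assumption for this example).
    """
    procs = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        pid, comm, syscall = fields[0], fields[1], fields[2]
        ret = fields[-1]                      # last field is the return value
        args = " ".join(fields[3:-1])         # everything in between is arguments
        procs[comm].append((syscall, args, ret))
    return procs


def extract_manifestation(normal_text, attack_text):
    """Compare the two runs and report what the attack changed.

    For every process seen in the attack run:
      - 'divergent'     : where the syscall *sequence* departs from the normal
                          run (difflib opcodes other than 'equal'), with the
                          normal and attack call slices side by side
      - 'changed_calls' : (syscall, args, ret) triples from the attack run that
                          never occur in the normal run, i.e. new calls, new
                          arguments or changed return values
    Processes that exist only in the attack run are listed in 'new_processes'.
    """
    normal = parse_trace(normal_text)
    attack = parse_trace(attack_text)
    result = {
        "new_processes": sorted(set(attack) - set(normal)),
        "processes": {},
    }
    for comm, attack_calls in attack.items():
        normal_calls = normal.get(comm, [])
        normal_set = set(normal_calls)

        # Align the two syscall sequences by syscall name only; argument and
        # return value differences are caught separately below.
        matcher = SequenceMatcher(
            a=[c[0] for c in normal_calls],
            b=[c[0] for c in attack_calls],
            autojunk=False,
        )
        divergent = [
            (tag, normal_calls[i1:i2], attack_calls[j1:j2])
            for tag, i1, i2, j1, j2 in matcher.get_opcodes()
            if tag != "equal"
        ]
        changed = [c for c in attack_calls if c not in normal_set]

        if divergent or changed:
            result["processes"][comm] = {
                "divergent": divergent,
                "changed_calls": changed,
            }
    return result


if __name__ == "__main__":
    report = extract_manifestation(NORMAL_TRACE, ATTACK_TRACE)
    print("processes only in attack run:", report["new_processes"])
    for comm, info in report["processes"].items():
        print(f"[{comm}]")
        for tag, before, after in info["divergent"]:
            print(f"  {tag}: normal={before} attack={after}")
        for syscall, args, ret in info["changed_calls"]:
            print(f"  manifestation: {syscall}({args}) -> {ret}")
```

The two-stage comparison mirrors the abstract's three kinds of manifestation: the sequence alignment localises where the attack run departs from normal control flow, the set difference on full (syscall, args, ret) triples picks up calls whose arguments or return values changed even when the syscall name is the same (here the failed execve with return value -1 beside the successful one), and the process-level difference lists processes the attack introduced. On real audit data the per-process key and the handling of pid reuse are the parts that need the most care.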

Keywords: Automated attack analysis, intrusion detection, system calls, log data

This record was created 2006-08-29. Last modified 2010-09-07.
CPL Pubid: 10186