CPL - Chalmers Publication Library
| Utbildning | Forskning | Styrkeområden | Om Chalmers | In English In English Ej inloggad.

Reducing system call logs with selective auditing

Ulf Larson (Institutionen för data- och informationsteknik, Datorteknik (Chalmers)) ; Erland Jonsson (Institutionen för data- och informationsteknik, Datorteknik (Chalmers))
Nordic Workshop on Secure IT Systems (NordSec) p. 122-131. (2005)
[Konferensbidrag, refereegranskat]

Event auditing today is a resource consuming process. Rapidly increasing performance of hardware results in event production at a faster rate. Complex software, multiprogramming and extensive connectivity between software components makes it both difficult and resource demanding to discriminate between malicious and benign system events. Thus, an exhaustive auditing approach is not feasible and there is need for a more efficient solution. We propose a method called selective auditing, where only a specific subset of system events are recorded. This will significantly reduce the required amount of auditing and will produce smaller audit logs of higher quality. We illustrate the benefits of the selective auditing method by executing four buffer overflow attacks and show that the logs generated by selective auditing are significantly reduced in size while still giving the same detection rate.

Nyckelord: Intrusion detection, system calls, auditing, data reduction



Denna post skapades 2006-08-29.
CPL Pubid: 10187

 

Läs direkt!


Länk till annan sajt (kan kräva inloggning)