CPL - Chalmers Publication Library

A Comparison of Alternative Audit Sources for Web Server Attack Detection

Magnus Almgren (Institutionen för data- och informationsteknik, Datorteknik (Chalmers)) ; Erland Jonsson (Institutionen för data- och informationsteknik, Datorteknik (Chalmers)) ; Ulf Lindqvist
The 12th Nordic Workshop on Secure IT-systems (2007)
[Conference contribution, peer-reviewed]

Most intrusion detection systems available today use a single audit source for detecting all attacks, even though attacks have distinct manifestations in different parts of the system. In this paper we carry out a theoretical investigation of the role of the audit source for the detection capability of the intrusion detection system (IDS). Concentrating on web server attacks, we examine the attack manifestations available to intrusion detection systems at different abstraction layers, including a network-based IDS, an application-based IDS, and finally a host-based IDS. Our findings include that attacks indeed have different manifestations depending on the audit source used. Some audit sources may lack any manifestation for certain attacks, and in other cases contain only events that are indirectly connected to the attack in question. This, in turn, affects the reliability of the attack detection if the intrusion detection system uses only a single audit source for collecting security-relevant events. Hence, we conclude that using a multisource detection model increases the probability of detecting a range of attacks directed toward the web server. We also note that this model should account for the detection quality of each attack/audit stream to be able to rank alerts.

Keywords: intrusion detection, attack manifestations

This record was created 2007-09-25. Last modified 2015-02-26.
CPL Pubid: 49958

Departments (Chalmers)

Institutionen för data- och informationsteknik, Datorteknik (Chalmers)

Subject areas

Computer Science

Chalmers infrastructure

Related publications

This publication is part of:

Techniques for Improving Intrusion Detection