Chapter

Detection of Intrusions and Malware, and Vulnerability Assessment

Volume 3548 of the series Lecture Notes in Computer Science pp 85-102

METAL – A Tool for Extracting Attack Manifestations

  • Ulf LarsonAffiliated withLancaster UniversityComputer Science and Engineering, Chalmers University of Technology
  • , Emilie Lundin-BarseAffiliated withLancaster UniversityComputer Science and Engineering, Chalmers University of Technology
  • , Erland JonssonAffiliated withLancaster UniversityComputer Science and Engineering, Chalmers University of Technology

* Final gross prices may vary according to local VAT.

Get Access

Abstract

As manual analysis of attacks is time consuming and requires expertise, we developed a partly automated tool for extracting manifestations of intrusive behaviour from audit records, METAL (Manifestation Extraction Tool for Analysis of Logs). The tool extracts changes in audit data that are caused by an attack. The changes are determined by comparing data generated during normal operation to data generated during a successful attack. METAL identifies all processes that may be affected by the attack and the specific system call sequences, arguments and return values that are changed by the attack and makes it possible to analyse many attacks in a reasonable amount of time. Thus it is quicker and easier to find groups of attacks with similar properties and the automation of the process makes attack analysis considerably easier. We tested the tool in analyses of five different attacks and found that it works well, is considerably less time consuming and gives a better overview of the attacks than manual analysis.

Keywords

Automated attack analysis intrusion detection system calls log data