Abstract
As manual analysis of attacks is time consuming and requires expertise, we developed a partly automated tool for extracting manifestations of intrusive behaviour from audit records, METAL (Manifestation Extraction Tool for Analysis of Logs). The tool extracts changes in audit data that are caused by an attack. The changes are determined by comparing data generated during normal operation to data generated during a successful attack. METAL identifies all processes that may be affected by the attack, together with the specific system call sequences, arguments and return values that are changed by the attack, and makes it possible to analyse many attacks in a reasonable amount of time. Thus it is quicker and easier to find groups of attacks with similar properties, and the automation of the process makes attack analysis considerably easier. We tested the tool in analyses of five different attacks and found that it works well, is considerably less time consuming and gives a better overview of the attacks than manual analysis.
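As an added example (not the METAL implementation from the paper), the comparison described in the abstract in Python: audit records from normal runs form a per-process baseline of system call 2-grams, arguments and return values, and whatever the attack run adds beyond that baseline is reported as the manifestation. The records and their (process, syscall, argument, return value) layout are constructed assumptions, not the paper's audit format.

```python
from collections import defaultdict
# Constructed audit records: (process, syscall, argument, return value).
NORMAL_RUNS = [
    [("httpd", "open", "/var/www/index.html", 3),
     ("httpd", "read", "3", 512),
     ("httpd", "close", "3", 0)],
    [("httpd", "open", "/var/www/about.html", 3),
     ("httpd", "read", "3", 240),
     ("httpd", "close", "3", 0)],
]
ATTACK_RUN = [
    ("httpd", "open", "/etc/passwd", 3),
    ("httpd", "read", "3", 1024),
    ("httpd", "execve", "/bin/sh", 0),
    ("sh", "open", "/etc/shadow", -1),
]

def by_process(run):
    """Group one run's records by process, preserving per-process order."""
    procs = defaultdict(list)
    for proc, call, arg, ret in run:
        procs[proc].append((call, arg, ret))
    return procs

def ngrams(calls, n):
    """All length-n windows of a process's system call sequence."""
    return {tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)}

def extract_manifestations(normal_runs, attack_run, n=2):
    """Per process: syscall n-grams, (call, arg) and (call, ret) pairs seen in the attack run but in no normal run."""
    baseline = {}
    for run in normal_runs:
        for proc, recs in by_process(run).items():
            b = baseline.setdefault(proc, {"seq": set(), "arg": set(), "ret": set()})
            b["seq"] |= ngrams([c for c, _, _ in recs], n)
            b["arg"] |= {(c, a) for c, a, _ in recs}
            b["ret"] |= {(c, r) for c, _, r in recs}
    manifestations = {}
    for proc, recs in by_process(attack_run).items():
        # A process never seen in normal operation has an empty baseline,
        # so everything it does is part of the manifestation.
        b = baseline.get(proc, {"seq": set(), "arg": set(), "ret": set()})
        diff = {
            "new_process": proc not in baseline,
            "sequences": ngrams([c for c, _, _ in recs], n) - b["seq"],
            "arguments": {(c, a) for c, a, _ in recs} - b["arg"],
            "returns": {(c, r) for c, _, r in recs} - b["ret"],
        }
        if diff["new_process"] or any(diff[k] for k in ("sequences", "arguments", "returns")):
            manifestations[proc] = diff
    return manifestations
```

Diffing a normal run against the same baseline yields an empty result, which is the sanity check to run before trusting what the attack diff reports.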
© 2005 Springer-Verlag Berlin Heidelberg
Larson, U., Lundin-Barse, E., Jonsson, E. (2005). METAL – A Tool for Extracting Attack Manifestations. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_6
DOI: https://doi.org/10.1007/11506881_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26613-6
Online ISBN: 978-3-540-31645-9