
METAL – A Tool for Extracting Attack Manifestations

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2005)

Abstract

Because manual analysis of attacks is time-consuming and requires expertise, we developed METAL (Manifestation Extraction Tool for Analysis of Logs), a partly automated tool for extracting manifestations of intrusive behaviour from audit records. The tool extracts the changes in audit data that are caused by an attack; the changes are determined by comparing data generated during normal operation with data generated during a successful attack. METAL identifies all processes that may be affected by the attack, together with the specific system call sequences, arguments and return values that the attack changes, and makes it possible to analyse many attacks in a reasonable amount of time. This makes it quicker and easier to find groups of attacks with similar properties, and the automation makes attack analysis considerably easier. We tested the tool by analysing five different attacks and found that it works well, is considerably less time-consuming, and gives a better overview of the attacks than manual analysis.
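The comparison the abstract describes, as an added example that is not part of the paper or of the METAL tool: two traces of the same service, one from normal operation and one from a successful attack, are grouped per process, aligned on system-call name, and the processes, call sequences, arguments and return values that differ are reported. The one-line-per-call trace format, the daemon name and both sample traces are constructed for this example; a real audit source (BSM, auditd, strace) would need its own parser producing the same (syscall, args, ret) tuples.

```python
"""Differential extraction of attack manifestations from system-call traces.

Added example, not METAL's own code. It follows the abstract's idea: take
audit data from normal operation and from a successful attack, and report the
processes, system-call sequences, arguments and return values that differ.
The one-line-per-call trace format ('comm[pid] syscall(args) = ret') and both
sample traces are constructed for this example.
"""
import difflib
import re
from collections import OrderedDict

# Constructed format, loosely strace-like. A real audit source (BSM, auditd,
# strace) needs its own parser producing the same (name, args, ret) tuples.
LINE_RE = re.compile(
    r'^(?P<comm>\S+)\[(?P<pid>\d+)\]\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+)\s*$'
)


def parse_trace(text):
    """Group calls by process: {comm: [(syscall, args, ret), ...]}.

    Processes are keyed by command name, not pid, so a normal run and an
    attack run can be compared although pids differ between runs.
    """
    procs = OrderedDict()
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError('unparsable trace line: %r' % line)
        procs.setdefault(m.group('comm'), []).append(
            (m.group('name'), m.group('args'), m.group('ret')))
    return procs


def diff_process(normal_calls, attack_calls):
    """Align two call lists on syscall name and report what the attack changed."""
    sm = difflib.SequenceMatcher(a=[c[0] for c in normal_calls],
                                 b=[c[0] for c in attack_calls], autojunk=False)
    added, removed, args, rets = [], [], [], []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == 'equal':
            # Same syscall at the same position: compare arguments and result.
            for n, a in zip(normal_calls[i1:i2], attack_calls[j1:j2]):
                if n[1] != a[1]:
                    args.append((n[0], n[1], a[1]))
                if n[2] != a[2]:
                    rets.append((n[0], n[2], a[2]))
        else:
            # The sequence itself differs: calls present in only one run.
            removed.extend(normal_calls[i1:i2])
            added.extend(attack_calls[j1:j2])
    return {'added': added, 'removed': removed, 'args': args, 'returns': rets}


def extract_manifestations(normal_text, attack_text):
    """Return processes that appear/disappear and per-process call changes."""
    normal, attack = parse_trace(normal_text), parse_trace(attack_text)
    result = {
        'new_processes': [c for c in attack if c not in normal],
        'missing_processes': [c for c in normal if c not in attack],
        'changed': OrderedDict(),
    }
    for comm in attack:
        if comm in normal:
            d = diff_process(normal[comm], attack[comm])
            if any(d.values()):
                result['changed'][comm] = d
    return result


# Constructed sample: a normal FTP session, and one in which an overlong USER
# argument overflows a buffer and the daemon ends up spawning a root shell.
NORMAL_TRACE = """
ftpd[1201] accept(3, NULL, NULL) = 4
ftpd[1201] read(4, "USER anonymous", 512) = 15
ftpd[1201] open("/var/ftp/pub/readme.txt", O_RDONLY) = 5
ftpd[1201] read(5, "Welcome", 512) = 7
ftpd[1201] close(5) = 0
ftpd[1201] close(4) = 0
"""
ATTACK_TRACE = """
ftpd[1340] accept(3, NULL, NULL) = 4
ftpd[1340] read(4, "USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 512) = 512
ftpd[1340] open("/var/ftp/pub/readme.txt", O_RDONLY) = 5
ftpd[1340] setuid(0) = 0
ftpd[1340] execve("/bin/sh", ["sh", "-i"], NULL) = 0
sh[1340] read(0, "id", 512) = 3
"""

if __name__ == '__main__':
    r = extract_manifestations(NORMAL_TRACE, ATTACK_TRACE)
    print('new processes:', r['new_processes'])
    for comm, d in r['changed'].items():
        print(comm, 'added:', [c[0] for c in d['added']],
              'removed:', [c[0] for c in d['removed']],
              'arg changes:', [c[0] for c in d['args']],
              'return changes:', d['returns'])
```

On the constructed traces the report is: a new process `sh`, and in `ftpd` the `read` of the USER line has different arguments and a different return value, the normal `read`/`close`/`close` tail is gone, and `setuid` and `execve` appear in its place. Two caveats a practitioner will hit immediately: run-to-run noise (pids, descriptors, buffer lengths, timestamps) shows up as spurious differences unless those fields are normalised or several normal runs are compared, and aligning on syscall name alone means a reordered but otherwise equivalent sequence is reported as removed and added calls rather than as unchanged.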




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Larson, U., Lundin-Barse, E., Jonsson, E. (2005). METAL – A Tool for Extracting Attack Manifestations. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_6

Download citation

  • DOI: https://doi.org/10.1007/11506881_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-26613-6

  • Online ISBN: 978-3-540-31645-9

  • eBook Packages: Computer Science (R0)
