METAL – A Tool for Extracting Attack Manifestations

  • Ulf Larson
  • Emilie Lundin-Barse
  • Erland Jonsson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3548)


As manual analysis of attacks is time consuming and requires expertise, we developed a partly automated tool for extracting manifestations of intrusive behaviour from audit records, METAL (Manifestation Extraction Tool for Analysis of Logs). The tool extracts changes in audit data that are caused by an attack. The changes are determined by comparing data generated during normal operation to data generated during a successful attack. METAL identifies all processes that may be affected by the attack and the specific system call sequences, arguments and return values that are changed by the attack and makes it possible to analyse many attacks in a reasonable amount of time. Thus it is quicker and easier to find groups of attacks with similar properties and the automation of the process makes attack analysis considerably easier. We tested the tool in analyses of five different attacks and found that it works well, is considerably less time consuming and gives a better overview of the attacks than manual analysis.


Automated attack analysis intrusion detection system calls log data 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Paxon, V.: Bro: A system for detecting network intruders in real-time. In: Proceedings of the Seventh USENIX Security Symposium, San Antonio, Texas, USA, pp. 31–51. USENIX (1998)Google Scholar
  2. 2.
    Lindqvist, U., Porras, P.A.: eXpert-BSM: A host-based intrusion detection solution for Sun Solaris. In: Proceedings of the 17th Annual Computer Security Applications Conference, New Orleans, Louisiana, USA (2001)Google Scholar
  3. 3.
    Almgren, M., Lindqvist, U.: Application-integrated data collection for security monitoring. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 22–36. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  4. 4.
    Ilgun, K., Kemmerer, R., Porras, P.: State transition analysis: A rule-based intrusion detection approach. IEEE Transaction on Software Engineering 21 (1995)Google Scholar
  5. 5.
    Lindqvist, U., Porras, P.: Detecting computer and network misuse through the Production-Based Expert System Toolset (P-BEST). In: Proceeding of the 1999 Symposium of Security and Privacy, Oakland, CA, USA. IEEE Computer Society Press, Los Alamitos (1999)Google Scholar
  6. 6.
    Debar, H., Becker, M., Siboni, D.: A neural network component for an intrusion detection system. In: Proceedings of the IEEE Symposium on Research in Computer Security and Privacy, Oakland, CA, USA, pp. 240–250 (1992)Google Scholar
  7. 7.
    Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for Unix processes. In: Proceedings of the 1996 IEEE Symposium on Research in Security and Privacy, pp. 120–128. IEEE Computer Society Press, Los Alamitos (1996)Google Scholar
  8. 8.
    Barse, E.L., Jonsson, E.: Extracting attack manifestations to determine log data requirements for intrusion detection. In: Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC 2004), Tucson, Arizona, USA. IEEE Computer Society, Los Alamitos (2004)Google Scholar
  9. 9.
    Daniels, T., Spafford, E.: Identification of host audit data to detect attacks on low-level IP vulnerabilities. Journal of Computer Security 7, 3–35 (1999)Google Scholar
  10. 10.
    Zamboni, D.: Using Internal Sensors for Computer Intrusion Detection. PhD thesis, Purdue University, West Lafayette, IN, USA (2001) CERIAS TR 2001-42Google Scholar
  11. 11.
    Killourhy, K.S., Maxion, R.A., Tan, K.M.C.: A defence-centric taxonomy based on attack manifestations. In: Proceedings of the International Conference on Dependable Systems and Networks (DSN 2004), Florence, Italy (2004)Google Scholar
  12. 12.
    Axelsson, S., Lindqvist, U., Gustafson, U., Jonsson, E.: An approach to UNIX security logging. In: Proceedings of the 21st National Information Systems Security Conference, Arlington, Virginia, USA, National Institute of Standards and Technology/National Computer Security Center, pp. 62–75 (1998)Google Scholar
  13. 13.
    Kruegel, C., Mutz, D., Valeur, F., Vigna, G.: On the Detection of Anomalous System Call Arguments. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 326–343. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Lee, W., Stolfo, S., Chan, P.: Learning patterns from Unix process execution traces for intrusion detection. In: AAAI Workshop: AI Approaches to Fraud Detection and Risk Management (1997)Google Scholar
  15. 15.
    Kreibich, C., Crowcroft, J.: Honeycomb - creating intrusion detection signatures using honeypots. In: 2nd Workshop on Hot Topics in Networks (HotNets-II), Boston, USA (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Ulf Larson
    • 1
  • Emilie Lundin-Barse
    • 1
  • Erland Jonsson
    • 1
  1. 1.Computer Science and EngineeringChalmers University of TechnologyGöteborgSweden

Personalised recommendations