As manual analysis of attacks is time consuming and requires expertise, we developed a partly automated tool for extracting manifestations of intrusive behaviour from audit records, METAL (Manifestation Extraction Tool for Analysis of Logs). The tool extracts the changes in audit data that are caused by an attack. The changes are determined by comparing data generated during normal operation with data generated during a successful attack. METAL identifies all processes that may be affected by the attack, together with the specific system call sequences, arguments and return values that the attack changes, and so makes it possible to analyse many attacks in a reasonable amount of time. Groups of attacks with similar properties are therefore quicker and easier to find, and the automation of the process makes attack analysis considerably easier. We tested the tool in analyses of five different attacks and found that it works well, is considerably less time consuming and gives a better overview of the attacks than manual analysis.
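The following is an added illustration of the comparison the abstract describes (not METAL's own code): per-process audit records from a normal run are diffed against records from a successful attack to report new processes, new system call sequences, and changed arguments and return values. The record layout, the sample records and the bigram-based sequence comparison are assumptions of this example.

```python
from collections import defaultdict

# Constructed audit records in an assumed layout: (process, syscall, argument, return value).
NORMAL = [  # baseline: an FTP daemon serving a public file
    ("ftpd", "accept", "", "0"),
    ("ftpd", "read", "USER anon", "9"),
    ("ftpd", "open", "/var/ftp/pub/file.txt", "3"),
    ("ftpd", "write", "", "512"),
    ("ftpd", "close", "", "0"),
]
ATTACK = [  # constructed trace of the same service during a successful attack
    ("ftpd", "accept", "", "0"),
    ("ftpd", "read", "USER anon", "9"),
    ("ftpd", "open", "/etc/passwd", "-1"),
    ("ftpd", "execve", "/bin/sh", "0"),
    ("sh", "open", "/etc/passwd", "3"),
    ("sh", "read", "", "1024"),
]

def by_process(records):
    """Group (syscall, argument, return) tuples under the process that issued them."""
    procs = defaultdict(list)
    for proc, call, arg, ret in records:
        procs[proc].append((call, arg, ret))
    return procs

def ngrams(calls, n):
    """All length-n windows of a syscall list; empty when the list is shorter than n."""
    return {tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)}

def extract_manifestation(normal, attack, n=2):
    """Return, per affected process, what appears in the attack trace but not the baseline."""
    base, atk = by_process(normal), by_process(attack)
    report = {}
    for proc, events in atk.items():
        base_events = base.get(proc, [])
        new_seqs = ngrams([e[0] for e in events], n) - ngrams([e[0] for e in base_events], n)
        new_args = {(c, a) for c, a, _ in events} - {(c, a) for c, a, _ in base_events}
        new_rets = {(c, r) for c, _, r in events} - {(c, r) for c, _, r in base_events}
        if proc not in base or new_seqs or new_args or new_rets:
            report[proc] = {"new_process": proc not in base, "sequences": sorted(new_seqs),
                            "arguments": sorted(new_args), "return_values": sorted(new_rets)}
    return report

if __name__ == "__main__":
    for proc, changes in extract_manifestation(NORMAL, ATTACK).items():
        print(proc, changes)
```

Identical traces yield an empty report, so the output contains only attack-induced changes; a real deployment would diff many normal runs to suppress benign variation.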