Host Based Intrusion Detection: Analyzing System Logs
Bob Winding, Vikram Ahmed
University of Notre Dame
12/13/2006
The Problem
• The number and sophistication of attacks is increasing
• It is hard to “know” that a system is intact
• If a system is compromised, what happened?
• How do we instrument systems for a very high level of security or surveillance?
• How can we analyze the data?

Sebek and Honeynet
• Honeynet project
  • An architecture for hacker surveillance
  • Correlates kernel logging and network activity
  • Integrates kernel logging, packet capture, and IDS detects
• Tunable and extensible kernel logging
  • Replaces system call table entries (Linux)
  • Load-time filtering
  • Windows XP: a less complete implementation
• Honeywall to control the risk of observing intrusions

Hacking Windows and Linux
• Metasploit framework
• Not a lot of success in hacking Linux
• Several successful exploits for Windows
• Problems with Windows Sebek

Data Capture Tools
• Windows XP
  • Windows Perfmon trace facility
  • SysInternals: Process Explorer, Filemon
• Sebek
• Honeynet Snort IDS

The Data
• Process creation / deletion
  • Process ID and parent process ID
  • XP process tree
• Network connections
• File system activity (open, close, read, write)
• Keystrokes
• IDS events

Performance Observations
• No formal performance analysis
• No noticeable performance impact
• If extensive logging is turned on, there is an impact: you can’t log everything

Conclusions
• A modest amount of logging can greatly aid forensics or detection
• OS behavior/design can be leveraged (e.g. the XP process tree)
• Combining multiple data sources is needed
• Honeynet is a good architecture with incomplete tools
• Augmenting Sebek with the identified data is needed
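The two points the deck closes on, leveraging the process tree and combining data sources, can be shown in a few lines. This is an added example, not code from the presentation or from Sebek: it rebuilds the process tree from constructed process-creation records (pid, ppid, image) and joins constructed network-connection records to it by pid, so every outbound connection can be traced to its full ancestry. The "interactive shell somewhere in the ancestry" heuristic is an assumption chosen for illustration.

```python
# Constructed sample data, not taken from the slides: process-creation events
# as (timestamp, pid, ppid, image), the fields the "The Data" slide lists.
PROCESS_EVENTS = [
    ("10:00:01", 400, 4, "services.exe"),
    ("10:00:02", 520, 400, "svchost.exe"),
    ("10:01:10", 1200, 520, "explorer.exe"),
    ("10:02:15", 1340, 1200, "iexplore.exe"),
    ("10:02:40", 1400, 1340, "cmd.exe"),
    ("10:02:45", 1420, 1400, "ftp.exe"),
]

# Constructed network-connection events as (timestamp, pid, proto, destination).
NETWORK_EVENTS = [
    ("10:02:20", 1340, "tcp", "10.0.0.5:80"),
    ("10:02:50", 1420, "tcp", "10.0.0.9:21"),
]


def build_tree(events):
    """Map pid -> (ppid, image) from process-creation events."""
    return {pid: (ppid, image) for _, pid, ppid, image in events}


def ancestry(tree, pid):
    """Image names from pid up to the root; stops at unknown or cyclic pids."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image = tree[pid]
        chain.append(image)
        pid = ppid
    return chain


def correlate(process_events, network_events, shells=("cmd.exe",)):
    """Join each connection to its process ancestry and flag connections made
    by a descendant of an interactive shell (assumed heuristic, not the deck's)."""
    tree = build_tree(process_events)
    findings = []
    for ts, pid, proto, dst in network_events:
        chain = ancestry(tree, pid)
        flagged = any(image in shells for image in chain[1:])
        findings.append({"time": ts, "pid": pid, "proto": proto,
                         "dst": dst, "chain": chain, "flagged": flagged})
    return findings


if __name__ == "__main__":
    for f in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f["time"], f["dst"], " <- ".join(f["chain"]), "FLAG" if f["flagged"] else "")
```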