Detecting Security Violations Based on Multilayered Event Log Processing

• Autorzy: Malec P. , Piwowar M. , Kozakiewicz A. , Lasota K.
• Języki publikacji: EN

Abstrakty

EN

The article proposes a log analysis approach to detection of security violations, based on a four layer design. First layer, named the event source layer, describes sources of information that can be used for misuse investigation. Transport layer represents the method of collecting event data, preserving it in the form of logs and passing it to another layer, called the analysis layer. This third layer is responsible for analyzing the logs' content, picking relevant information and generating security alerts. Last layer, called normalization layer, is custom software which normalizes and correlates produced alerts to raise notice on more complex attacks. Logs from remote hosts are collected by using rsyslog software and OSSEC HIDS with custom decoders and rules is used on a central log server for log analysis. A novel method of handling OSSEC HIDS alerts by their normalization and correlation is proposed. The output can be optionally suppressed to protect the system against alarm flood and reduce the count of messages transmitted in the network.

Słowa kluczowe

EN

HIDS; log analysis; NIDS; syslog

• Wydawca: Instytut Łączności - Państwowy Instytut Badawczy
• Czasopismo: Journal of Telecommunications and Information Technology
• Rocznik: 2015
• Tom: nr 4
• Strony: 30--36
• Opis fizyczny: Bibliogr. 20 poz., rys., tab.

Twórcy

autor

Malec P.

• Research and Academic Computer Network (NASK), Warsaw, Poland

autor

Piwowar M.

• Research and Academic Computer Network (NASK), Warsaw, Poland

autor

Kozakiewicz A.

• Research and Academic Computer Network (NASK), Warsaw, Poland

autor

Lasota K.

• Research and Academic Computer Network (NASK), Warsaw, Poland

Bibliografia

• [1] Rsyslog - The rocket fast system for log proseccing [Online]. Available: http://www.rsyslog.com
• [2] K. Kent and M. Souppaya, "Guide to Computer Security Log Management", National Institute of Standards and Technology (NIST) Special Publication 800-92, 2006.
• [3] K. Julisch and M. Dacier, "Mining intrusion detection alarms for actionable knowledge", in Proc. 8th ACM SIGKDD Int. Conf. Knowl. Discov. Data Mining, Edmonton, Alberta, Canada, 2002, pp. 366-375.
• [4] OSSEC documentation [Online]. Available: http://ossec-docs.readthedocs.org
• [5] H. W. Njogu and L. J. Wei, "Using alert cluster to reduce IDS alerts", in Proc. 3rd IEEE Int. Conf. Comp. Sci. Inform. Technol. ICCSIT 2011, Chengdu, China, 2011, pp. 467-471.
• [6] H. T. Elshoush and I. M. Osman, "Alert correlation in collaborative intelligent intrusion detection systems { A survey", Appl. Soft Comput., vol. 11, pp. 4349{4365, 2011.
• [7] T. H. Nguyen, J. Luo, and H. W. Njogu, "Improving the management of IDS alerts", Int. J. Secur. Its Appl., vol. 8, no. 3, pp. 393-406, 2014.
• [8] A. Oliner, A. Ganapathi, and W. Xu, "Advances and challenges in log analysis", Commun. of the ACM (CACM), vol. 55, no. 2, pp. 55-61, 2012.
• [9] auditd - security guide [Online]. Available: https://access.redhat.com/documentation/en-US/Red Hat Enterprise Linux/6/html/Security Guide/chap-system auditing.html
• [10] "Guide to the Secure Con_guration of Red Hat Enterprise Linux 5", National Security Agency, Revision 4.2, pp. 87-94, 2011.
• [11] AIDE { Advanced Intrusion Detection Environment [Online]. Available: http://aide.sourceforge.net/
• [12] sshd deployment guide [Online]. Available: https://access.redhat.com/documentation/en-US/Red HatEnterpriseLinux/6/html/Deployment Guide/ch-OpenSSH.html
• [13] Using Pluggable Authentication Modules (PAM) [Online]. Available: https://access.redhat.com/documentation/en-US/Red Hat Enterprise Linux/6/html/Managing Smart Cards/Pluggable Authentication Modules.html
• [14] racoon - Linux daemon [Online]. Available: http://linux.die.net/man/8/racoon
• [15] iptables [Online]. Available: https://wiki.centos.org/HowTos/Network/IPTables
• [16] R. Gerhards, The Syslog Protocol, RFC 5424 [Online]. Available: https://tools.ietf.org/html/rfc5424
• [17] Syslog-ng - open source log management [Online]. Available: https://syslog-ng.org/
• [18] K. E. Nawyn, "A Security Analysis of System Event Logging with Syslog", SANS Institute, no. As part of the Information Security Reading Room, 2003.
• [19] L. Ying, Z. Yan, and O. Yang-jia, "The design and implementation of host-based intrusion detection system", in Proc. 3rd Int. Symp. Intell. Inform. Technol. Secur. Informat., Jinggangshan, China, 2010, pp. 595-598.
• [20] J. Timofte, "Intrusion Detection using Open Source Tools", Revista Informatica Economicã, no. 2, vol. 46, pp. 75-79, 2008.