Abstract
This chapter aims at providing a clear and concise picture of data collection for intrusion detection. It provides a detailed explanation of generic data collection mechanism components and the interaction with the environment, from initial triggering to output of log data records. Taxonomies of mechanism characteristics and deployment considerations are provided and discussed. Furthermore, guidelines and hints for mechanism selection and deployment are provided. Finally, this chapter presents a set of strategies for determining what data to collect, and it also discusses some of the challenges in the field. An appendix providing a classification of 50 studied mechanisms is also provided. This chapter aims at assisting intrusion detection system developers, designers, and operators in selecting mechanisms for resource-efficient data collection.
Top
Anderson (1980) proposed to use data collection and analysis as a means of monitoring computer systems for detection of different types of intruders. Denning (1986) proposed An Intrusion-Detection Model and pointed out specific log information that is useful for intrusion detection. Price (1997) then derived the audit data needs of a number of misuse detection systems and investigated how well conventional operating systems (OSs) collection mechanisms met these needs. It was clear from her report that the collection mechanisms lacked useful content. Axelsson et al. (1998) investigated the impact on detection by carefully selecting a set of system calls as input to the detector. Their paper showed that the detection rate improved when a selected set of data was collected. Wagner & Soto (2002) further showed that if insufficient data is recorded, an attack might well be treated as normal behavior.
Kuperman (2004) investigated in his PhD thesis the log data needs of four different types of computer monitoring systems and showed that when log data was carefully selected, the detection rate was improved. Killourhy et al. (2004) discussed the impact of attack manifestations on the ability to detect attacks. Attack manifestations are information items that are not present during normal execution and can thus be the key to reveal attacks. Furthermore, Almgren et al. (2007) investigated what impact the use of different log sources had on detection of web server attacks. It was concluded that the properties of the log sources affect the detection capability. Finally, taxonomies regarding data collection mechanisms in general have also been proposed (Albari, 2008; Delgado et al., 2004; Larus, 1993; Schroeder, 1995). Fessi et al. (2010), discusses a network based IDS, and also provides a comparison of different types of IDS.
Key Terms in this Chapter
Security Log: A security log stores log record in chronological order. The terms security log and audit trail are often used interchangeably within the security community.
Intrusion: The term intrusion is in this context simply defined as an attack on a computer system, resulting in a breach.
Audit Data: A chronological record of system activities.
Intrusion Detection: Intrusion detection is the process of identifying attacks or attack attempts. This process could be performed either manually or automatically.
Intrusion Detection System (IDS): An automated system used to warn operators of intrusions or intrusion attempts. An IDS is implemented in software and/or hardware.
Taxonomy: Taxonomy is the science and practice of classification. Taxonomies are used when categorizing real-life as well as artificial phenomenon and the aim is to make systematic studies easier.
Data Collection: The process of capturing events in a computer system. The result of a data collection operation is a log record. The term logging is often used as a synonym for data collection.