Host Based Intrusion Detection: Analyzing System Logs (PowerPoint transcript)

Learn more at: https://www3.nd.edu

Transcript and Presenter's Notes

1
Host Based Intrusion Detection: Analyzing System Logs
  • Bob Winding, Vikram Ahmed
  • University of Notre Dame
  • 12/13/2006

2
The Problem
  • The number and sophistication of attacks is
    increasing
  • It is hard to know that a system is intact
  • If a system is compromised, what happened?
  • How do we instrument systems for a very high
    level of security or surveillance?
  • How can we analyze the data?

3
Sebek and Honeynet
  • Honeynet project
  • An architecture for hacker surveillance
  • Correlates Kernel logging and network activity
  • Integrates kernel logging, packet capture, and
    IDS detections
  • Tunable and extensible kernel logging
  • Replace system call table entries (Linux)
  • Load time filtering
  • Windows XP: less fully featured implementation
  • Honeywall to control the risk of observing
    intrusions.

4
Our Setup
5
Hacking Windows and Linux
  • Metasploit framework
  • Not a lot of success in hacking Linux
  • Several successful exploits for Windows
  • Problems with Windows Sebek

6
Data Capture Tools
  • Windows XP
  • Windows Perfmon trace facility
  • SysInternals
  • Process Explorer
  • Filemon
  • Sebek
  • Honeynet Snort IDS

7
The Data
  • Process creation / deletion
  • Process ID and parent process ID
  • XP Process Tree
  • Network connections
  • File system activity (open, close, read, write)
  • Keystrokes
  • IDS Events

8
XP Process Tree
9
Analysis
10
Analysis (cont)
11
Performance Observations
  • No formal performance analysis
  • No noticeable performance impact
  • If extensive logging is turned on then there is
    an impact; you can't log everything

12
Conclusions
  • A modest amount of logging can greatly aid in
    forensics or detection
  • OS behavior/design can be leveraged
  • XP Process Tree
  • Combining multiple data sources is needed
  • Honeynet is a good architecture with incomplete
    tools
  • Augmenting Sebek with identified data is needed
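Slide 7 lists the data sources (process creation and deletion with PID and parent PID, network connections, file system activity, IDS events) and slide 12 concludes that combining them is what makes the logging useful. The following Python example is added here to illustrate that combination; it is not code from the presentation or from the Sebek, Honeynet or Sysinternals tools. It rebuilds the XP process tree from PID/PPID creation events and, for each IDS alert, reports the process that accepted a connection from the alert's source and everything that process and its later children spawned, connected to, or wrote. All event records, field layouts, addresses and names below are constructed for the example and do not follow the Perfmon, Filemon, Sebek or Snort record formats.

```python
"""Combine process, network, file and IDS events into a process-tree view.

Added example; the event formats below are constructed for illustration and
are not the Perfmon, Filemon, Sebek or Snort record layouts.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample data. Times are seconds since capture start.
PROCESS_EVENTS = [  # (time, kind, pid, ppid, image)
    (0.0, "create", 4, 0, "System"),
    (0.5, "create", 512, 4, "services.exe"),
    (1.0, "create", 640, 512, "svchost.exe"),
    (2.0, "create", 700, 512, "lsass.exe"),
    (10.0, "create", 1300, 640, "cmd.exe"),      # a service process spawning a shell
    (10.5, "create", 1320, 1300, "ftp.exe"),
    (12.0, "delete", 1320, 1300, "ftp.exe"),
    (15.0, "create", 900, 512, "explorer.exe"),
    (16.0, "create", 950, 900, "notepad.exe"),
]
NET_EVENTS = [  # (time, pid, direction, remote_ip, remote_port)
    (9.8, 640, "in", "198.51.100.7", 445),
    (10.6, 1320, "out", "198.51.100.7", 21),
    (16.5, 900, "out", "192.0.2.10", 80),        # unrelated benign traffic
]
FILE_EVENTS = [  # (time, pid, op, path)
    (11.0, 1320, "write", r"C:\WINDOWS\Temp\dropped_EXAMPLE.exe"),
    (16.2, 950, "open", r"C:\Documents and Settings\user\notes.txt"),
]
IDS_EVENTS = [  # (time, src_ip, signature)
    (9.7, "198.51.100.7", "EXAMPLE inbound exploit attempt"),
]


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    created: float
    ended: Optional[float] = None
    children: List[int] = field(default_factory=list)


def build_tree(events) -> Dict[int, Proc]:
    """Replay creation/deletion events in time order into a PID-keyed tree."""
    procs: Dict[int, Proc] = {}
    for t, kind, pid, ppid, image in sorted(events):
        if kind == "create":
            procs[pid] = Proc(pid, ppid, image, t)
            if ppid in procs:
                procs[ppid].children.append(pid)
        elif kind == "delete" and pid in procs:
            procs[pid].ended = t
    return procs


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from the root down to `pid` (who started whom)."""
    chain = []
    while pid in procs:
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return chain[::-1]


def descendants(procs: Dict[int, Proc], pid: int) -> List[int]:
    """All PIDs below `pid` in the tree, depth first."""
    out, stack = [], list(procs[pid].children) if pid in procs else []
    while stack:
        child = stack.pop()
        out.append(child)
        stack.extend(procs[child].children)
    return out


def correlate(procs, net, files, ids, window: float = 5.0) -> List[dict]:
    """For each IDS alert, find the process that accepted a connection from the
    alert's source within `window` seconds, then gather what that process and
    its later-created descendants spawned, connected to and touched on disk."""
    findings = []
    for alert_t, src_ip, signature in ids:
        for conn_t, pid, direction, rip, _port in net:
            if direction != "in" or rip != src_ip or abs(conn_t - alert_t) > window:
                continue
            later = [c for c in descendants(procs, pid) if procs[c].created >= conn_t]
            related = {pid, *later}
            findings.append({
                "signature": signature,
                "source": src_ip,
                "entry_process": ancestry(procs, pid),
                "spawned": [" > ".join(ancestry(procs, c)) for c in later],
                "connections": [e for e in net if e[1] in related and e[0] > conn_t],
                "files": [e for e in files if e[1] in related and e[0] >= conn_t],
            })
    return findings


if __name__ == "__main__":
    tree = build_tree(PROCESS_EVENTS)
    for finding in correlate(tree, NET_EVENTS, FILE_EVENTS, IDS_EVENTS):
        print(finding["signature"], "from", finding["source"])
        print("  entry:", " > ".join(finding["entry_process"]))
        for line in finding["spawned"]:
            print("  spawned:", line)
        for conn in finding["connections"]:
            print("  connection:", conn)
        for f in finding["files"]:
            print("  file:", f)
```

The parent-PID chain is what turns a flat list of events into a story: on its own, a `cmd.exe` creation is noise, but a `cmd.exe` whose parent is a network-facing service that an IDS alert just pointed at, followed by an outbound transfer and a write under a temp directory, is the sequence an analyst wants surfaced. The time window and the "created after the connection" filter keep unrelated long-running children (here `explorer.exe` and `notepad.exe`) out of the finding.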

13
Questions?