Host Based Intrusion Detection: Analyzing System Logs

1
Host Based Intrusion Detection Analyzing System
Logs

• Bob Winding, Vikram Ahmed
• University of Notre Dame
• 12/13/2006

2
The Problem

• The number and sophistication of attacks is
  increasing
• It is hard to know that a system is intact
• If a system is compromised, what happened?
• How do we instrument systems for a very high
  level of security or surveillance?
• How can we analyze the data?

3
Sebek and Honeynet

• Honeynet project
• An architecture for hacker surveillance
• Correlates Kernel logging and network activity
• Integrates kernel logging, packet capture, and
  IDS detects
• Tunable and extensible kernel logging
• Replace system call table entries (Linux)
• Load time filtering
• Windows XP Less full feature implementation
• Honeywall to control the risk of observing
  intrusions.

4
Our Setup
5
Hacking Windows and Linux

• Metasploit framework
• Not a lot of success in hacking Linux
• Several successful exploits for Windows
• Problems with Windows Sebek

6
Data Capture Tools

• Windows XP
• Windows Perfmon trace facility
• SysInternals
• Process Explorer
• Filemon
• Sebek
• Honeynet Snort IDS

7
The Data

• Process creation / deletion
• Process ID and parent process ID
• XP Process Tree
• Network connections
• File system activity
• (open, close, read, write)
• Keystrokes
• IDS Events

8
XP Process Tree
9
Analysis
10
Analysis (cont)
11
Performance Observations

• No formal performance analysis
• No noticeable performance impact
• If extensive logging is turned on then there is
  an impact You cant log everything

12
Conclusions

• A modest amount of logging can greatly aid in
  forensics or detection
• OS behavior/design can be leveraged
• XP Process Tree
• Combining multiple data sources is needed
• Honeynet is a good architecture with incomplete
  tools
• Augmenting Sebek with identified data is needed

13
Questions?