16th Annual Computer Security Applications Conference
December 11-15, 2000
New Orleans, Louisiana
A Network Audit System for Host-based Intrusion Detection (NASHID) in Linux
Thomas E. Daniels &
Eugene H. Spafford
Recent work has shown that conventional operating system audit trails are insufficient
to detect low-level network attacks. Because audit trails are typically based upon
system calls or application sources, operations in the network protocol
stack go unaudited. Earlier work has determined the audit data needed to detect low-level
In this paper we describe an implementation of an audit system which collects this data and
analyze the issues that guided the implementation.
Finally, we report the performance impact on the system and the rate of audit data accumulation
in a test network.
Read Paper (in PDF)