Extracting attack manifestations to determine log data requirements for intrusion detection

Emilie Lundin Barse
Chalmers University of Technology

Erland Jonsson
Chalmers University of Technology

Log data adapted for intrusion detection is a little explored research
issue despite its importance for successful and efficient detection of
attacks and intrusions. This paper presents a starting point in the
search for suitable log data by providing a framework for determining
log data requirements of attacks. By concentrating on exactly the log
entries added, changed or removed by the attack compared to normal
behaviour, i.e. the attack manifestations, we can determine the log
data that can be selected for detection of the attack. We demonstrate
the use of the framework by studying attacks in different types of log
data. This study indicates that only a limited part of the components
in the log data are actually useful for attack detection. This work
provides some of the fundamentals needed for defining a collection of
log elements that are both sufficient and necessary for detection of a
specific group of attacks, i.e. a new log data source adapted to
intrusion detection.

Keywords: Intrusion detection, attack manifestations, log data, data collection
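The comparison the abstract describes, as an added example that is not the paper's own code: a normal run and an attack run of constructed audit records are compared, the entries the attack adds or removes are extracted as its manifestations, and the log fields that still expose them on their own (plus a greedily reduced field set) are reported. The field names and records are assumptions made for the illustration.

```python
"""Added illustration (not the paper's code): extract attack manifestations,
the entries that appear or disappear when an attack run is compared with a
normal run, and find which log fields carry them. Records are constructed."""

# Constructed audit records: the attack run is the normal session plus one
# attempt by the same user to read a file outside the home directory.
NORMAL_RUN = [
    {"host": "h1", "user": "alice", "cmd": "login", "path": "-", "status": "ok"},
    {"host": "h1", "user": "alice", "cmd": "open", "path": "/home/alice/notes", "status": "ok"},
    {"host": "h1", "user": "alice", "cmd": "logout", "path": "-", "status": "ok"},
]
ATTACK_RUN = [
    {"host": "h1", "user": "alice", "cmd": "login", "path": "-", "status": "ok"},
    {"host": "h1", "user": "alice", "cmd": "open", "path": "/etc/shadow", "status": "denied"},
    {"host": "h1", "user": "alice", "cmd": "open", "path": "/home/alice/notes", "status": "ok"},
    {"host": "h1", "user": "alice", "cmd": "logout", "path": "-", "status": "ok"},
]
FIELDS = ["host", "user", "cmd", "path", "status"]  # assumed log components

def project(run, fields):
    """Distinct entries of a run, reduced to the given fields."""
    return {tuple(rec[f] for f in fields) for rec in run}

def manifestations(normal, attack, fields=FIELDS):
    """Entries added by the attack and entries it removed, as projected tuples.
    Frequency changes (same entry, different count) are not covered here."""
    n, a = project(normal, fields), project(attack, fields)
    return sorted(a - n), sorted(n - a)

def useful_fields(normal, attack, fields=FIELDS):
    """Fields that on their own still expose a manifestation, i.e. a value
    seen only in the attack run or only in the normal run."""
    return [f for f in fields if any(manifestations(normal, attack, [f]))]

def minimal_fields(normal, attack, fields=FIELDS):
    """Greedy reduction: start with all fields and drop a field whenever the
    number of added and removed manifestations stays the same without it.
    Projection can only merge manifestations, so equal counts mean none lost."""
    full_added, full_removed = manifestations(normal, attack, fields)
    kept = list(fields)
    for f in fields:
        trial = [g for g in kept if g != f]
        added, removed = manifestations(normal, attack, trial)
        if len(added) == len(full_added) and len(removed) == len(full_removed):
            kept = trial
    return kept
```

On the sample data only `path` and `status` expose the attack by themselves, and `status` alone preserves the single manifestation; a real study would repeat this over many normal sessions so that legitimate variation is not mistaken for a manifestation.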
