A Structured Approach to Selecting Data Collection Mechanisms for Intrusion Detection

Ulf E. Larson (Chalmers University of Technology, Sweden & Omegapoint, Sweden), Erland Jonsson (Chalmers University of Technology, Sweden) and Stefan Lindskog (Norwegian University of Science and Technology, Norway & Karlstad University, Sweden)
DOI: 10.4018/978-1-60960-836-1.ch001

Abstract

This chapter aims at providing a clear and concise picture of data collection for intrusion detection. It provides a detailed explanation of generic data collection mechanism components and their interaction with the environment, from initial triggering to output of log data records. Taxonomies of mechanism characteristics and deployment considerations are provided and discussed. Furthermore, guidelines and hints for mechanism selection and deployment are provided. The guidelines are intended to assist intrusion detection system developers, designers, and operators in selecting mechanisms for resource efficient data collection.
Chapter Preview

Anderson (Anderson, 1980) proposed to use data collection and analysis as a means of monitoring computer systems for detection of different types of intruders. Denning (Denning, 1986) proposed An Intrusion-Detection Model and pointed out specific log information that is useful for intrusion detection. Price (Price, 1997) then derived the audit data needs of a number of misuse detection systems and investigated how well the collection mechanisms of conventional operating systems (OSs) met these needs. It was clear from her report that the collection mechanisms lacked useful content. Axelsson et al. (Axelsson et al., 1998) investigated the impact on detection of carefully selecting a set of system calls as input to the detector. Their paper showed that the detection rate improved when a selected set of data was collected. Wagner and Soto (Wagner & Soto, 2002) further showed that if insufficient data is recorded, an attack may well be treated as normal behavior.

Kuperman (Kuperman, 2004) investigated in his PhD thesis the log data needs of four different types of computer monitoring systems and showed that when log data was carefully selected, the detection rate improved. Killourhy et al. (Killourhy et al., 2004) discussed the impact of attack manifestations on the ability to detect attacks. Attack manifestations are information items that are not present during normal execution and can thus be the key to revealing attacks. Furthermore, Almgren et al. (Almgren et al., 2007) investigated what impact the use of different log sources had on the detection of web server attacks. It was concluded that the properties of the log sources affect the detection capability. Finally, taxonomies regarding data collection mechanisms in general have also been proposed (Albari, 2008; Delgado et al., 2004; Larus, 1993; Schroeder, 1995). Fessi et al. (Fessi et al., 2010) discuss a network-based IDS and also provide a comparison of different types of IDS.
