The COAST Audit Trail Reduction Group is composed of a number of students and faculty within the COAST Laboratory at Purdue University who are exploring how audit data generated by heterogeneous systems can be efficiently stored and processed for such purposes as the detection of intrusion or misuse.

Purpose of the Group

The purpose of the COAST Audit Trail Reduction Group within COAST is to develop techniques and, ultimately, tools to efficiently reduce audit data, both in the sense of economizing storage space and in the sense of abstracting higher-level, more useful information for security administrators.

Problem Statement

Trusted systems must maintain audit trails of system activity in order that actions counter to policy may be traced back to accountable individuals. Even where foul play is not suspected, audit trails can be useful in restoring data integrity following innocent mistakes or failures of software.

Unfortunately, if an audit trail is to be useful in tracing back an event after the fact, it must at all times record many system events at a fine level of detail. The result is a great volume of data, most of it uninteresting, which must be generated and stored in the hope that, if a suspicious event takes place, the few critical records will be present that are needed to trace the event.

The sheer volume of typical audit trails gives rise to two problems:

  • The expense of storing audit trails can be significant, so space-efficient storage techniques must be developed.
  • The audit trails must be processed somehow to provide security administrators with only the information of interest rather than mountains of data.

Because audit records are generated rapidly in real time, the processing required to address both problems must also be time-efficient.

The two problems are interrelated. Compression techniques applied to reduce storage expense may complicate the later processing of the trail. Conversely, the same techniques used to condense low-level detail into concise information for the security administrator can be used to reduce the information stored. This is a special example of a lossy compression technique, one where the loss can be explicitly tailored according to the needs of the security administrator.

A number of currently available systems provide auditing and include tools for the reduction/abstraction of their own audit trails. However, system designers generally make different decisions regarding what details should be recorded, and the tools tend to be specific to those systems.

In deciding what details to record, designers take a calculated risk which is also inherent whenever details are condensed into higher-level records to save storage. The risk is that, when a suspicious event takes place, key details needed to retrace it may not have been retained. Deciding what best to include in audit trails to minimize this risk is a goal of the COAST Audit Trails Format Group and closely related to the work of this group.

The problem of processing audit trails automatically to report only remarkable sequences of events encompasses audit reduction, misuse detection, and intrusion detection.

To develop better and more general solutions requires reviewing multiple systems, and the effort to develop improved tools is most justified if the tools can be easily adapted to many systems.

Near-Term Goals

  • In cooperation with the COAST Audit Trails Format Group, specify a representation for audit data that can consistently express elements common to many platforms or audit sources and also represent elements specific to a certain platform.
  • Develop a suite of tools using this representation for input and/or output and usable for common data reduction and intrusion or misuse detection tasks. For example:
      • Develop a converter from Sun Basic Security Module native audit format into the new representation.
      • Develop an efficient lossless compression tool optimized to compress the new representation.
      • Specify a language for the description of patterns to be matched against the new data representation for purposes of intrusion or misuse detection or data reduction.
      • Develop an efficient pattern-matching engine accepting multiple patterns described in this language and able to match for any of them in an input stream in the new data representation. One possible action from any state in a pattern should be the production of a properly-formatted new record in the new data representation on a specified output stream.
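As an added illustration of the last goal (example code, not the group's own tools), a small Python engine that matches a multi-state pattern against a stream of audit records and, when the final state is reached, emits one abstracted record in place of the matched low-level detail, the tailored lossy reduction the problem statement describes. The normalized record fields, the Pattern class and the sample trail are assumptions constructed for this example.

```python
"""Toy audit-reduction engine: an added example, not COAST code."""
from collections import defaultdict

# Constructed sample trail in an assumed normalized form (dicts with the
# fields this engine uses); a real converter would produce such records.
SAMPLE_TRAIL = [
    {"t": 100, "event": "login", "user": "alice", "ok": False, "host": "h1"},
    {"t": 105, "event": "login", "user": "alice", "ok": False, "host": "h1"},
    {"t": 107, "event": "exec",  "user": "bob",   "ok": True,  "host": "h1"},
    {"t": 111, "event": "login", "user": "alice", "ok": False, "host": "h1"},
    {"t": 400, "event": "login", "user": "alice", "ok": True,  "host": "h1"},
]

class Pattern:
    """A sequence of per-state predicates that records sharing `key` (e.g.
    the same user) must satisfy inside `window` seconds; `emit` builds the
    abstracted output record once the final state is reached."""
    def __init__(self, name, key, steps, window, emit):
        self.name, self.key, self.steps = name, key, steps
        self.window, self.emit = window, emit

def reduce_stream(records, patterns):
    """Replace each completed pattern with one summary record; records that
    take part in no completed pattern pass through unchanged."""
    out = []
    partial = defaultdict(list)   # (pattern, key value) -> matched records
    for rec in records:
        consumed = False
        for p in patterns:
            buf = partial[(p.name, rec.get(p.key))]
            if buf and rec["t"] - buf[0]["t"] > p.window:
                out.extend(buf)       # window expired: keep the raw detail
                buf.clear()
            if p.steps[len(buf)](rec):
                buf.append(rec)
                consumed = True
                if len(buf) == len(p.steps):
                    out.append(p.emit(buf))   # lossy: matched detail dropped
                    buf.clear()
                break
        if not consumed:              # no pattern advanced: pass through
            out.append(rec)
    for buf in partial.values():      # end of stream: flush partial matches
        out.extend(buf)
    return sorted(out, key=lambda r: r["t"])

failed = lambda r: r["event"] == "login" and not r["ok"]
# Three failed logins by one user within 60 s collapse into one record.
BRUTE = Pattern("repeated_login_failure", "user", [failed] * 3, 60,
    lambda buf: {"t": buf[0]["t"], "event": "repeated_login_failure",
                 "user": buf[0]["user"], "host": buf[0]["host"],
                 "count": len(buf), "span": buf[-1]["t"] - buf[0]["t"]})
```

Running `reduce_stream(SAMPLE_TRAIL, [BRUTE])` turns the five sample records into three: one summary record for alice, bob's exec record, and alice's later successful login.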

Members of the Group

The Audit Trail Reduction Group is composed of the following COAST students and faculty:
  • Gene Spafford, Director
  • Mike Atallah, Faculty
  • Hoi Chang, Graduate Student
  • Chapman Flack, Graduate Student
  • Saumil Shah, Graduate Student
