The Center for Education and Research in Information Assurance and Security (CERIAS)


Paradigms for the Reduction of Audit Trails

Author

Bradford Rice Wetmore

Entry type

phdthesis

Abstract

Most automated packages for intrusion detection focus on determining if a collection of audit data is suspicious. Package developers assume that the System Security Officer (SSO) will combine the results of their tools with a careful inspection of the logs to determine if indeed there is evidence of intrusive activity. In practice, most administrators rely exclusively on the conclusions generated by such packages. As a result, very few methods have been developed to browse the raw audit trails. This thesis presents a new approach to this problem. By treating conceptual entities in an audit trail as objects, a framework for observing how entities interact can be developed. All of the records of interest are first scanned to determine the objects and actions of interest. During this initial scanning phase, the objects are interconnected based on how each affects the other, much like a directed graph. The vertices and edges represent the objects and actions respectively. Then, by focusing initially on one object of interest, an SSO can quickly determine how that object affected or was affected by any other object by noting the direction and type of edge connecting the nodes. Say, for example, a process with limited privilege was able to create a new process with unlimited privileges by executing one action. The two processes are represented by the vertices, and the action of gaining privilege could be represented by a directed edge from the first process to the second. Thus, by focusing on these new objects, the SSO can then determine how other nodes were directly or indirectly affected by the first object simply by following the next set of edges. An initial prototype program was produced and focused on the UNIX operating system model, and was fairly successful in following entities in the audit trail. Later efforts tried to extrapolate the model to more general computational systems.
Of course, the SSO must still possess technical knowledge of any system to fully analyze the data and realize the implications of the actions therein: there is no substitute for such expertise. This thesis presents a new methodology for browsing such data.
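The browsing model described in the abstract, as an added example that is not the thesis's prototype: a constructed UNIX-style audit trail is scanned once into a directed graph of entities and actions, then followed forward from one process to find everything it affected (directly or through further edges) and backward from a file to find what affected it. The record format, entity names and action names are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample audit trail (not from the thesis), one "subject action object"
# event per line. Entities (processes, users, files, hosts) become vertices and
# actions become labelled, directed edges from the entity that acted to the one acted on.
SAMPLE_AUDIT_TRAIL = """\
proc:100 exec proc:200
proc:200 setuid user:root
proc:200 write file:/etc/passwd
proc:200 fork proc:300
proc:300 connect host:10.0.0.5
proc:400 read file:/etc/motd
"""

def parse_records(text):
    """Yield (subject, action, object) triples, ignoring malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield tuple(parts)

def build_graph(records):
    """Initial scanning phase: forward[src] holds (action, dst) edges,
    reverse[dst] holds (action, src) so the SSO can browse either direction."""
    forward, reverse = defaultdict(list), defaultdict(list)
    for subj, action, obj in records:
        forward[subj].append((action, obj))
        reverse[obj].append((action, subj))
    return forward, reverse

def follow(graph, start):
    """Breadth-first walk from one object of interest. Returns {entity: path},
    where path is the list of (from, action, to) edges that connect start to
    the entity; a path longer than one edge is an indirect effect."""
    paths, seen, queue = {}, {start}, deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        for action, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                paths[nxt] = path + [(node, action, nxt)]
                queue.append((nxt, paths[nxt]))
    return paths

if __name__ == "__main__":
    fwd, rev = build_graph(parse_records(SAMPLE_AUDIT_TRAIL))
    # What did the limited-privilege proc:100 affect, directly or indirectly?
    for entity, path in follow(fwd, "proc:100").items():
        print(entity, "via", " ".join(f"{s} -{a}-> {d}" for s, a, d in path))
    # Which entities affected /etc/passwd? (walk the reverse graph)
    print(sorted(follow(rev, "file:/etc/passwd")))
```

Following the forward edges from proc:100 reaches the privileged proc:200 and, through it, the password file and the outbound connection, while proc:400 is never reached because no edge connects it to the starting object.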

Date

1993

Institution

University of California Davis

Key alpha

Wetmore

Publication Date

2001-01-01
