
Application-Integrated Data Collection for Security Monitoring

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2212)

Abstract

This paper describes a new approach to collecting real-time transaction information from a server application and forwarding the data to an intrusion detection system. While the few existing application-based intrusion detection systems tend to read log files, the proposed application-integrated approach uses a module coupled with the application to extract the desired information. The paper describes the advantages of this approach in general, and how it complements traditional network-based and host-based data collection methods. The most compelling benefit is the ability to monitor transactions that are encrypted when transported to the application and therefore not visible to network traffic monitors. Further benefits include full insight into how the application interprets the transaction, and data collection that is independent of network line speed. To evaluate the proposed approach, we designed and implemented a data-collection module for the Apache Web server. Our experiments showed that the required implementation effort was moderate, that existing communication and analysis components could be used without incurring adaptation costs, and that the performance impact on the Web server is tolerable.

Keywords: Intrusion detection, application, application-integrated, module, Web server, Apache.
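As an added illustration (not code from the paper or its Apache module), the following C sketch assembles the kind of transaction record an application-integrated collector could forward to a detector: it records both the raw request line and the server's own decoded interpretation of it, which is what a network sensor cannot see once the transport is encrypted. The record format, the field names and the sample request are constructed assumptions.

```c
/* Added example: build an IDS-bound record from the application's decoded
 * view of a request. The percent-decoding mirrors what an HTTP server does
 * before mapping a URI to a resource, so the collector reports the request
 * as the application interprets it, not as the bytes appeared on the wire. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define REC_MAX 512

/* Percent-decode src into dst. Returns bytes written, or -1 on a malformed
 * escape or when the result would not fit (both are worth reporting). */
static int url_decode(const char *src, char *dst, size_t dstlen) {
    size_t n = 0;
    for (; *src; src++) {
        if (n + 1 >= dstlen) return -1;
        if (*src == '%') {
            if (!isxdigit((unsigned char)src[1]) ||
                !isxdigit((unsigned char)src[2])) return -1;
            char hex[3] = { src[1], src[2], '\0' };
            dst[n++] = (char)strtol(hex, NULL, 16);
            src += 2;
        } else {
            dst[n++] = *src;
        }
    }
    dst[n] = '\0';
    return (int)n;
}

/* Build a pipe-separated record (constructed format). Returns its length,
 * or -1 if the URI could not be decoded or the record does not fit. */
int build_record(const char *client, const char *method, const char *raw_uri,
                 int status, char *out, size_t outlen) {
    char decoded[REC_MAX];
    if (url_decode(raw_uri, decoded, sizeof decoded) < 0) return -1;
    int n = snprintf(out, outlen, "src=%s|method=%s|raw=%s|decoded=%s|status=%d",
                     client, method, raw_uri, decoded, status);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Constructed sample: the wire form carries ".." as %2e%2e; only the
 * decoded field shows the path the server actually evaluated. */
int main(void) {
    char rec[REC_MAX];
    if (build_record("192.0.2.10", "GET", "/docs/%2e%2e/config", 404,
                     rec, sizeof rec) > 0)
        puts(rec);
    return 0;
}
```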

The work described here is currently funded by DARPA/ATO under contract number F30602-99-C-1049 and contract number F30602-98-C-0059. The views herein are those of the author(s) and do not necessarily reflect the views of the supporting agency.




Copyright information

© 2001 Springer-Verlag Berlin Heidelberg

Cite this paper

Almgren, M., Lindqvist, U. (2001). Application-Integrated Data Collection for Security Monitoring. In: Lee, W., Mé, L., Wespi, A. (eds) Recent Advances in Intrusion Detection. RAID 2001. Lecture Notes in Computer Science, vol 2212. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45474-8_2

  • DOI: https://doi.org/10.1007/3-540-45474-8_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-42702-5

  • Online ISBN: 978-3-540-45474-8
