A Comparison of Alternative Audit Sources for Web Server Attack Detection
by Dr. Ulf Lindqvist, Magnus Almgren (lead author) & Erland Jonsson.
M. Almgren, E. Jonsson, and U. Lindqvist, A Comparison of Alternative Audit Sources for Web Server Attack Detection, in Proceedings of the 12th Nordic Workshop on Secure IT Systems (NordSec 2007), Reykjavík University, Reykjavík, Iceland, Oct. 11-12, 2007, pp. 101-112.
Most intrusion detection systems available today use a single audit source for detecting all attacks, even though attacks have distinct manifestations in different parts of the system. In this paper we carry out a theoretical investigation of the role of the audit source in the detection capability of the intrusion detection system (IDS). Concentrating on web server attacks, we examine the attack manifestations available to intrusion detection systems at different abstraction layers, including a network-based IDS, an application-based IDS, and finally a host-based IDS.
Our findings include that attacks indeed have different manifestations depending on the audit source used. Some audit sources may lack any manifestation for certain attacks, and in other cases contain only events that are indirectly connected to the attack in question. This, in turn, affects the reliability of the attack detection if the intrusion detection system uses only a single audit source for collecting security-relevant events. Hence, we conclude that using a multisource detection model increases the probability of detecting a range of attacks directed toward the web server. We also note that this model should account for the detection quality of each attack/audit stream to be able to rank
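The argument above, that an attack can manifest directly, indirectly or not at all in each audit source and that combining sources raises the detection probability, can be made concrete with a small model. The following is an added illustration written for this page, not code or data from the paper: the attack names A1..A4, the manifestation matrix and the per-manifestation detection qualities are all constructed assumptions.

```python
"""Toy multisource detection model illustrating the abstract's argument."""

# Manifestation classes named in the abstract: direct, indirect, or none.
DIRECT, INDIRECT, NONE = "direct", "indirect", "none"

# Assumed detection quality: probability that the IDS watching a source raises
# an alert given how the attack manifests in that source (constructed values).
QUALITY = {DIRECT: 0.9, INDIRECT: 0.4, NONE: 0.0}

SOURCES = ("network", "application", "host")

# Constructed manifestation matrix for hypothetical attacks A1..A4.
# Each row says how one attack shows up in each of the three audit sources.
ATTACKS = {
    "A1": {"network": DIRECT,   "application": DIRECT,   "host": INDIRECT},
    "A2": {"network": NONE,     "application": DIRECT,   "host": INDIRECT},
    "A3": {"network": INDIRECT, "application": NONE,     "host": DIRECT},
    "A4": {"network": NONE,     "application": INDIRECT, "host": NONE},
}


def p_detect(attack, sources):
    """Probability that at least one of `sources` detects `attack`,
    assuming the per-source detections are independent events."""
    p_miss = 1.0
    for src in sources:
        p_miss *= 1.0 - QUALITY[ATTACKS[attack][src]]
    return 1.0 - p_miss


def blind_spots(sources):
    """Attacks that leave no manifestation in any of the given sources."""
    return [a for a in ATTACKS
            if all(ATTACKS[a][s] == NONE for s in sources)]


def coverage(sources):
    """Mean detection probability over all attacks for a set of sources."""
    return sum(p_detect(a, sources) for a in ATTACKS) / len(ATTACKS)


def rank_alerts(alerts):
    """Order (attack, source) alerts by the detection quality of that
    attack/audit-stream pair, best-founded alert first."""
    return sorted(alerts,
                  key=lambda al: QUALITY[ATTACKS[al[0]][al[1]]],
                  reverse=True)


if __name__ == "__main__":
    for src in SOURCES:
        print(f"{src:12s} coverage={coverage((src,)):.3f} blind={blind_spots((src,))}")
    print(f"{'all':12s} coverage={coverage(SOURCES):.3f} blind={blind_spots(SOURCES)}")
```

Under these assumptions the best single source (the application log) covers about 55% of the attack set and every single source has at least one blind spot, while the three sources together cover about 82% with none.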