SRI Logo
About Us|R and D Divisions|Careers|Newsroom|Contact Us|SRI Home
  SRI Logo

A Comparison of Alternative Audit Sources for Web Server Attack Detection
 by Dr. Ulf Lindqvist, Magnus Almgren (lead author) & Erland Jonsson.

M. Almgren, E. Jonsson, and U. Lindqvist, A Comparison of Alternative Audit Sources for Web Server Attack Detection, in Proceedings of the 12th Nordic Workshop on Secure IT Systems (NordSec 2007), Reykjavík University, Reykjavík, Iceland, Oct. 11-12, 2007, pp. 101-112.

Most intrusion detection systems available today are using a single audit source for detecting all attacks, even though attacks have distinct manifestations in different parts of the system. In this paper we carry out a theoretical investigation of the role of the audit source for the detection capability of the intrusion detection system (IDS). Concentrating on web server attacks, we examine the attack manifestations available to intrusion detection systems at different abstraction layers, including a network-based IDS, an application-based IDS, and finally a host-based IDS.
Our findings include that attacks indeed have different manifestations depending on the audit source used. Some audit sources may lack any manifestation for certain attacks, and, in other cases contain only events that are indirectly connected to the attack in question. This, in turn, affects the reliability of the attack detection if the intrusion detection system uses only a single audit source for collecting security-relevant events. Hence, we conclude that using a multisource detection model increases the probability of detecting a range of attacks directed toward the web server. We also note that this model should account for the detection quality of each attack / audit stream to be able to rank alerts.


About Us  |  R&D Divisions  |  Careers  |  Newsroom  |  Contact Us
© 2024 SRI International 333 Ravenswood Avenue, Menlo Park, CA 94025-3493
SRI International is an independent, nonprofit corporation. Privacy policy