Efficient Gathering of Computer Audit Data Before and During Attack

IP.com Disclosure Number: IPCOM000028538D
Original Publication Date: 2004-May-19
Included in the Prior Art Database: 2004-May-19
Document File: 2 page(s) / 45K

Publishing Venue

IBM

Abstract

An idea is disclosed which allows keeping a very large amount of detailed log data of a computer system, not only from the time after an attack but also from some time before the attack.

This is the abbreviated version, containing approximately 52% of the total text.


Meaningful, reliable audit/log traces useful for forensic analysis in computer security are basically a necessity for any security analysis, but they can quickly get very large (e.g. in the order of 100Mb/hour, see [1]), adding a significant performance hit to the monitored computer systems. Therefore in practice only a low level of audit data is gathered, which does not allow a detailed forensic analysis in case of an intrusion (attempt). In case of a successful intrusion on a computer system, the attacker can in most cases change the audit/log traces, thereby making an analysis of the intrusion very hard or destroying the evidence of the intrusion and of its consequences and repercussions.

Current solutions: usually, in security-conscious organizations a compromise is made: a manageable amount of log data (restricted in detail and in the number of machines covered, see e.g. [1], [2]) is sent to a central server (to prevent tampering by an attacker) and stored for a period that allows discovery of an intrusion (attempt) and analysis of the logs before the log data is removed. Alternatively, cryptographic methods are used to make the available logs tamper-resistant and to make the destruction of log data at least detectable [3].

This compromise is unsatisfactory from an intrusion detection standpoint for security and forensic analysis; therefore an additional solution is proposed here.

In normal operation, the monitored computing systems (1) keep extensive audit logs locally (2) or remotely by sending log data to a central logging server (3), but to keep log files manageable, data is only kept for a very limited time, say x minutes (where x is in the order of about 10 minutes, which should correspond to the worst-case reaction time of the deployed intrusion detection system...
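The retention scheme described above is, in effect, a sliding window over the detailed audit stream: every record is kept, but only for the last x minutes, with x chosen to be at least the worst-case reaction time of the intrusion detection system so that the records from before an attack are still in the window when the alert arrives. The following Python is an added illustration written for this page, not code from the disclosure or from IBM. It assumes that an IDS alert is the event that triggers copying the whole window to a durable store (the abstract's stated goal of keeping pre-attack data implies such a step, but the truncated text does not describe it), that audit records arrive in timestamp order, and that the `sink` callable stands in for the central logging server (3) or a tamper-evident store of the kind referenced in [3]. The class and function names are hypothetical.

```python
"""Sliding-window retention of detailed audit data, flushed on an IDS alert.

Added example for the retention scheme described on this page; not the
disclosure's own implementation. Names and the alert-triggered flush are
assumptions, see the lead-in.
"""
from collections import deque
from datetime import datetime, timedelta
from typing import Callable, Deque, List, Tuple

AuditRecord = Tuple[datetime, str]


class SlidingAuditBuffer:
    """Keeps every audit record from the last `window` of time and drops older ones.

    `window` must be at least the worst-case detection latency of the IDS;
    otherwise the records from before the attack have already been expired
    by the time the alert fires.
    """

    def __init__(self, window: timedelta = timedelta(minutes=10)) -> None:
        self.window = window
        self._records: Deque[AuditRecord] = deque()

    def append(self, ts: datetime, line: str) -> None:
        """Store one audit line, then expire everything older than the window.

        Assumes records arrive with non-decreasing timestamps (the usual case
        for a single host's audit stream); expiry only inspects the oldest entry.
        """
        self._records.append((ts, line))
        self.expire(ts)

    def expire(self, now: datetime) -> int:
        """Drop records with timestamp < now - window; returns the number dropped."""
        cutoff = now - self.window
        dropped = 0
        while self._records and self._records[0][0] < cutoff:
            self._records.popleft()
            dropped += 1
        return dropped

    def snapshot(self) -> List[AuditRecord]:
        """Current window contents, oldest first (a copy, safe to hand around)."""
        return list(self._records)

    def preserve(self, sink: Callable[[AuditRecord], None]) -> int:
        """On an IDS alert, push the whole window (pre- and post-attack records)
        to a durable sink that the attacked host cannot modify. Returns the count."""
        count = 0
        for rec in self._records:
            sink(rec)
            count += 1
        return count


def run_scenario(window_minutes: int, alert_minute: int, total_minutes: int) -> dict:
    """Constructed scenario (not data from the disclosure): one audit line per
    minute for `total_minutes` minutes, with an IDS alert at `alert_minute`.

    Returns the lines that reached the durable store and the window size at the end.
    """
    t0 = datetime(2004, 5, 19, 12, 0, 0)
    buf = SlidingAuditBuffer(timedelta(minutes=window_minutes))
    evidence: List[str] = []  # stands in for the central / tamper-evident server

    for minute in range(total_minutes + 1):
        buf.append(t0 + timedelta(minutes=minute), f"audit line {minute}")
        if minute == alert_minute:
            buf.preserve(lambda rec: evidence.append(rec[1]))

    return {"preserved": evidence, "retained_at_end": len(buf.snapshot())}


if __name__ == "__main__":
    # Alert 22 minutes in with a 10 minute window: lines 12..22 are preserved,
    # i.e. the ten minutes before the alert plus the alert minute itself.
    result = run_scenario(window_minutes=10, alert_minute=22, total_minutes=24)
    print(result["preserved"][0], "...", result["preserved"][-1])
    # A window shorter than the detection latency loses the pre-attack records.
    short = run_scenario(window_minutes=3, alert_minute=22, total_minutes=24)
    print("with a 3 minute window only", len(short["preserved"]), "lines survive")
```

The second scenario in the `__main__` block is the check a practitioner should run against a real deployment: if the IDS can take longer to react than the window is wide, the buffer is dropping exactly the evidence the scheme exists to keep. The sink should be the central server or a cryptographically protected store, since a window that only lives on the compromised host is as vulnerable to tampering as any other local log.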