Efficient Gathering of Computer Audit Data Before and During Attack
Original Publication Date: 2004-May-19
Included in the Prior Art Database: 2004-May-19
An idea is disclosed which allows a very large amount of detailed log data of a computer system to be kept not only from the time after an attack, but also from some time before the attack.

In the physical security/video surveillance world, products exist today in which video cameras write their stream into a local buffer that is overwritten after x minutes. In case of an alarm from another sensor (such as a door opening), the system can tell the camera to keep this data plus some more minutes after the event and to send it to the server, where the video snippet is associated with the alarm, thereby capturing data during the alarm/intrusion. Obviously it is especially important that data is also kept from before the alarm until after the alarm.

A similar solution is disclosed here for the area of computer security: extensive logging/auditing can be enabled continuously on the computer system, but the data is only kept for x minutes (in memory, in a round-robin file, etc.), thereby reducing memory and resource consumption. When an alarm from an intrusion detection sensor tells the central server that the host was the target of an attack, the system contacts the host (via a secured channel) and immediately gathers the audit information in the buffer, from before until after the alarm, for analysis and forensics. Optionally, the logging behaviour can be changed to allow more extensive logging, or remote instead of local logging, on the attacked machine. These audit data can be attached to the security alarm and serve for detailed analysis of the intrusion (attempt). Keeping, for example, the process and I/O activity during the attack (starting before the attack) greatly helps with understanding the results of the attack (especially whether it was successful or not, what was changed by the attacker, etc.).
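As an added illustration that is not part of the disclosure, the following Python model shows the host-side mechanism described above: a ring buffer that forgets audit records older than the retention window, an alarm handler that copies the pre-alarm slice out before it is overwritten and keeps collecting for the post-alarm window, and a collect step that hands finished captures to the server. The class and method names (AuditRingBuffer, record, on_alarm, collect) and the sample audit records are assumptions made for this example.

```python
from collections import deque

class AuditRingBuffer:
    """Host-side audit buffer as disclosed above: records are kept only for
    retention_s seconds unless an alarm opens a capture window around them."""

    def __init__(self, retention_s: float):
        self.retention_s = retention_s
        self.events = deque()      # (ts, msg) tuples, oldest first
        self.captures = []         # open captures: {"alarm_ts", "until", "events"}

    def record(self, ts: float, msg: str) -> None:
        self.events.append((ts, msg))
        # round-robin behaviour: forget everything older than the retention window
        while self.events[0][0] < ts - self.retention_s:
            self.events.popleft()
        # records after the alarm go into every capture whose window is still open
        for cap in self.captures:
            if ts <= cap["until"]:
                cap["events"].append((ts, msg))

    def on_alarm(self, alarm_ts: float, pre_s: float, post_s: float) -> dict:
        """Central server reports this host as attack target: copy the pre-alarm
        slice out before the ring buffer overwrites it, then keep collecting post_s."""
        pre = [e for e in self.events if e[0] >= alarm_ts - pre_s]
        cap = {"alarm_ts": alarm_ts, "until": alarm_ts + post_s, "events": pre}
        self.captures.append(cap)
        return cap

    def collect(self, now: float) -> list:
        """Captures whose post-alarm window has elapsed, ready to be sent to the
        server and attached to the alarm; the rest stay open."""
        done = [c for c in self.captures if now >= c["until"]]
        self.captures = [c for c in self.captures if now < c["until"]]
        return done

def run_demo() -> list:
    buf = AuditRingBuffer(retention_s=300)       # keep only the last 5 minutes
    # constructed sample audit records: (seconds since boot, message)
    for ts, msg in [(0, "exec /usr/sbin/sshd"), (100, "login alice"),
                    (400, "exec /bin/bash uid=1001"), (410, "open /etc/shadow")]:
        buf.record(ts, msg)
    # IDS sensor flags the host at t=425; server asks for 60 s before, 30 s after
    buf.on_alarm(alarm_ts=425, pre_s=60, post_s=30)
    for ts, msg in [(430, "connect outbound tcp/4444"), (440, "exec /usr/bin/id"),
                    (700, "logout alice")]:
        buf.record(ts, msg)
    done = buf.collect(now=700)
    return [msg for _, msg in done[0]["events"]] if done else []
```

Note that the records from t=0 and t=100 have already been dropped by the retention window when the alarm arrives, while the t=700 record falls outside the post-alarm window; only the four records around the alarm are attached to it.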