
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.

1 Title slide

2 The Problem
The number and sophistication of attacks is increasing.
It is hard to "know" that a system is intact.
If a system is compromised, what happened?
How do we instrument systems for a very high level of security or surveillance?
How can we analyze the data?

3 Sebek and Honeynet
Honeynet project
– An architecture for hacker surveillance
– Correlates kernel logging and network activity: integrates kernel logging, packet capture, and IDS events
– Tunable and extensible kernel logging: replaces system call table entries (Linux); load-time filtering; the Windows XP port is a less fully featured implementation
– Honeywall to control the risk of observing intrusions

4 Our Setup

5 Hacking Windows and Linux
Metasploit framework
Not a lot of success in hacking Linux
Several successful exploits for Windows
Problems with Windows Sebek

6 Data Capture Tools
Windows XP
– Windows Perfmon trace facility
– SysInternals: Process Explorer, Filemon
Sebek (Honeynet)
Snort IDS

7 The Data
Process creation / deletion
– Process ID and parent process ID
– XP Process Tree
Network connections
File system activity (open, close, read, write)
Keystrokes
IDS events

8 XP Process Tree

9 Analysis

10 Analysis (cont.)

11 Performance Observations
No formal performance analysis
No noticeable performance impact
If extensive logging is turned on, there is an impact
– You can't log everything

12 Conclusions
A modest amount of logging can greatly aid in forensics or detection
OS behavior/design can be leveraged
– XP Process Tree
Combining multiple data sources is needed
Honeynet is a good architecture with incomplete tools
– Augmenting Sebek with the identified data is needed
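As an added example (not code from the talk, and not part of the Honeynet/Sebek or Sysinternals tools), the following Python shows the two ideas from slides 7 and 12 in working form: rebuilding the XP-style process tree from process creation/deletion records with PID and parent PID, then combining that with a second data source (per-process network connections) to flag a shell spawned by a service host right after an inbound connection. The comma-separated log formats, the sample records, and the SHELLS/SERVICE_HOSTS lists are constructed assumptions for illustration, not the Perfmon, Sebek or Snort formats used in the talk.

```python
"""Rebuild a process tree from creation/deletion records and correlate it
with network connections.  Added example; log formats are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample (not real capture data): timestamp,event,pid,ppid,image
PROCESS_LOG = """\
10:00:01,create,4,0,System
10:00:02,create,600,4,smss.exe
10:00:03,create,700,600,winlogon.exe
10:00:04,create,800,700,services.exe
10:00:05,create,1050,800,svchost.exe
10:00:06,create,1400,700,explorer.exe
10:01:10,create,1500,1400,notepad.exe
10:02:30,create,1620,1050,cmd.exe
10:02:31,create,1640,1620,ftp.exe
10:03:00,delete,1500,1400,notepad.exe
"""

# Constructed sample: timestamp,pid,direction,remote_endpoint
NETWORK_LOG = """\
10:02:29,1050,inbound,192.0.2.10:4444
10:02:32,1640,outbound,192.0.2.10:21
"""

# Assumed image-name lists for this example; tune them per environment.
SHELLS = {"cmd.exe", "command.com"}
SERVICE_HOSTS = {"svchost.exe", "services.exe", "lsass.exe", "inetinfo.exe"}


@dataclass
class Process:
    pid: int
    ppid: int
    image: str
    created: datetime
    ended: Optional[datetime] = None
    children: List[int] = field(default_factory=list)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%H:%M:%S")


def parse_process_log(text: str) -> Dict[int, Process]:
    """Map pid -> Process.  Exited processes are kept (with `ended` set) so the
    tree can still be reconstructed after the fact, which forensics needs."""
    procs: Dict[int, Process] = {}
    for line in text.strip().splitlines():
        ts, event, pid, ppid, image = line.split(",")
        pid, ppid = int(pid), int(ppid)
        if event == "create":
            procs[pid] = Process(pid, ppid, image, _ts(ts))
        elif event == "delete" and pid in procs:
            procs[pid].ended = _ts(ts)
    for p in procs.values():          # second pass: link children to parents
        if p.ppid in procs:
            procs[p.ppid].children.append(p.pid)
    return procs


def parse_network_log(text: str) -> Dict[int, list]:
    """Map pid -> [(time, direction, remote_endpoint), ...]."""
    conns = defaultdict(list)
    for line in text.strip().splitlines():
        ts, pid, direction, remote = line.split(",")
        conns[int(pid)].append((_ts(ts), direction, remote))
    return conns


def lineage(procs: Dict[int, Process], pid: int) -> List[str]:
    """Image names from the root ancestor down to pid.  The visited set
    guards against cycles introduced by PID reuse in a long capture."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return chain[::-1]


def descendants(procs: Dict[int, Process], pid: int) -> List[int]:
    """All pids below pid in the tree (depth-first)."""
    out, stack = [], list(procs[pid].children)
    while stack:
        c = stack.pop()
        out.append(c)
        stack.extend(procs[c].children)
    return out


def find_suspicious_shells(procs, conns, window=timedelta(seconds=120)):
    """Flag a shell whose parent is a service host that accepted an inbound
    connection within `window` before the shell was created: neither record
    alone is alarming, the combination is."""
    findings = []
    for p in procs.values():
        if p.image.lower() not in SHELLS:
            continue
        parent = procs.get(p.ppid)
        if parent is None or parent.image.lower() not in SERVICE_HOSTS:
            continue
        recent = [c for c in conns.get(parent.pid, [])
                  if c[1] == "inbound" and timedelta(0) <= p.created - c[0] <= window]
        if recent:
            findings.append({
                "pid": p.pid,
                "lineage": lineage(procs, p.pid),
                "remote": recent[-1][2],
                "descendants": [procs[c].image for c in descendants(procs, p.pid)],
            })
    return findings


if __name__ == "__main__":
    procs = parse_process_log(PROCESS_LOG)
    conns = parse_network_log(NETWORK_LOG)
    for f in find_suspicious_shells(procs, conns):
        print(f"pid {f['pid']}: {' > '.join(f['lineage'])} after inbound "
              f"{f['remote']}; spawned {f['descendants']}")
```

On the constructed data the only hit is cmd.exe (pid 1620) under svchost.exe, reported with its full lineage back to System and with the ftp.exe it went on to launch; notepad.exe under explorer.exe is never flagged even though it is a user-launched process, because the rule keys on the service-host parent plus the preceding inbound connection rather than on any single event.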

13 Questions?

