FYI -- Advanced Security audit trail Analysis on uniX (ASAX)
daemon@ATHENA.MIT.EDU (Abdelaziz MOUNJI )
Thu Mar 30 13:51:10 1995
Date: Thu, 30 Mar 95 17:02:18 +0100
From: amo@info.fundp.ac.be (Abdelaziz MOUNJI )
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
Hi there,
Following the previous posting about known IDSs, here is an abstract
about ASAX.
The ASAX project is in two stages. During the first (2 years)
stage, we developed a SINGLE HOST AUDIT TRAIL ANALYSIS system. In the
second stage, a DISTRIBUTED AUDIT TRAIL ANALYSIS system was built.
The main features of each system are outlined below:
1. SINGLE HOST AUDIT TRAIL ANALYSIS
Universality:
-------------
Is addressed thanks to the normalized audit file format (NADF).
This NADF format is universal in the sense that we believe that
all existing (and future) audit trails can be translated into it
in a sufficiently straightforward way. Audit trail analysis is
performed on normalized audit trails only. In addition, so-called
Format Adaptors will be provided to translate native audit trails
into normalized format. We have so far developed Format Adaptors
for SunOS 4.1.1, BS2000 and SINIX. A generic Format Adaptor is under
study.
Power:
------
Is provided by the language RUSSEL (RUle-baSed and Sequence Evaluation
Language), which allows complex selection criteria dealing with
arbitrarily long sequences of records to be expressed while still
processing the file sequentially *from left to right*. This last feature
is of course mandatory to ensure efficiency, as the amount of data to be
processed is very large. The basic principle is that the information about
the past is stored in a set of active evaluation rules that are used to
analyse the next audit record. Those rules may also trigger new rules
for the analysis of the remaining records. RUSSEL is tailor-made for the
audit trail analysis problem.
Efficiency:
-----------
Is achieved on the one hand by the very principle of the rule-based
language, which allows each record to be processed only once, and, on the
other hand, by efficient implementation techniques. In addition, ASAX is an
on-line system.
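To make the rule-triggering principle described under Power and Efficiency concrete, here is a small single-pass analyser in that spirit. It is an added illustration, not ASAX or RUSSEL code: plain dicts stand in for NADF records, the field names (event/user/result) are assumed, and the two rules (a persistent failed-login counter that triggers a short-lived watch for a subsequent successful login by the same user) are invented for the example.

```python
# Toy single-pass, rule-triggering analyser in the spirit of RUSSEL as described above.
# Added illustration, not ASAX code: dicts stand in for NADF records; field names assumed.
from typing import Dict, List

def analyse(records: List[dict], initial_rules: list) -> List[str]:
    """One left-to-right pass: each active rule sees the current record and returns
    the rules to activate for the next one, so no record is ever read twice."""
    alerts: List[str] = []
    active = list(initial_rules)
    for rec in records:
        next_active: list = []
        for rule in active:
            next_active.extend(rule(rec, alerts))
        active = next_active
    return alerts

def failed_login_watch(threshold: int = 3):
    """Persistent rule: count consecutive failed logins per user and, at the
    threshold, trigger a follow-up rule that watches that user."""
    counts: Dict[str, int] = {}
    def rule(rec: dict, alerts: List[str]) -> list:
        new_rules = [rule]                        # stay active for the next record
        if rec["event"] == "login":
            user = rec["user"]
            if rec["result"] == "failure":
                counts[user] = counts.get(user, 0) + 1
                if counts[user] == threshold:
                    new_rules.append(success_after_failures(user))
            else:
                counts.pop(user, None)            # a success resets the count
        return new_rules
    return rule

def success_after_failures(user: str, window: int = 5):
    """Triggered rule: alert if `user` logs in successfully within the next
    `window` records; retires on that user's next login or when the window ends."""
    remaining = window
    def rule(rec: dict, alerts: List[str]) -> list:
        nonlocal remaining
        if rec["event"] == "login" and rec["user"] == user:
            if rec["result"] == "success":
                alerts.append(f"success after repeated failures: {user}")
            return []                             # satisfied or cleared: retire
        remaining -= 1
        return [rule] if remaining > 0 else []
    return rule

SAMPLE_AUDIT = [{"event": "login", "user": u, "result": r} for u, r in   # constructed
               [("alice", "failure"), ("alice", "failure"), ("bob", "success"),
                ("alice", "failure"), ("alice", "success")]]
```

Running `analyse(SAMPLE_AUDIT, [failed_login_watch(3)])` yields one alert for alice; a trail that stops before her successful login yields none, and the triggered watch expires after five unrelated records.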
2. DISTRIBUTED AUDIT TRAIL ANALYSIS
This system is a distributed on-line system capable of performing
efficient, intelligent and network-level analysis of security audit
trails in a network of SUN workstations. The distributed system is
in fact an extension of the SINGLE HOST AUDIT TRAIL ANALYSIS system
outlined above.
At the network level, the system consists of one central or master machine
and one or more slave machines. Slave machines analyze their local audit
trails and send the filtered audit records to the master machine which
then performs a more intelligent analysis. The filtering of audit data at
each node has all of the features of the SINGLE HOST AUDIT TRAIL ANALYSIS.
These two systems are prototype versions. At present, only the SINGLE HOST
AUDIT TRAIL ANALYSIS is publicly available from the following sites:
ftp.info.fundp.ac.be:/pub/projects/asax
ftp://ftp.info.fundp.ac.be/pub/projects/asax
ftp://www.info.fundp.ac.be/~amo
ftp://coast.cs.purdue.edu/pub/tools/unix/asax
All reports and conference papers are included in the above archives.
I am now using the idea behind Kuang (part of COPS) to make ASAX assess
the file protection of security sensitive files ON-LINE. As soon as a
vulnerability is found, it is reported (obviously) AND rules are triggered
automatically to watch for attacks exploiting it. This makes the system
predictive. Furthermore, we are developing a (rule-based) language
to express how file protections can be exploited. In Kuang these rules
were hard coded.
Collaboration welcome.
Aziz-
--------------------------+-------------------------------------
| Abdelaziz Mounji | amo@info.fundp.ac.be |
| ASAX project | http://www.info.fundp.ac.be/~amo |
| Institut d'Informatique | voice: +32 81 724987 |
| University of Namur | Fax : +32 81 724967 |
----------------------------------------------------------------