A Structured Overview of Data Collection with a Focus on Intrusion Detection

Larson, Ulf E. (author)
Jonsson, Erland (author)
Lindskog, Stefan (author)
Karlstads universitet, Avdelningen för datavetenskap, Centrum för HumanIT
2008
English.
  • Report (peer-reviewed)
Abstract
  • Collection and analysis of audit data is a critical component in many computer-related activities, such as debugging, measurement, and detection. Data is required to be correct and to be delivered in a timely fashion. Additionally, the data should be sparse to reduce the amount of resources used to collect and store it. At the same time, the data must contain the necessary attributes with respect to the goal of the collection. The production of audit data depends directly on the deployed data collection mechanisms. Adequate mechanism knowledge is thus a critical resource for software developers, security officers, and system administrators and operators. This report aims at providing a clear and concise picture of how data collection mechanisms work. It provides a detailed explanation of generic data collection mechanism components and the interaction with the environment, from initial triggering to output of log data records. Furthermore, it provides a taxonomy of mechanism characteristics based on previously published theoretical results [43, 44]. Guidelines and hints for mechanism selection are provided and examples of application fields that benefit from proper mechanism knowledge are presented. An extensive appendix contains 50 surveyed mechanisms. We believe that the classification and the guidelines can be used to assist system administrators and operators in performing resource-efficient mechanism selection. The guidelines and the classification can also be used when a specific type of data collection is desired. For example, it is easy to find out what mechanisms collect samples for execution profiling, and what mechanisms can be reconfigured without the need for restart. This is a valuable source of information that reduces the need to browse multiple manual pages and whitepapers to find the desired mechanism. Furthermore, by using the selection guidelines, we can obtain a more resource-efficient data collection and obtain a more accurate data analysis.

Subject headings

NATURAL SCIENCES -- Computer and Information Sciences -- Computer Sciences (hsv//eng)

Keywords

data collection
intrusion
intrusion detection
logging
taxonomy
Computer Science

Publication and content type

ref (subject category)
rap (subject category)
