A Comparison of Alternative Audit Sources for Web Server Attack Detection

• Most intrusion detection systems available today are usinga single audit source for detecting all attacks, eventhough attacks have distinct manifestations in differentparts of the system. In this paper we carry out a theoretical investigation of the role of the audit source for the detection capability of the intrusion detection system (IDS). Concentrating on web server attacks, we examine the attack manifestations available to intrusiondetection systems at different abstraction layers, includinga network-based IDS, an application-based IDS, andfinally a host-based IDS.Our findings include that attacks indeed have differentmanifestations depending on the audit source used. Someaudit sources may lack any manifestation for certain attacks, and, in other cases contain only events that are indirectly connected to the attack in question. This, in turn, affects the reliability of the attack detection if the intrusion detection system uses only a single audit source for collecting security-relevant events. Hence, we conclude that using a multisource detection model increases the probability of detecting a range of attacks directed toward the web server. We also note that this model should account for the detection quality of each attack / audit stream to be able to rank alerts.Keywords: intrusion detection, attack manifestations

Ämnesord

NATURVETENSKAP  -- Data- och informationsvetenskap -- Datavetenskap (hsv//swe)

NATURAL SCIENCES  -- Computer and Information Sciences -- Computer Sciences (hsv//eng)

Nyckelord

intrusion detection

attack manifestations

Publikations- och innehållstyp

kon (ämneskategori)

ref (ämneskategori)