I. INTRODUCTION
Security audit is an important part of information security
management, and the event log plays a central role in it. However,
when a security auditor faces a large volume of logs stored as
individual records, browsing and analyzing them by hand is
impractical. Acquiring sensitive security audit events (SSAE) and
visualizing the correlations among them is therefore important for
security audit.
There are several difficulties in achieving this goal. Firstly,
audit events are numerous and of many kinds, and some of them
carry little useful information. Secondly, audit events generally
have a property called urgency level, whose value can be warning,
error, information and so on, but this level often does not reflect
a potential threat, so SSAE cannot be acquired from that event
property alone. Thirdly, visualizing the correlation of audit events
is best done on the basis of an event visualization model theory,
but there is no related work at present.
To overcome these problems, Section III starts from the selection
of sensitive event objects and then acquires SSAE. Section IV gives
a security audit event visualization model. Section V gives the
process for acquiring the causal relationships among events.
Section VI gives an experimental example, and Section VII
concludes.
II. RELATED WORKS
Currently there are a number of log analysis tools and techniques
[1]. Their event correlation methods are mainly used for
network fault management, and some of them have been applied
to security management and intrusion detection. But they
Subject (Certificate)   Actions (objects)
Root (key)              Read(A,B), Write(A,B)
User (passwords)        Read(A,B), Write(B)
Anonymous ( )           Read(A,B)
Action           Prerequisite                          Consequence
IPSweep          Access(SrcIP)                         IsAlive(DestIP)
PortScan         Access(SrcIP) and IsAlive(DestIP)     OpenPort(DestIP, Port)
Chaos query      ExistService(DestIP, DNS)             DNSVersion(DestIP, Version)
TSIG overflow    DNSVersion(DestIP, ISC BIND 8.2.2)    Access(DestIP)
FTP              IsAlive(DestIP)                       FTPVersion(DestIP, Version)
Wuftp overflow   FTPVersion(DestIP, wuftp2.6.2)        Access(DestIP)
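The table above lists static rules in prerequisite/consequence form. The following is an added worked example (illustration code written for this page, not the paper's own program) of how such rules correlate audit events: each consequence of an earlier event is instantiated with that event's fields and matched against the prerequisites of later events, and the resulting edges are followed into causal chains. The rule table is transcribed from the page; the constructed audit events, the treatment of SrcIP/DestIP/Port/Version as variables bound from event fields, and the implication "OpenPort(DestIP, 53) gives ExistService(DestIP, DNS)" are assumptions made here, the last because the table alone never connects a PortScan to a Chaos query.

```python
# Static rules transcribed from the prerequisite/consequence table above.
# Each rule is (prerequisites, consequences); a predicate is (name, args).
# Argument names listed in VARIABLES are bound from the audit event's fields
# (an assumption); every other argument (DNS, ISC BIND 8.2.2, wuftp2.6.2)
# is a literal.
VARIABLES = {"SrcIP", "DestIP", "Port", "Version"}

STATIC_RULES = {
    "IPSweep":        ([("Access", ("SrcIP",))],
                       [("IsAlive", ("DestIP",))]),
    "PortScan":       ([("Access", ("SrcIP",)), ("IsAlive", ("DestIP",))],
                       [("OpenPort", ("DestIP", "Port"))]),
    "Chaos query":    ([("ExistService", ("DestIP", "DNS"))],
                       [("DNSVersion", ("DestIP", "Version"))]),
    "TSIG overflow":  ([("DNSVersion", ("DestIP", "ISC BIND 8.2.2"))],
                       [("Access", ("DestIP",))]),
    "FTP":            ([("IsAlive", ("DestIP",))],
                       [("FTPVersion", ("DestIP", "Version"))]),
    "Wuftp overflow": ([("FTPVersion", ("DestIP", "wuftp2.6.2"))],
                       [("Access", ("DestIP",))]),
}


def implied(fact):
    """Assumed implication, not in the table: an open port 53 means a DNS
    service exists. Without some such rule the PortScan -> Chaos query link
    can never be made, because OpenPort and ExistService never unify."""
    name, args = fact
    if name == "OpenPort" and args[1] == "53":
        yield ("ExistService", (args[0], "DNS"))


def instantiate(pred, event):
    """Replace variable arguments with the event's field values. A variable
    the event lacks stays as its name, so it can never match a real fact."""
    name, args = pred
    return (name, tuple(str(event.get(a, a)) if a in VARIABLES else a
                        for a in args))


def prerequisites(event):
    pre, _ = STATIC_RULES.get(event["action"], ([], []))
    return {instantiate(p, event) for p in pre}


def consequences(event):
    _, post = STATIC_RULES.get(event["action"], ([], []))
    facts = {instantiate(p, event) for p in post}
    for fact in list(facts):
        facts.update(implied(fact))
    return facts


def correlate(events):
    """Link an earlier event to a later one when one of its instantiated
    consequences is a prerequisite of the later event. Returns (id, id) edges."""
    ordered = sorted(events, key=lambda e: e["time"])
    edges = []
    for i, earlier in enumerate(ordered):
        post = consequences(earlier)
        for later in ordered[i + 1:]:
            if post & prerequisites(later):
                edges.append((earlier["id"], later["id"]))
    return edges


def causal_chains(edges):
    """Follow the edges from events nothing points to; each chain is one
    candidate attack scenario to draw in the visualization."""
    successors = {}
    for src, dst in edges:
        successors.setdefault(src, []).append(dst)
    targets = {dst for _, dst in edges}
    chains = []

    def walk(node, path):
        if node not in successors:
            chains.append(path)
            return
        for nxt in successors[node]:
            walk(nxt, path + [nxt])

    for root in successors:
        if root not in targets:
            walk(root, [root])
    return chains


# Constructed audit events (not data from the paper): one DNS attack chain
# against 10.0.0.9, plus an unrelated sweep and an overflow whose
# prerequisite was never observed.
AUDIT_EVENTS = [
    {"id": 1, "time": 1, "action": "IPSweep", "SrcIP": "10.0.0.5", "DestIP": "10.0.0.9"},
    {"id": 2, "time": 2, "action": "PortScan", "SrcIP": "10.0.0.5", "DestIP": "10.0.0.9", "Port": 53},
    {"id": 3, "time": 3, "action": "Chaos query", "SrcIP": "10.0.0.5", "DestIP": "10.0.0.9",
     "Version": "ISC BIND 8.2.2"},
    {"id": 4, "time": 4, "action": "TSIG overflow", "SrcIP": "10.0.0.5", "DestIP": "10.0.0.9"},
    {"id": 5, "time": 5, "action": "IPSweep", "SrcIP": "10.0.0.7", "DestIP": "10.0.0.22"},
    {"id": 6, "time": 6, "action": "TSIG overflow", "SrcIP": "10.0.0.7", "DestIP": "10.0.0.22"},
]

if __name__ == "__main__":
    found = correlate(AUDIT_EVENTS)
    print("edges:", found)
    print("chains:", causal_chains(found))
```

Events 5 and 6 stay unlinked: the second overflow has no preceding DNSVersion fact for its target, so the rules give no reason to join it to the sweep, which is exactly the kind of gap an auditor would want to see rather than have papered over.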
exceeds MinSup in E.
2) Increase the sliding window length (len = len + 1), align the left
boundary of the window with $e_1$, and obtain the subsequence $Sub_1 = \{e_1, e_2, \ldots, e_{len}\}$.
3) Slide the window until its right boundary reaches $e_n$; after every
sliding step a subsequence of length len is obtained. When sliding is
finished there are $n-len+1$ subsequences of length len,
$Sub_i = \{e_i, e_{i+1}, \ldots, e_{i+len-1}\}$ ($i = 1, 2, \ldots, n-len+1$). Compute the
support of these $n-len+1$ subsequences and keep those whose support
meets MinSup.
4) Repeat steps 2 and 3 until len = Maxlen.
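The sliding-window mining of steps 1 to 4, written out in Python as an added example (this is not the paper's own code). The single event sequence E, MinSup and Maxlen are the page's notions; the definition of support as the number of occurrences of a subsequence divided by the n-len+1 windows of its length is an assumption made here, as is the constructed command sequence used as input.

```python
from collections import Counter


def sliding_windows(events, length):
    """Yield the n-len+1 contiguous subsequences Sub_i = {e_i ... e_{i+len-1}}
    obtained by sliding a window of the given length over E."""
    n = len(events)
    for i in range(n - length + 1):
        yield tuple(events[i:i + length])


def mine_sequence_patterns(events, min_sup, max_len):
    """Steps 1 to 4: for len = 1 .. Maxlen, slide the window over E, count
    every subsequence and keep those whose support meets MinSup.

    Assumption (not stated on the page): the support of a subsequence of
    length len is its number of occurrences divided by the n-len+1 windows
    of that length."""
    patterns = {}
    for length in range(1, max_len + 1):   # step 1 starts at len = 1, step 4 stops at Maxlen
        windows = list(sliding_windows(events, length))   # steps 2 and 3
        if not windows:                     # window longer than E: nothing left to slide
            break
        counts = Counter(windows)
        for sub, occurrences in counts.items():
            support = occurrences / len(windows)
            if support >= min_sup:
                patterns[sub] = round(support, 4)
    return patterns


def as_rule(sub):
    """Render a mined subsequence in the 'su->tcsh->ls' notation of Table III."""
    return "->".join(sub)


# Constructed command sequence of one user (not data from the paper).
E = ["su", "tcsh", "ls", "mail",
     "su", "tcsh", "ls", "df",
     "su", "tcsh", "ls", "cat /etc/passwd"]

if __name__ == "__main__":
    mined = mine_sequence_patterns(E, min_sup=0.25, max_len=4)
    for sub, sup in sorted(mined.items(), key=lambda kv: (-len(kv[0]), -kv[1])):
        print(f"{sup:>6.0%}  {as_rule(sub)}")
```

With MinSup = 25% and Maxlen = 4 on this sequence, su->tcsh->ls is kept at 30% (3 of the 10 length-3 windows) while every length-4 window occurs once and is dropped; raising Maxlen further therefore costs nothing but time, which is why the loop also stops early once the window outgrows E.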
Some examples of dynamic rules are given in Table III; the
sequence patterns reflect the users' command habits.
TABLE III
DYNAMIC RULES ACQUIRED BY SEQUENCE MINING
MinSup   Sequence pattern
30%      su->tcsh->ls
40%      ls->ls/etc
15%      ls->mail->su->tcsh->ls->df
20%      ls->cat/etc/passwd
From the static and dynamic rules above we obtain the causal
relationships among audit events. The experiment is given in
Section VI.
VI. EXPERIMENTS
TABLE V
DYNAMIC RULES ACQUIRED IN EXPERIMENT
User     Sequence pattern                                                                                        MinSup
Wu       (network_http, google.cn)->(network_load, xxx.pdf)                                                      10%
Liangz   (app, msdev.exe)->(app, softtice.exe)->(app, vmware.exe)                                                15%
pj       (log_in, firewall)->(file_read, firewalllog)->(policy_mod, xxx.policy)                                  15%
yongw    (log_in, managecenter)->(policy_check, xxx.policy)                                                      10%
kk       (app, word.exe)->(file_rename, xx.word)->(file_copy, xxx.word)->(file_new, xxx.word)                    12%
jingyu   (network_http, business.sohu.com)->(app, ztzq.exe)->(app, ztjy.exe)->(network_http, guba.com)          15%
yuhan    (network_http, 163.com)->(network_email, xxx.txt)                                                       10%
baby     (network_http, baidu.com)->(network_load, xxx.mp3)->(app, TTplayer.exe)                                 8%
sweet    (app, ppt.exe)->(device_add, mobiledeviceA)->(file_new, xxx.ppt)->(device_del, mobiledeviceA)           18%
ACKNOWLEDGMENT
Financial support from the China 863 project is gratefully
acknowledged, as are the helpful comments of the reviewers.
REFERENCES
[1] R. Vaarandi. SEC - a lightweight event correlation tool. Proceedings of the 2002 IEEE Workshop on IP Operations and Management, pp. 111-115, 2002.
[2] T. Takada and H. Koike. Tudumi: information visualization system for monitoring and auditing computer logs. Proceedings of the Sixth International Conference on Information Visualization (IV'02), 2002.
[3] S.G. Eick and P.J. Lucas. Displaying trace files. Software Practice and Experience, Vol. 26, No. 4, pp. 399-409, 1996.
[4] R.A. Becker, S.G. Eick and A.R. Wilks. Visualizing network data. IEEE Transactions on Visualization and Computer Graphics, Vol. 1, No. 1, pp. 16-28, 1995.