The Audit Trails Format Group is composed of a number of students and faculty within the COAST Laboratory at Purdue University who are interested in exploring auditing for intrusion detection.

Purpose of the Group

The purpose for the Audit Trails Format Group within COAST is to analyze audit trails to determine the format that is needed for detecting computer intrusions and misuse.

Format refers to the data contained in the audit trails as well as their structure. Questions the group is interested in answering include:

  • What data content would be helpful for detecting intrusions and computer misuse?
  • What data format would be helpful for detecting intrusions and computer misuse?

The answers to these questions will prove valuable during the development of a standard for audit trails to support intrusion and computer misuse detection.

The Need for a Standard for Audit Trails

There is no widely accepted standard for audit data. Each auditing system has its own ad-hoc standard for format and content. The format for audit trails varies greatly from system to system, and each system gathers different data based on what the developer believed was important. The disparity in format and content of audit data impedes progress in intrusion detection.

Current auditing systems often do not supply enough data, and so intrusions are not being detected because of insufficient evidence. Detection tools are often designed for a particular audit source, and migration to a new source is difficult because of the disparity of the data available in different systems and problems with format conversion. To uncover sophisticated attacks, detection systems must analyze data from multiple sources but the disparity in audit data makes the reconciliation of data from multiple sources very difficult. A standard for format and content of audit data would help overcome these problems.

Much research and effort has been devoted to developing efficient and effective intrusion detection systems, but little work has been devoted towards analyzing the input to these systems. The purpose of our group is to determine what data is needed by intrusion detection systems and a common format for storing the data.

Near-Term Goals

Our group has a number of different goals for this project including:

  • determining what data would be useful for detection systems in detecting intruders and misusers
  • determining how to gather and maintain this data in a generic format

Related Information

Current Status

The current focus of the group is on audit content. The question we are focusing on answering is

What audit data would be useful for detecting intrusions and computer misuse?

Current activities include:

  • Tom Daniels is looking at low level network attacks and what audit data can be collected to aid in detecting such attacks
  • examining existing detection systems to see what and how they analayze audit data to detect intrusions
  • interviewing developers and users of intrusion detection systems
  • comparing existing auditing systems to find generalities and what is good/bad about existing systems.
    • currently examining Solaris BSM and Windows NT

Sponsors

Members of the Group

The Audit Trail Reduction Group is composed of the following COAST students and faculty:

  • Gene Spafford, Director
  • Mike Atallah, Faculty
  • Tom Daniels, Graduate Student

COAST Audit Trails Format Group