RAID
1999
Springer

Audit logs: to keep or not to keep?

We approached this line of inquiry by questioning the conventional wisdom that audit logs are too large to be analyzed and must be reduced and filtered before the data can be analyzed or stored. The audit facilities of contemporary operating systems (Solaris, Windows NT) do not suit the needs of intrusion detection systems (IDS) well. Many types of computers (e.g., small, mobile, or embedded systems) do not have sufficient resources for conventional audit logging facilities. Our research proposes to create separate audit facilities to serve intrusion detection systems (IDS) and to meet the needs of long-term storage (archival) of audit logs. In general, IDS want to characterize activity at the level of users, sessions and application transactions, while audit logs present activity at the system call, process and network packet level of abstraction. Users do not want audit processing to detract from application performance. Thus, we are constructing audit processing modules in the kernel that p...
Christopher Wee
Added 04 Aug 2010
Updated 04 Aug 2010
Type Conference
Year 1999
Where RAID
Authors Christopher Wee