
Better Logging through Formality

Applying Formal Specification Techniques to Improve Audit Logs and Log Consumers

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 1907)

Abstract

We rely on programs that consume audit logs to do so successfully (a robustness issue) and form the correct interpretations of the input (a semantic issue). The vendor’s documentation of the log format is an important part of the specification for any log consumer. As a specification, it is subject to improvement using formal specification techniques. This work presents a methodology for formalizing and refining the description of an audit log to improve robustness and semantic accuracy of programs that use the log. Ideally applied during design of a new format, the methodology is also profitably applied to existing log formats. Its application to Solaris BSM (an existing, commercial format) demonstrated utility by detecting ambiguities or errors of several types in the documentation or implementation of BSM logging, and identifying opportunities to improve the content of the logs. The products of this work are the methodology itself for use in refining other log formats and their consumers, and an annotated, machine-readable grammar for Solaris BSM that can be used by the community to quickly construct applications that consume BSM logs.
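To make the robustness and semantic points concrete, here is an added example in Python; it is not code from the paper and does not reproduce the authors' BSM grammar. It contrasts an ad hoc consumer that splits a record on delimiters with one that implements a written-down grammar for a constructed, line-oriented record format. The format, its field names and the sample lines are assumptions made for this example only. The grammar-driven consumer either accepts a record in full or rejects it with the offset at which it stopped matching, while the ad hoc one silently forms a wrong interpretation of a record whose field contains a delimiter and accepts a truncated record without complaint.

```python
import re
from collections import namedtuple
# Constructed, line-oriented audit record format used only for this example (an
# assumption made here; it is NOT the Solaris BSM format the paper analyzes).
# The grammar is written out so consumer and "documentation" cannot disagree:
#   record := "type" "=" bare ( ";" token )* ";" "return" "=" ( "0" | "1" )
#   token  := name "=" value        name := [A-Za-z_][A-Za-z0-9_]*
#   value  := bare | quoted         bare := [^;="]*   (a delimiter is never legal unquoted)
#   quoted := '"' ( [^"\\] | "\\" any )* '"'

AuditRecord = namedtuple("AuditRecord", "event status fields")


class AuditParseError(ValueError):
    """Names the offset at which a record stopped matching the grammar."""


class _Cursor:
    def __init__(self, text: str):
        self.text, self.pos = text, 0

    def peek(self) -> str:
        return self.text[self.pos] if self.pos < len(self.text) else ""

    def take(self) -> str:
        ch = self.peek()
        if not ch:
            raise AuditParseError(f"unexpected end of record at offset {self.pos}")
        self.pos += 1
        return ch

    def expect(self, ch: str) -> None:
        if self.peek() != ch:
            raise AuditParseError(f"expected {ch!r} at offset {self.pos}, found {self.peek()!r}")
        self.pos += 1

    def name(self) -> str:
        m = re.match(r"[A-Za-z_][A-Za-z0-9_]*", self.text[self.pos:])
        if not m:
            raise AuditParseError(f"expected a field name at offset {self.pos}")
        self.pos += m.end()
        return m.group()

    def value(self) -> str:
        if self.peek() == '"':                 # quoted: delimiters allowed, backslash escapes
            self.pos, out = self.pos + 1, []
            while True:
                ch = self.take()               # raises on an unterminated quote
                if ch == '"':
                    return "".join(out)
                out.append(self.take() if ch == "\\" else ch)
        start = self.pos                       # bare: stops at the first delimiter
        while self.peek() and self.peek() not in ';="':
            self.pos += 1
        return self.text[start:self.pos]


def parse_record(line: str) -> AuditRecord:
    """Grammar-driven consumer: a record is accepted whole or rejected with a reason."""
    cur, fields = _Cursor(line.rstrip("\n")), {}
    while True:
        key = cur.name()
        cur.expect("=")
        val = cur.value()
        if key in fields:
            raise AuditParseError(f"duplicate field {key!r} at offset {cur.pos}")
        fields[key] = val
        if key == "return":                    # grammar: the return token closes the record
            break
        cur.expect(";")
    if cur.peek():
        raise AuditParseError(f"trailing data after return token at offset {cur.pos}")
    if next(iter(fields)) != "type":
        raise AuditParseError("record must begin with a type token")
    if fields["return"] not in ("0", "1"):
        raise AuditParseError(f"return must be 0 or 1, got {fields['return']!r}")
    return AuditRecord(fields["type"], int(fields["return"]), fields)


def naive_parse(line: str) -> dict:
    """The ad hoc consumer: split on delimiters and believe whatever comes out."""
    return {k: v for k, _, v in (p.partition("=") for p in line.rstrip("\n").split(";"))}


def consume(lines, parser=parse_record):
    """Run a consumer over a log; returns (accepted records, [(line, reason)])."""
    records, errors = [], []
    for line in lines:
        try:
            records.append(parser(line))
        except AuditParseError as exc:
            errors.append((line, str(exc)))
    return records, errors


# Constructed sample log (not real BSM output).
SAMPLE_LOG = [
    'type=exec;uid=1000;path="/usr/bin/id";return=0',
    'type=rename;uid=0;path="/tmp/a;b";newpath="/tmp/c\\"d";return=0',  # delimiters inside quotes
    'type=login;uid=1000;return=0;path=/home/x',                         # return is not last
    'type=exec;uid=1000;path="/unterminated;return=0',                   # unterminated quote
]

if __name__ == "__main__":
    print(*consume(SAMPLE_LOG), naive_parse(SAMPLE_LOG[1]), sep="\n")
```

Running the block prints the two accepted records, the two rejections with their reasons, and the ad hoc parser's reading of the second record, in which `path` has become `"/tmp/a` and a spurious field `b"` has appeared. Whether a delimiter may occur inside a field, whether the return token must come last, and what a truncated record means are decisions a specification has to make explicitly; the abstract's point is that once they are written down as a grammar, a consumer built from that grammar cannot quietly make them differently.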

Supported in part by an Intel Foundation Graduate Fellowship, by contracts MDA904-96-1-0116 and MDA904-97-6-0176 from Maryland Procurement Office, and by sponsors of the Center for Education and Research in Information Assurance and Security.

Supported in part by Grant EIA-9903545 from the National Science Foundation, and by sponsors of the Center for Education and Research in Information Assurance and Security.





Copyright information

© 2000 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Flack, C., Atallah, M.J. (2000). Better Logging through Formality. In: Debar, H., Mé, L., Wu, S.F. (eds) Recent Advances in Intrusion Detection. RAID 2000. Lecture Notes in Computer Science, vol 1907. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-39945-3_1

  • DOI: https://doi.org/10.1007/3-540-39945-3_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-41085-0

  • Online ISBN: 978-3-540-39945-2
