A categorization of computer security monitoring systems and the impact on the design of audit sources
Traditionally, computer security monitoring systems are built around the audit systems supplied by operating systems. These OS audit sources were not necessarily designed to meet modern security needs. This dissertation addresses this situation by categorizing monitoring systems based on their goals of detection and the time constraints under which they operate. This categorization is used to clarify what information is needed to perform detection, and how the audit system should be structured to supply that information in an appropriate manner. A prototype audit source was designed and constructed based on the information from the categorization; it supplies information according to the type of detection to be performed. The new audit source was compared against an existing OS audit source and shown to have less overhead in many instances, to generate a smaller volume of data, and to generate useful information not currently available.
Major Professor: Eugene H. Spafford, Purdue University.