• Journal of KIISE:Computer Systems and Theory
• /
• v.32 no.6
• /
• pp.279-287
• /
• 2005

File integrity checking is the most reliable method to examine integrity and stability of system resources. It is required to examine the whole data whenever auditing system's integrity, and its process and result depends on administrator's experience and ability. Therefore the existing method is not appropriate to intrusion response and recovery systems, which require a fast response time. Moreover file integrity checking is able to collect information about the damaged resources, without information about the person who generated the action, which would be very useful for intrusion isolation. In this paper, we propose rtIntegrit, which combines system call auditing functions, it is called Syswatcher, with file integrity checking. The rtlntegrit can detect many activities on files or file system in real-time by combining with Syswatcher. The Syswatcher audit file I/O relative system call that is specified on configuration. And it can be easily cooperated with intrusion response and recovery systems since it generates assessment data in the standard IDMEF format.

• The Transactions of the Korea Information Processing Society
• /
• v.6 no.11
• /
• pp.3001-3010
• /
• 1999

The most of intrusion detection methods do not detect intrusion on real-time because it takes a long time to analyze an auditing data for intrusions. To solve the problem, we are studying a real-time intrusion detection. Therefore, this paper proposes an agent model using multi warning level for real-time intrusion detection. It applies to distributed environment using an extensibility and communication mechanism among agents, supports a portability, an extensibility and a confidentiality of IDS.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.13 no.3
• /
• pp.9-15
• /
• 2013

Recently, Intrusion detection system is an important technology in computer network system because of has seen a dramatic increase in the number of attacks. The most of intrusion detection methods do not detect intrusion on real-time because difficult to analyze an auditing data for intrusions. A network intrusion detection system is used to monitors the activities of individual users, groups, remote hosts and entire systems, and detects suspected security violations, by both insider and outsiders, as they occur. It is learns user's behavior patterns over time and detects behavior that deviates from these patterns. In this paper has rule-based component that can be used to encode information about known system vulnerabilities and intrusion scenarios. Integrating the two approaches makes Intrusion Detection System a comprehensive system for detecting intrusions as well as misuse by authorized users or Anomaly users (unauthorized users) using RFM analysis methodology and monitoring collect data from sensor Intrusion Detection System(IDS).

• Journal of KIISE:Computing Practices and Letters
• /
• v.10 no.2
• /
• pp.146-155
• /
• 2004

Currently most of commercial operating systems contain a high-level audit feature to increase their own security level. Linux does not fall behind the other commercial operating systems in performance and stability, but Linux does not have a good audit feature. Linux is required to support a higher security feature than C2 level of the TCSEC in order to be used as a server operating system, which requires the kernel-level audit feature that provides the system call auditing feature and audit event. In this paper, we present LxBSM, which is a kernel module to provide the kernel-level audit features. The audit record format of LxBSM is compatible with that of Sunshield BSM. The LxBSM is implemented as a loadable kernel module, so it has the enhanced usability. It provides the rich audit records including the user-level audit events such as login/logout. It supports both the pipe and file interface for increasing the connectivity between LxBSM and intrusion detection systems (IDS). The performance of LxBSM is compared and evaluated with that of Linux kernel without the audit features. The response time was increased when the system calls were called to create the audit data, such as fork, execve, open, and close. However any other performance degradation was not observed.

• Asia-pacific Journal of Multimedia Services Convergent with Art, Humanities, and Sociology
• /
• v.8 no.5
• /
• pp.303-314
• /
• 2018

In the past few years, government agencies and corporations have succumbed to stealthy, tailored cyberattacks designed to exploit vulnerabilities, disrupt operations and steal valuable information. Security Information and Event Management (SIEM) is useful tool for cyberattacks. SIEM solutions are available in the market but they are too expensive and difficult to use. Then we implemented basic SIEM functions to research and development for future security solutions. We focus on collection, aggregation and analysis of real-time logs from host. This tool allows parsing and search of log data for forensics. Beyond just log management it uses intrusion detection and prioritize of security events inform and support alerting to user. We select Elastic Stack to process and visualization of these security informations. Elastic Stack is a very useful tool for finding information from large data, identifying correlations and creating rich visualizations for monitoring. We suggested using vulnerability check results on our SIEM. We have attacked to the host and got real time user activity for monitoring, alerting and security auditing based this security information management.