Audlib: A Configurable, High-fidelity Application Audit Mechanism

Title:
Audlib: A Configurable, High-fidelity Application Audit Mechanism
Authors:
Kuperman, Benjamin A.; Spafford, Eugene H.
Abstract:
In this paper, we introduce Audlib, an extendable tool for generating security-relevant information on Unix systems. Audlib is a wrapper environment that generates application-level audit information from existing executable programs. Audlib is not a detection system; instead, it is designed to supplement existing audit systems and work transparently with them. Audlib records information that is not presently available from existing kernel-level audit sources. Here, we describe the design of the Audlib framework and the information it provides. We compare auditing the actions of a web server with Audlib to existing kernel audit sources and show that we have 2-4 times the throughput of Linux auditd and less than half the performance overhead of Solaris BSM while collecting detailed information about the server's execution. Although Audlib is focused on recording security information, this technique can be used to collect data for a wide variety of purposes including profiling, dependency analysis, and debugging.
Citation:
Kuperman, Benjamin A., and Eugene H. Spafford. 2010. "Audlib: A Configurable, High-fidelity Application Audit Mechanism." Software-practice & Experience 40(11): 989-1005.
Publisher:
John Wiley & Sons
DATE ISSUED:
2010-10
Department:
Computer Science
Type:
article
PUBLISHED VERSION:
10.1002/spe.983
PERMANENT LINK:
http://hdl.handle.net/11282/309979

Full metadata record

DC Field | Value | Language
dc.contributor.author | Kuperman, Benjamin A. | en_US
dc.contributor.author | Spafford, Eugene H. | en_US
dc.date.accessioned | 2013-12-23T16:22:28Z | -
dc.date.available | 2013-12-23T16:22:28Z | -
dc.date.issued | 2010-10 | en
dc.identifier.citation | Kuperman, Benjamin A., and Eugene H. Spafford. 2010. "Audlib: A Configurable, High-fidelity Application Audit Mechanism." Software-practice & Experience 40(11): 989-1005. | en_US
dc.identifier.issn | 0038-0644 | en_US
dc.identifier.uri | http://hdl.handle.net/11282/309979 | -
dc.description.abstract | In this paper, we introduce Audlib, an extendable tool for generating security-relevant information on Unix systems. Audlib is a wrapper environment that generates application-level audit information from existing executable programs. Audlib is not a detection system; instead, it is designed to supplement existing audit systems and work transparently with them. Audlib records information that is not presently available from existing kernel-level audit sources. Here, we describe the design of the Audlib framework and the information it provides. We compare auditing the actions of a web server with Audlib to existing kernel audit sources and show that we have 2-4 times the throughput of Linux auditd and less than half the performance overhead of Solaris BSM while collecting detailed information about the server's execution. Although Audlib is focused on recording security information, this technique can be used to collect data for a wide variety of purposes including profiling, dependency analysis, and debugging. | en_US
dc.language.iso | en_US | en_US
dc.publisher | John Wiley & Sons | en_US
dc.identifier.doi | 10.1002/spe.983 | -
dc.subject.department | Computer Science | en_US
dc.title | Audlib: A Configurable, High-fidelity Application Audit Mechanism | en_US
dc.type | article | en_US
dc.identifier.journal | Software-practice & Experience | en_US
dc.subject.keyword | Audit systems | en_US
dc.subject.keyword | Computer security monitoring | en_US
dc.subject.keyword | Attack detection | en_US
dc.subject.keyword | Intrusion detection | en_US
dc.subject.keyword | Misuse detection | en_US
dc.identifier.volume | 40 | en_US
dc.identifier.issue | 11 | en_US
dc.identifier.startpage | 989 | en_US