Continual repair for Windows using the event log

SSRS '03 · Pub Date: 2003-10-31 · DOI: 10.1145/1036921.1036932
James C. Reynolds, L. Clough
Citations: 3

Abstract

There is good reason to base intrusion detection on data from the host. Unfortunately, most operating systems do not provide all the data needed in readily available logs. Ironically, perhaps, Windows NT and its successor, Windows 2000, provide much of the necessary data, at least for security events. We have developed a host-based intrusion detector for these platforms that meets the generally accepted criteria for a good Intrusion Detection System. Its architecture is sufficiently flexible to meet these criteria largely by relying on native mechanisms. Where there are identified gaps in the data from the native security event log, they can be filled by data from other sensors by using the same event-logging interface. The IDS will also terminate unauthorized processes, delete unauthorized files, and restore deleted or modified files continually without lengthy recovery due to compromise. We call this feature Continual Repair. It is an existence proof that self-regenerative systems are possible.
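The abstract only names the response actions (terminate, delete, restore) and the data source (the security event log). The script below is an added illustration of the shape of that detection-plus-repair cycle; it is not the authors' IDS and not code from the paper. It replays constructed security-log records against a hash baseline of a guarded directory: an unlisted process image triggers the injected `terminate` hook, a modified or deleted baseline file is rewritten from its golden copy, and a file inside the guarded tree that is not in the baseline is removed. The event IDs are the Vista-and-later numbers (4688/4663/4660; the Windows 2000-era log the paper targets used 592/560/564), and the paths, process allowlist, file contents and log records are all assumptions made for the example. A real deployment would read the records through the Windows event-log API instead of a Python list.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

# Security-log event IDs in Vista-and-later numbering (assumption for the
# example; the NT/2000-era log the paper targets used 592 / 560 / 564).
EVENT_PROCESS_CREATED = 4688   # "A new process has been created"
EVENT_OBJECT_ACCESS = 4663     # "An attempt was made to access an object"
EVENT_OBJECT_DELETED = 4660    # "An object was deleted"

@dataclass
class Policy:
    root: str                          # directory tree the IDS guards
    golden: Dict[str, bytes]           # relative path -> authorized contents
    allowed_images: FrozenSet[str]     # lower-cased process images allowed to run
    terminate: Callable[[int], None]   # injected so the example never kills a real PID

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()

def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def _guarded_relpath(root: str, object_name: str) -> Optional[str]:
    """Map an event's ObjectName onto the guarded tree; None if it lies outside."""
    try:
        rel = os.path.relpath(object_name, root).replace(os.sep, "/")
    except ValueError:                 # different drive letter on Windows
        return None
    return None if rel == ".." or rel.startswith("../") else rel

def repair_file(policy: Policy, rel: str) -> Optional[str]:
    """Bring one guarded path back to baseline; returns the action taken, if any."""
    path = os.path.join(policy.root, rel)
    if rel in policy.golden:
        present = os.path.isfile(path)
        if present and sha256(_read(path)) == sha256(policy.golden[rel]):
            return None                # intact, nothing to do
        _write(path, policy.golden[rel])   # restore from the golden copy
        return f"restored {'modified' if present else 'deleted'} file {rel}"
    if os.path.isfile(path):           # not in the baseline: unauthorized file
        os.remove(path)
        return f"deleted unauthorized file {rel}"
    return None

def handle_event(policy: Policy, ev: dict) -> Optional[str]:
    """One security-log record -> zero or one repair action."""
    if ev["EventID"] == EVENT_PROCESS_CREATED:
        if ev["NewProcessName"].lower() in policy.allowed_images:
            return None
        policy.terminate(ev["NewProcessId"])
        return f"terminated pid {ev['NewProcessId']} ({ev['NewProcessName']})"
    if ev["EventID"] in (EVENT_OBJECT_ACCESS, EVENT_OBJECT_DELETED):
        rel = _guarded_relpath(policy.root, ev["ObjectName"])
        return repair_file(policy, rel) if rel is not None else None
    return None

def continual_repair(policy: Policy, events: List[dict]) -> List[str]:
    """Replay a batch of log records and report every action taken."""
    return [a for a in (handle_event(policy, ev) for ev in events) if a]

def run_demo() -> dict:
    """Constructed scenario: tamper with a guarded tree, then replay matching log records."""
    root = tempfile.mkdtemp(prefix="continual-repair-")
    golden = {"config.ini": b"[svc]\nport=8080\n", "bin/svc.dll": b"MZ-golden"}
    for rel, data in golden.items():
        _write(os.path.join(root, rel), data)
    killed: List[int] = []
    policy = Policy(root, golden, frozenset({r"c:\windows\system32\svchost.exe"}), killed.append)
    # Simulated compromise: config edited, DLL deleted, dropper written.
    _write(os.path.join(root, "config.ini"), b"[svc]\nport=4444\n")
    os.remove(os.path.join(root, "bin/svc.dll"))
    _write(os.path.join(root, "dropper.exe"), b"MZ-evil")
    events = [  # constructed records carrying the fields the real events provide
        {"EventID": 4688, "NewProcessId": 4, "NewProcessName": r"C:\Windows\System32\svchost.exe"},
        {"EventID": 4688, "NewProcessId": 1337, "NewProcessName": r"C:\Temp\nc.exe"},
        {"EventID": 4663, "ObjectName": os.path.join(root, "config.ini")},
        {"EventID": 4660, "ObjectName": os.path.join(root, "bin/svc.dll")},
        {"EventID": 4663, "ObjectName": os.path.join(root, "dropper.exe")},
        {"EventID": 4663, "ObjectName": os.path.join(root, "../outside.txt")},  # off-tree
    ]
    actions = continual_repair(policy, events)
    files = {rel: _read(os.path.join(root, rel)) for rel in golden}
    files["dropper.exe"] = os.path.exists(os.path.join(root, "dropper.exe"))
    return {"actions": actions, "killed": killed, "files": files}

if __name__ == "__main__":
    print("\n".join(run_demo()["actions"]))
```

Two caveats a practitioner should keep in mind. First, object-access records (4663/4660, or 560/564 on the platforms the paper discusses) are only written when object-access auditing is enabled in the audit policy and the file carries a matching SACL; without that the sensor is silent and the repair loop never fires, which is exactly the kind of gap the abstract proposes filling from another sensor through the same logging interface. Second, the loop is only as trustworthy as the golden copy and the repair agent itself: an attacker who can modify the baseline or stop the agent defeats it, so those need to sit outside the attacker's reach (a read-only store, a separate account, or a separate host).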