The Detectability of Attacks in NT Audit Logs

Windows NT hosts are essential components of the computing environment in many government agencies. Despite the growing importance of NT hosts, researchers are only beginning to develop intrusion detection systems that use NT audit data. As part of the Lincoln Laboratory 2000 Development/Evaluation effort, we have performed analyses designed to make it easier for researchers to extend their existing systems to process NT audit data and begin detecting NT attacks.

The following process was performed for each of the twelve NT attacks used in the 1999 evaluation, with auditing set up exactly as it was during the 1999 evaluation:

1. Clear the audit logs on the victim machine (172.16.112.100)
2. Run the attack against the machine with no background traffic
3. Immediately save the audit logs

The audit logs were then examined in an attempt to determine an audit log signature for each attack.

  • The Application Log and System Log showed no evidence of any of the attacks.
  • Ten of the twelve attacks left useful evidence in the Security Log.
  • PPMacro and Framespoofer left no useful evidence in any of the audit logs.

The audit log signatures that were chosen for the other ten attacks are described in the "Attack signature" section of the attack descriptions. This information can be used to create signatures to detect the 1999 attacks.

To test the quality of the determined signatures, an example PERL script named NTaudit-detect.pl was written. It uses the signatures derived from the attack data base to scan for Windows NT attacks in NT audit log data. The script processes comma-separated text versions of the audit logs. These are created by using the NT event viewer to save the original event logs as comma-delimited text files.

The results of running the NTaudit-detect.pl PERL script on the 1999 test data are shown below. Note that this is not an official set of results and that the results are overly optimistic because the test data was used twice, both to develop the signatures and to test them.

As can be seen, 24 of the 29 attacks that occurred during periods where NT audit records were available were detected and only 9 false alarms were generated. This good result, and the relatively simple nature of the signatures, demonstrates that the NT audit records collected in 1999 contain much useful information concerning the 1999 NT attacks. This information, however, needs to be supplemented to detect the two attack types that were missed (PPMacro and Framespoofer) and other attacks where information on file and registry access is important. Further experiments are planned in 2000 to provide this type of extended NT audit information where auditing for all files and the registry is enabled.

The results of the script are shown in the following table. Each row of this table represents one instance of an attack, as it occurred in Weeks 4 or 5 of the 1999 Test Data. For each attack instance the following information is given:

  • IDnum - The instance ID number. The format is wd.hhmmss, so 41.084031 would indicate Week 4, Day 1 (Monday), 08:40:31. This is *roughly* when the attack was scheduled to begin; in the course of the simulation the actual time (not the date) may have shifted.
  • Name - The common name of this attack
  • Stealthy/Clear - Was the attack instance considered Stealthy or Clear
  • New/Old - was this attack considered New or Old with regard to the 1999 Evaluation
  • Category - the major category into which this attack is classified (prepended with ll)
  • VictimOS - the operating system or platform that fell victim in this instance.
  • Detected - was this attack detected in Audit Logs by Detect.pl
  • Identified - was this attack correctly identified by Detect.pl
  • Total False Alarms - total number of times Detect.pl false alarmed for the attack

For further information on the attack instances, follow the attack ID number link to a listfile-style list of the sessions and time periods during which the attack was carried out.

Documentation of the audit signatures can be found in the attack descriptions.
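The following is an added example, not the NTaudit-detect.pl script or any code from the Lincoln Laboratory evaluation, written in Python rather than Perl. It shows the mechanics the text describes: parsing a comma-delimited Event Viewer export, matching each record against signature rules keyed on event ID and description text, and then scoring the alerts against a schedule of attack instances so that each instance gets a Detected flag and each rule a false-alarm count, as in the results table. The column order of the export, the two signature rules, the schedule, the calendar dates for the week/day prefixes, the 30-minute attribution window, and the log lines themselves are all constructed assumptions; the real 1999 signatures are only in the attack descriptions.

```python
"""Added example: signature scan over a comma-delimited NT event-log export
and scoring of the alerts against a schedule of attack instances.
Not the NTaudit-detect.pl script; all rules and data below are constructed."""
import csv
import io
from datetime import datetime, timedelta

# Assumed column order of a Windows NT 4 Event Viewer comma-delimited export.
FIELDS = ["date", "time", "source", "type", "category", "event_id",
          "user", "computer", "description"]

# Constructed signature rules: illustrative placeholders, not the signatures
# documented in the attack descriptions. A rule fires when the event ID
# matches and the description contains the substring (case-insensitive).
SIGNATURES = [
    {"name": "toolrun",    "event_id": "592", "needle": "SAMPLE_TOOL.EXE"},
    {"name": "guestlogon", "event_id": "529", "needle": "User Name: GUEST"},
]

# Constructed calendar for the wd prefix of an IDnum (hypothetical dates).
WEEK_DAY_DATES = {"41": "03/29/99", "42": "03/30/99"}

# Constructed attack schedule: instance ID and the rule expected to fire.
SCHEDULE = [
    {"idnum": "41.090000", "name": "example-u2r",   "signature": "toolrun"},
    {"idnum": "42.120000", "name": "example-probe", "signature": "guestlogon"},
]

# Constructed export excerpt (not real 1999 evaluation data).
SAMPLE_EXPORT = """\
03/29/99,9:02:15 AM,Security,Success Audit,Detailed Tracking,592,alice,VICTIM-NT,A new process has been created: C:\\TEMP\\SAMPLE_TOOL.EXE
03/29/99,9:40:00 AM,Security,Success Audit,Logon/Logoff,528,alice,VICTIM-NT,Successful Logon: User Name: alice
03/30/99,12:05:40 PM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,VICTIM-NT,Logon Failure: User Name: GUEST
03/30/99,6:10:00 PM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,VICTIM-NT,Logon Failure: User Name: GUEST
"""


def parse_export(text):
    """Parse the export into dicts, adding a datetime built from Date and Time."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < len(FIELDS):
            continue  # blank or truncated line
        row = dict(zip(FIELDS, rec))
        row["when"] = datetime.strptime(row["date"] + " " + row["time"],
                                        "%m/%d/%y %I:%M:%S %p")
        rows.append(row)
    return rows


def scan(rows):
    """Return (timestamp, rule name) for every record that matches a rule."""
    alerts = []
    for row in rows:
        for sig in SIGNATURES:
            if (row["event_id"] == sig["event_id"]
                    and sig["needle"].lower() in row["description"].lower()):
                alerts.append((row["when"], sig["name"]))
    return alerts


def idnum_start(idnum):
    """Convert a wd.hhmmss instance ID into a datetime via WEEK_DAY_DATES."""
    wd, hhmmss = idnum.split(".")
    day = datetime.strptime(WEEK_DAY_DATES[wd], "%m/%d/%y")
    return day.replace(hour=int(hhmmss[:2]), minute=int(hhmmss[2:4]),
                       second=int(hhmmss[4:6]))


def score(alerts, window=timedelta(minutes=30)):
    """Mark a scheduled instance detected if its rule fired inside the window
    after the scheduled start; any other firing is a false alarm, counted
    per rule name as the results table counts them per attack."""
    detected = {inst["idnum"]: 0 for inst in SCHEDULE}
    false_alarms = {sig["name"]: 0 for sig in SIGNATURES}
    for when, name in alerts:
        matched = False
        for inst in SCHEDULE:
            start = idnum_start(inst["idnum"])
            if inst["signature"] == name and start <= when <= start + window:
                detected[inst["idnum"]] = 1
                matched = True
        if not matched:
            false_alarms[name] += 1
    return detected, false_alarms


def run_example():
    """Scan the constructed export and score it against the schedule."""
    return score(scan(parse_export(SAMPLE_EXPORT)))


if __name__ == "__main__":
    detected, false_alarms = run_example()
    print("IDnum      Detected")
    for idnum, flag in detected.items():
        print(f"{idnum:<10} {flag}")
    print("Rule        False Alarms")
    for name, count in false_alarms.items():
        print(f"{name:<11} {count}")
```

On the constructed input both scheduled instances are detected and the second GUEST logon failure, hours after the scheduled probe, is counted as one false alarm for the guestlogon rule. The attribution window is the part of this scoring that most affects the numbers: widening it turns false alarms into detections, so it should be fixed before signatures are tuned, not adjusted to improve a result.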

IDnum      Name           Stealthy/Clear  New/Old  Category        Victim OS  Detected  Total False Alarms
All        All Attacks    -               -        -               llNT       24 of 29  9
41.090000  ntfsdos        Clr             New      llDATA-llU2R-   llNT       1         0
41.155048  yaga           Clr             New      llU2R           llNT       1         0
41.161308  crashiis-yaga  Clr             Old      llDOS           llNT       0         7
42.120000  ntfsdos        Clr             New      llDATA-llU2R-   llNT       1         0
42.143228  sechole        Clr             New      llU2R           llNT       1         0
42.210410  crashiis       Clr             Old      llDOS           llNT       1         7
43.100000  ppmacro        Clr             New      llDATA-llR2L-   llNT       0         0
43.110000  netcat         Clr             New      llR2L           llNT       1         0
44.080000  ntinfoscan     Clr             Old      llPROBE         llNT       1         2
44.083000  netbus         Clr             New      llR2L           llNT       1         0
44.110000  dosnuke        Clr             New      llDOS           llNT       1         0
44.120500  ppmacro        Clr             New      llDATA-llR2L-   llNT       0         0
45.165009  sechole        Clr             New      llU2R           llNT       1         0
51.114500  dosnuke        Clr             New      llDOS           llNT       1         0
51.183623  crashiis       Clr             Old      llDOS           llNT       1         7
51.194715  dosnuke        Clr             New      llDOS           llNT       1
52.085357  casesen        Clr             New      llU2R           llNT       1         0
52.135003  crashiis       Clr             Old      llDOS           llNT       1         7
52.140207  ppmacro        Clr             New      llR2L           llNT       0         0
52.205605  dosnuke        Clr             New      llDOS           llNT       1         0
53.094800  netbus         Clr             New      llR2L           llNT       1         0
53.110500  netcat         Clr             New      llR2L           llNT       1         0
54.091200  casesen        Clr             New      llU2R           llNT       1         0
54.102102  ntfsdos        Clr             New      llDATA          llNT       1         0
54.110416  ntinfoscan     Clr             Old      llPROBE         llNT       1         2
54.115000  yaga           Clr             New      llU2R           llNT       1         0
54.115701  crashiis-yaga  Clr             Old      llDOS           llNT       0         7
54.160341  sechole        Clr             New      llU2R           llNT       1         0
54.183002  ntinfoscan     Clr             Old      llPROBE         llNT       1         2
Audit logs for 5-5 were not collected properly
55.081418  crashiis       Clr             Old      llDOS           llNT       -         -
55.085514  netcat         Clr             New      llR2L           llNT       -         -
55.100600  anypw          Clr             New      llU2R           llNT       -         -
55.110800  framespoofer   Clr             New      llR2L           llNT       -         -
55.124400  yaga           Clr             New      llU2R           llNT       -         -
55.125112  crashiis       Clr             Old      llDOS           llNT       -         -
55.125830  crashiis       Clr             Old      llDOS           llNT       -         -
55.204925  casesen        Clr             New      llU2R           llNT       -         -