This is a description of the ASAX (Advanced Security audit trail Analysis on uniX) system. There are now two versions of ASAX: a single-host audit trail analysis version and a distributed audit trail analysis version. I describe here the features of each version.

1. SINGLE HOST AUDIT TRAIL ANALYSIS

Universality:
-------------
Is addressed thanks to the normalized audit file format (NADF). This NADF format is universal in the sense that we believe that all existing (and future) audit trails can be translated into it in a sufficiently straightforward way. Audit trail analysis is performed on normalized audit trails only. In addition, so-called Format Adaptors will be provided to translate native audit trails into the normalized format. We have so far developed Format Adaptors for SunOS 4.1.1, BS2000 and SINIX. A generic Format Adaptor is under study.

Power:
------
Is provided by the language RUSSEL (RUle-baSed and Sequence Evaluation Language), which allows complex selection criteria dealing with arbitrarily long sequences of records to be expressed, while still allowing the file to be processed sequentially *from left to right*. This last feature is of course mandatory to ensure efficiency, as the amount of data to be processed is very large. The basic principle is that the information about the past is stored in a set of active evaluation rules that are used to analyse the next audit record. Those rules may also trigger off new rules for the analysis of the rest of the trail. RUSSEL is tailor-made for the audit trail analysis problem.

Efficiency:
-----------
Is achieved on the one hand by the very principle of the rule-based language, which allows each record to be processed only once, and on the other hand by efficient implementation techniques. In addition, ASAX is an on-line system.

2. DISTRIBUTED AUDIT TRAIL ANALYSIS

This system is a distributed on-line system capable of performing efficient, intelligent, network-level analysis of security audit trails in a network of SUN workstations.
The distributed system is in fact an extension of the SINGLE HOST AUDIT TRAIL ANALYSIS system outlined above. At the network level, the system consists of one central or master machine and one or more slave machines. Slave machines analyze their local audit trails and send the filtered audit records to the master machine, which then performs a more intelligent analysis. The filtering of audit data at each node has all of the features of the SINGLE HOST AUDIT TRAIL ANALYSIS.

AVAILABILITY:
-------------
These two systems are prototype versions. At present, only the SINGLE HOST AUDIT TRAIL ANALYSIS is publicly available from the following sites:

ftp.info.fundp.ac.be:/pub/projects/asax
ftp://ftp.info.fundp.ac.be/pub/projects/asax
ftp://www.info.fundp.ac.be/~amo
ftp://coast.cs.purdue.edu/pub/tools/unix/asax

All reports and conference papers are included in the above archives. (See the FILES AND DIRECTORIES section of the Readme file.)

I am now using the idea behind Kuang (part of COPS) to make ASAX assess the file protection of security-sensitive files ON-LINE. As soon as a vulnerability is found, it is reported (obvious) AND rules are triggered automatically to watch for attacks exploiting them. This makes the system predictive. Furthermore, we are developing a (rule-based) language to express how file protections can be exploited. In Kuang, these rules were hard-coded. Collaboration is welcome.

Aziz-

--------------------------+-------------------------------------
| Abdelaziz Mounji        | amo@info.fundp.ac.be                |
| ASAX project            | http://www.info.fundp.ac.be/~amo    |
| Institut d'Informatique | voice: +32 81 724987                |
| University of Namur     | Fax  : +32 81 724967                |
----------------------------------------------------------------
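The following is an added example, not ASAX or RUSSEL code, written to make two points of the description above concrete: the single-pass principle of section 1 (the trail is read once, left to right; the rules active for the current record carry the information about the past and may trigger new rules for the next record) and the slave/master scheme of section 2 (slaves normalize and filter their local trails, the master correlates what is forwarded). The native line format, the NADF-like field names (host, seq, event, user, result), the rule semantics and the log lines are all constructed for this example; RUSSEL's real syntax is not reproduced.

```python
# Added example, not ASAX or RUSSEL code: a toy single-pass, rule-based audit
# trail analyser in the spirit of the description above, plus the slave/master
# filtering step of the distributed version. Record format, field names, rule
# semantics and log lines are all constructed for this example.
from collections import defaultdict
from typing import Callable, Dict, List

# --- Format adaptor: native text records -> normalized (NADF-like) dicts ---
# Constructed native line format: "<host> <seq> <event> user=<u> result=<ok|fail>"
def adapt(line: str) -> dict:
    host, seq, event, *pairs = line.split()
    rec = {"host": host, "seq": int(seq), "event": event}
    rec.update(p.split("=", 1) for p in pairs)
    return rec

# --- Rule engine: the trail is read once, left to right; the rules active for
# the current record carry the "information about the past" and may trigger
# rules for the next record.
Rule = Callable[["Engine", dict], None]

class Engine:
    def __init__(self, initial: List[Rule]):
        self.active: List[Rule] = list(initial)
        self.next_rules: List[Rule] = []
        self.alerts: List[str] = []

    def trigger(self, rule: Rule) -> None:
        """Make `rule` active for the next record (a rule that wants to stay
        active simply re-triggers itself)."""
        self.next_rules.append(rule)

    def alert(self, msg: str) -> None:
        self.alerts.append(msg)

    def run(self, records) -> List[str]:
        for rec in records:            # each record is seen exactly once
            self.next_rules = []
            for rule in self.active:
                rule(self, rec)
            self.active = self.next_rules
        return self.alerts

def login_watch(threshold: int = 3) -> Rule:
    """Persistent rule: count consecutive failed logins per user; at `threshold`
    report and trigger a short-lived rule watching for a subsequent success."""
    failures: Dict[str, int] = defaultdict(int)
    def rule(eng: Engine, rec: dict) -> None:
        eng.trigger(rule)              # stay active for the next record
        if rec["event"] != "login":
            return
        user = rec["user"]
        if rec["result"] == "fail":
            failures[user] += 1
            if failures[user] == threshold:
                eng.alert(f"{threshold} failed logins for {user} on {rec['host']}")
                eng.trigger(success_after_failures(user, window=5))
        else:
            failures[user] = 0
    return rule

def success_after_failures(user: str, window: int) -> Rule:
    """Triggered rule: lives for `window` records, fires if `user` logs in OK."""
    def rule(eng: Engine, rec: dict) -> None:
        if rec["event"] == "login" and rec["user"] == user and rec["result"] == "ok":
            eng.alert(f"login success for {user} after repeated failures (seq {rec['seq']})")
            return                     # rule consumed, not re-triggered
        if window > 1:
            eng.trigger(success_after_failures(user, window - 1))
    return rule

# --- Distributed version: slaves filter locally, the master correlates ---
def slave_filter(lines: List[str], keep: Callable[[dict], bool]) -> List[dict]:
    """Slave node: normalize the local audit trail, forward only selected records."""
    return [r for r in map(adapt, lines) if keep(r)]

def master_analyse(forwarded: List[List[dict]]) -> List[str]:
    """Master node: merge forwarded records in sequence order and run the rules."""
    merged = sorted((r for batch in forwarded for r in batch), key=lambda r: r["seq"])
    return Engine([login_watch()]).run(merged)

# Constructed audit trails for two hosts (seq = a global ordering for the demo)
HOST_A = [
    "hostA 1 exec user=bob result=ok",
    "hostA 2 login user=bob result=fail",
    "hostA 4 login user=bob result=fail",
    "hostA 6 open user=alice result=ok",
]
HOST_B = [
    "hostB 3 login user=bob result=fail",
    "hostB 5 login user=bob result=ok",
]

def is_login(rec: dict) -> bool:
    return rec["event"] == "login"

if __name__ == "__main__":
    print("hostA alone:", Engine([login_watch()]).run(map(adapt, HOST_A)))
    print("network:", master_analyse([slave_filter(HOST_A, is_login),
                                      slave_filter(HOST_B, is_login)]))
```

Run on its own, hostA's trail produces no alert (only two failures), while the master, seeing the records filtered and forwarded by both slaves, reaches the threshold at hostA's second failure, triggers the success watcher, and reports the successful login on hostB one record later. The watcher is the point of the rule-triggering principle: the information about the past (three failures) is carried by an active rule rather than by a second pass over the trail, and the rule expires on its own after a bounded number of records.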