ISU Electrical and Computer Engineering Archives

A Modular Architecture for Security Tools

Openshaw, Pascal (2005) A Modular Architecture for Security Tools. Masters thesis, Iowa State University.

Desktop computer security is a growing problem given the many viruses, network attacks, trojans, and other malicious programs that can affect a system. Tracking down what has happened on a computer, removing the problems, and preventing future intrusions is often difficult. The solution proposed in this thesis is a modular architecture for critical events (MAST). MAST consists of three components: a database containing alerts from expert tools, patches to these tools, and configuration frontends for the tools. The expert tools are responsible for analyzing the data from their realm of expertise and reporting only the important events they detect. Instead of reporting to log files or elsewhere, the programs must be patched so that they report to the MAST database. Once the patch is developed, the information entered into the MAST database can be examined by the security administrator.

Current security tools include antivirus, network monitoring, firewalls, file integrity checks, log analyzers, application profiles, rootkit detection, port scanning, and so on. The first four of these are examined as case studies for integration with MAST. The applications most suited to quality analysis and decent integration were found to be ClamAV, Snort, IPTables, and Samhain. The adaptation of each program as a security module happens in two steps. The program has to be configurable from a central location for ease of use, which means developing a Webmin module for its configuration. The other step is a program patch for reporting critical events. Together, these two steps make a security tool ready for integration into MAST.

The MAST project holds great potential for the integration of many different security tools. Writing the modules for each of these tools may take some time, but it will make security that much easier to handle for all security administrators. The ease of creating additional modules may even encourage the development of different and better tools that fit into the larger framework.

EPrint Type: Thesis (Masters)
Uncontrolled Keywords: Intrusion detection, event correlation, security tools
Subjects: Computer Engineering > INFORMATION SYSTEMS SECURITY & NETWORKING > Computer Networking and Security
ID Code: 145
Identification Number: TR-2005-04-5
Deposited By: Pascal Openshaw
Deposited On: 20 April 2005