Abstract
Recent work has shown that conventional operating system audit trails are insufficient to detect low-level network attacks. Because audit trails are typically based upon system calls or application sources, operations in the network protocol stack go unaudited. In our earlier work, we determined the audit data needed to detect low-level network attacks. In this paper we describe an implementation of an audit system which collects this data and analyze the issues that guided the implementation. Finally, we report the performance impact on the system and the rate of audit data accumulation in a test network.