• DocumentCode
    2415797
  • Title
    Log correlation for intrusion detection: a proof of concept
  • Author
    Abad, Cristina ; Taylor, Jed ; Sengul, Cigdem ; Yurcik, William ; Zhou, Yuanyuan ; Rowe, Ken
  • Author_Institution
    Dept. of Comput. Sci., Illinois Univ., Urbana, IL, USA
  • fYear
    2003
  • fDate
    8-12 Dec. 2003
  • Firstpage
    255
  • Lastpage
    264
  • Abstract
    Intrusion detection is an important part of networked-systems security protection. Although commercial products exist, finding intrusions has proven to be a difficult task with limitations under current techniques. Therefore, improved techniques are needed. We argue the need for correlating data among different logs to improve the accuracy of intrusion detection systems. We show how different attacks are reflected in different logs and argue that some attacks are not evident when a single log is analyzed. We present experimental results using anomaly detection for the virus Yaha. Through the use of data mining tools (RIPPER) and correlation among logs, we improve the effectiveness of an intrusion detection system while reducing false positives.
  • Keywords
    computer viruses; data integrity; data mining; safety systems; telecommunication security; RIPPER data mining tool; Yaha virus; anomaly detection; data correlation; intrusion detection; log correlation; networked-systems security protection; Application software; Computer science; Computer security; Data mining; Data security; Internet; Intrusion detection; Monitoring; National security; Protection;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Applications Conference, 2003. Proceedings. 19th Annual
  • Print_ISBN
    0-7695-2041-3
  • Type
    conf
  • DOI
    10.1109/CSAC.2003.1254330
  • Filename
    1254330