Filtering events using clustering in heterogeneous security logs

Cited by: 12
Authors
Asif-Iqbal H. [1 ]
Udzir N.I. [1 ]
Mahmod R. [1 ]
Abd.Ghani A.A. [1 ]
Affiliation
[1] Faculty of Computer Science and Information Technology, Universiti Putra Malaysia, Selangor Darul Ehsan
Keywords
Event filtering; False; False positive rate; Heterogeneous log parsing; Multi-level clustering;
DOI
10.3923/itj.2011.798.806
Abstract
Log files are rich sources of information that record the actions performed during the daily use of a computer system. In this study we concentrate on parsing and isolating logs from different sources and then clustering the logs with a data mining tool (Weka) to filter out the unwanted entries, which greatly helps in correlating the events from different logs. Unfortunately, parsing heterogeneous logs to extract the attribute values is tedious, since every type of log is stored in a proprietary format. We propose a framework that is able to parse and isolate a variety of logs, followed by clustering the logs to identify and remove unneeded entries. Experiments involving a range of logs reveal that clustering can group log entries with a high degree of accuracy, thereby helping to correctly identify the entries to be removed. © 2011 Asian Network for Scientific Information.
Pages: 798 / 806
Page count: 8