Mutilple Sensor Anomaly Correlation

Tsai, Min-ying

10 January 2012

IDS (Intrusion Detection System) detect intrusions and generate alerts to administrator. With Internet more and more popular, IDS products a lot of alerts make administrators spend much time to analyze to understand the network situation. Many online services record services details on the log, as the same administrators spend much time to analyze logs. IDS suffer from several limitations : amount of alerts, most of the alerts are false positive, certain attacks may not be detected by IDS. To solve limitations of IDS, four alert correlation techniques : alert attributions similarity, predefined attack scenarios, multi-stage approaches, verification to filter positive alerts. Network attack consist of multiple steps, each step may leave evidences on log or detected by IDS. Service logs record normal and abnormal detail behaviors, IDS alerts record single attack step. Alerts and logs first merge into meta-alert and meta-log. Second, we use two features to filter meta-log. Then, correlate meta-alert and filtered meta-log to produce report to administrators.

meta-log filtering

Alert correlation

Log Event Filtering Using Clustering Techniques

Wasfy, Ahmed

January 2009

Large software systems are composed of various different run-time components, partner applications and, processes. When such systems operate they are monitored so that audits can be performed once a failure occurs or when maintenance operations are performed. However, log files are usually sizeable, and require filtering and reduction to be processed efficiently. Furthermore, there is no apparent correspondence of how logged events relate to particular use cases the system may be performing. In this thesis, we have developed a framework that is based on heuristic clustering algorithms to achieve log filtering, log reduction and, log interpretation. More specifically we define the concept of the Event Dependency Graph, and we present event filtering and use case identification techniques, that are based on event clustering. The clustering process groups together all events that relate to a collection of initial significant events that relate to a use case. We refer to these significant events as beacon events. Beacon events can be identified automatically or semiautomatically by examining log event types or event names against event types or event names in the corresponding specification of a use case being considered (e.g. events in sequence diagrams). Furthermore, the user can select other or additional initial clustering conditions based on his or her domain knowledge of the system. The clustering technique can be used in two possible ways. The first is for large logs to be reduced or sliced, with respect to a particular use case so that, operators can better focus their attention to specific events that relate to specific operations. The second is for the determination of active use cases where operators select particular seed events of interest and then examine the resulting reduced logs against events or event types stemming from different alternative known use cases being considered, in order to identify the best match and consequently provide insights on which of these alternative use cases may be running at any given time. The approach has shown very promising results towards the identification of executing use cases among various alternative ones in various runs of the Session Initiation Protocol.

log filtering

root cause analysis

Electrical and Computer Engineering

Log Event Filtering Using Clustering Techniques

Wasfy, Ahmed

January 2009

Large software systems are composed of various different run-time components, partner applications and, processes. When such systems operate they are monitored so that audits can be performed once a failure occurs or when maintenance operations are performed. However, log files are usually sizeable, and require filtering and reduction to be processed efficiently. Furthermore, there is no apparent correspondence of how logged events relate to particular use cases the system may be performing. In this thesis, we have developed a framework that is based on heuristic clustering algorithms to achieve log filtering, log reduction and, log interpretation. More specifically we define the concept of the Event Dependency Graph, and we present event filtering and use case identification techniques, that are based on event clustering. The clustering process groups together all events that relate to a collection of initial significant events that relate to a use case. We refer to these significant events as beacon events. Beacon events can be identified automatically or semiautomatically by examining log event types or event names against event types or event names in the corresponding specification of a use case being considered (e.g. events in sequence diagrams). Furthermore, the user can select other or additional initial clustering conditions based on his or her domain knowledge of the system. The clustering technique can be used in two possible ways. The first is for large logs to be reduced or sliced, with respect to a particular use case so that, operators can better focus their attention to specific events that relate to specific operations. The second is for the determination of active use cases where operators select particular seed events of interest and then examine the resulting reduced logs against events or event types stemming from different alternative known use cases being considered, in order to identify the best match and consequently provide insights on which of these alternative use cases may be running at any given time. The approach has shown very promising results towards the identification of executing use cases among various alternative ones in various runs of the Session Initiation Protocol.

log filtering

root cause analysis

Electrical and Computer Engineering