[logs] Logs & the great unification theory

From: Stefano Zanero (stefano.zaneroat_private)
Date: Thu Jun 20 2002 - 06:03:38 PDT

Next message: Mario Maawad Marcos: "Re: [logs] tools"

Previous message: Chip Seraphine: "Re: [logs] Logs & the great unification theory"
Next in thread: Chip Seraphine: "Re: [logs] Logs & the great unification theory"
Reply: Chip Seraphine: "Re: [logs] Logs & the great unification theory"
Reply: Marcus J. Ranum: "Re: [logs] Logs & the great unification theory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Good afternoon (or whatever) everyone,

I need to excuse myself if my first post on this list will have a sort of
"Life, the Universe and Everything" approach, but reading the last few days
of posting and discussing briefly with Tina, you are just about the right
audience for asking my questions.

I'm currently working around an academic project to evaluate how and if
neural network (NN) systems can be used as outlyer detectors on system logs,
to spot potential security breaches or anomalies.

Some fixed points in my approach are, currently:
1) avoid trying to compete with rule-based or signature-based systems (so
called "misuse detection") on their ground: if an attack can be described
with a signature, it should be looked for with a signature-based system, not
an NN

2) trying to develop an approach as general as possible, keeping my
opportunities open until prototype development really begins

3) the chosen approach, for those with experience with neural algorithms, is
unsupervised learning, but this could change if we feel that supervised
learning is appropriate and feasible.

I was thus reading with great interest your posts about log "normalization",
but I think that either I missed the beginning of the discussion or you
didn't discuss an important point:
WHAT DOES REALLY MATTER to be analyzed.

A NN-based algorithm has serious performance issues to consider, and the
input to feed into it should be as compact and also with as few "fields" as
possible. In addition, these fields should allow me to easily manipulate
them, and to convert them in numeric value with an adequate mapping (to be
studied, this is in fact the core problem of the whole work).

So, my questions are:
- WHAT should be analyzed ?
- HOW do you suggest to structure the "normalized" format of logs extracted
from various sources
- IF and HOW you suggest to integrate this log with the results from a
network sniffer directly observing raw packets on the network

I will gladly hear any input and if I was unclear in my message, please
expose any questions or doubt.

Just a warning - I will be giving a lecture over the weekend so I could
delay of one or two days my answers - please don't get pissed of :P

Stefano


---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private

Next message: Mario Maawad Marcos: "Re: [logs] tools"
Previous message: Chip Seraphine: "Re: [logs] Logs & the great unification theory"
Next in thread: Chip Seraphine: "Re: [logs] Logs & the great unification theory"
Reply: Chip Seraphine: "Re: [logs] Logs & the great unification theory"
Reply: Marcus J. Ranum: "Re: [logs] Logs & the great unification theory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 08:19:20 PDT