Well, NNs are not suitable due to the necessity to define their input factors. This may be very complicated with many network elements and various devices for each. The learning process also takes some time, and if I have a look at my log server, 10 gigs per month is not really an easy chunk to chew.

Pattern- or behavior-based systems are a great idea (I hope I find some free time to test it here as well), but it doesn't make sense for companies with many employees (e.g. right now there's the football-fan traffic anomaly that no IDS can predict so easily :)

But the solution I'm working on is a centralized log analyzer based on expert systems and that metalog thingy. You don't need to have a unified log, you just need to know what's going on and where. You have several processing facilities (e.g. one syslog, one fw, one eventlog etc.), and you have an information flow map which tells you what may be the next step. This way you can see that there's an anomaly on the router, next on the fw, next on the server, and then the application crashed. The metalog tells you that there's a problem with router, fw, server and app; if you need more detailed data you just check each log for that system.

Mario Maawad Marcos [mmaawadat_private]: you can find help on jobserve.com (the tool is called a contractor. It costs a lot of money but it creates a system that best fits your needs :) but be careful.. not all of them are useful..

lubo

-----Original Message-----
From: H C [mailto:keydet89at_private]
Sent: Friday, 21 June 2002 15:07
To: Stefano Zanero; loganalysisat_private; Marcus J. Ranum
Subject: Re: [logs] Logs & the great unification theory

> Just to see if they are fit to this purpose :-)

From my experience w/ NNs (grad school), if factors can be defined, then they'd make an excellent solution.

Just an FYI...when I worked for SAIC, there was a product called CMDS. It used an "expert system" developed at NASA to perform network event anomaly detection.

Basically, from the description, a neural network could "learn" what normal activity looked like...by user or by IP address. As the system learned, the thresholds could be tightened to the point where...theoretically...false positives could be reduced to almost nil.

SAIC is/was a service company, not a product company, and sold CMDS to ODS Networks. It looks as if a lot of changes have gone on since '99, but it looks as if the current incarnation of these products can be found here: http://www.intrusion.com

Also...as a side note...does anyone have any experience with CyberWolf? http://www.cyberwolftech.com/

carv

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
---------------------------------------------------------------------
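The "information flow map" correlation lubo describes in the message above, as an added example that is not code from the thread or from any product it mentions: constructed anomaly events from several processing facilities are chained along a router -> fw -> server -> app map within a time window, yielding one metalog entry for the whole path while an unrelated later router event stays a single-hop entry. The map, the events and the 120-second window are all constructed assumptions.

```python
from collections import defaultdict

# Constructed information-flow map: which system an anomaly may propagate to next.
FLOW_MAP = {"router": ["fw"], "fw": ["server"], "server": ["app"], "app": []}

# Constructed anomaly events as emitted by each processing facility:
# (timestamp in seconds, facility, system, message)
EVENTS = [
    (100, "syslog", "router", "interface flap on eth1"),
    (130, "fw", "fw", "state table near capacity"),
    (170, "eventlog", "server", "TCP retransmission storm"),
    (200, "app", "app", "application crashed"),
    (900, "syslog", "router", "NTP clock drift"),       # unrelated, much later
]

WINDOW = 120  # assumed max seconds between consecutive hops of one incident


def build_metalog(events, flow_map, window=WINDOW):
    """Chain per-system anomalies along the flow map into metalog entries.

    Returns a list of chains; each chain is a list of (ts, system, facility, msg)
    in propagation order, earliest hop first.
    """
    by_system = defaultdict(list)
    for ts, facility, system, msg in sorted(events):
        by_system[system].append((ts, facility, msg))
    entries, used = [], set()
    for ts, facility, system, msg in sorted(events):
        if (ts, system) in used:
            continue                      # already absorbed into an earlier chain
        chain = [(ts, system, facility, msg)]
        used.add((ts, system))
        cur, cur_ts = system, ts
        while True:
            hop = next(((t2, nxt, f2, m2) for nxt in flow_map.get(cur, [])
                        for t2, f2, m2 in by_system[nxt]
                        if (t2, nxt) not in used and cur_ts <= t2 <= cur_ts + window),
                       None)
            if hop is None:
                break                     # no downstream anomaly inside the window
            chain.append(hop)
            used.add((hop[0], hop[1]))
            cur, cur_ts = hop[1], hop[0]
        entries.append(chain)
    return entries


def summarize(entries):
    """Render each chain the way the metalog reports it; drill into per-system logs for detail."""
    return ["problem with " + ", ".join(s for _, s, _, _ in chain) for chain in entries]
```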
This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 08:52:08 PDT