On Thu, Aug 19, 2004 at 03:41:03PM -0400, John Reuning wrote:
> While we're on the subject of anomaly detection, I recently finished a
> paper on using term weights to flag log messages as anomalies. It's not
> earth-shattering, and the approach is simplistic, but I've posted the
> pdf online. The main goal was to see how well a very simple term weight
> approach works. The experiment doesn't consider some of the more
> complex (and realistic) metrics, such as time sequencing or event
> correlation. And the audience was somewhat broader than the log
> analysis specialists on the list. :)
>
> Applying Term Weight Techniques to Event Log Analysis for Intrusion
> Detection.
> http://www.ibiblio.org/john/pubs/johnreuning_sils_unc.pdf

Would you have your perl script available without extracting it from the
paper?

I've experimented with automatically generating regexes for the "normal"
cases with SLCT (http://kodu.neti.ee/~risto/slct/) and it might be
possible to apply your technique to the "cleaned" logs.

Jost

-- 
| Jost.Krieger+sig@ruhr-uni-bochum.de      Please help stamp out spam! |
| Postmaster, JAPH, resident answer machine at RUB Comp. Center         |
| Sincere words are not sweet, sweet words are not sincere.             |
|                                         Lao Tse, Tao Te King 81       |
_______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
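Added worked example (not part of the thread, and neither John Reuning's perl script nor Risto Vaarandi's SLCT): a small Python re-implementation of the two ideas discussed above, the SLCT way of mining frequent (position, word) pairs into "*"-templates for the normal cases, and a term-weight (inverse document frequency) score applied to the lines those templates do not cover, which is one reading of "apply your technique to the cleaned logs". The log lines are constructed, the support of 2 and the score threshold of 1.4 are tuning values picked for this sample, and the scoring function (mean idf of a line's distinct tokens) is a generic choice, not the one in the paper.

```python
"""SLCT-style template mining followed by term-weight scoring of the residual lines.

Hypothetical worked example written for this thread; it is neither John Reuning's
perl script nor Risto Vaarandi's SLCT, only a small re-implementation of the two
ideas they describe:
  1. SLCT step: count (position, word) pairs, keep those seen at least `support`
     times, and collapse every line to a template with "*" in the variable slots.
     Templates that recur at least `support` times are the "normal" patterns.
  2. Term-weight step: score each line by the mean inverse document frequency
     (idf) of its distinct tokens, computed over the whole corpus, so a line
     built from rare terms scores high while routine chatter scores low.
  3. Cleaning: only lines not covered by a normal template are scored, which is
     one reading of "apply the technique to the cleaned logs".
"""
import math
from collections import Counter

# Constructed sample syslog lines (not captured from any real host).
SAMPLE_LOGS = [
    "sshd[1020]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "sshd[1021]: Accepted password for bob from 10.0.0.7 port 51030 ssh2",
    "sshd[1022]: Accepted password for carol from 10.0.0.9 port 51044 ssh2",
    "sshd[1023]: Failed password for invalid user admin from 198.51.100.9 port 40010 ssh2",
    "cron[2001]: (root) CMD (run-parts /etc/cron.hourly)",
    "cron[2002]: (root) CMD (run-parts /etc/cron.hourly)",
    "cron[2003]: (root) CMD (run-parts /etc/cron.hourly)",
    "kernel: usb 1-1: new high-speed USB device number 4 using ehci_hcd",
]


def tokenize(line):
    """Whitespace tokenisation; SLCT likewise works on space-delimited words."""
    return line.split()


def frequent_positions(lines, support):
    """Return the set of (position, word) pairs occurring in >= support lines."""
    counts = Counter(
        (pos, tok) for line in lines for pos, tok in enumerate(tokenize(line))
    )
    return {key for key, n in counts.items() if n >= support}


def template_of(line, frequent):
    """Collapse a line to its cluster candidate: keep frequent words, star the rest."""
    return " ".join(
        tok if (pos, tok) in frequent else "*"
        for pos, tok in enumerate(tokenize(line))
    )


def mine_templates(lines, support):
    """SLCT-style clustering: templates with >= support members are 'normal'.

    A template made only of '*' carries no frequent word and is never accepted
    as a cluster; its lines stay outliers, as in SLCT."""
    frequent = frequent_positions(lines, support)
    counts = Counter(template_of(line, frequent) for line in lines)
    normal = {
        tpl: n for tpl, n in counts.items()
        if n >= support and tpl.replace("*", "").strip()
    }
    return normal, frequent


def idf_table(lines):
    """idf(t) = ln(N / df(t)), df counting the lines in which token t appears."""
    df = Counter(tok for line in lines for tok in set(tokenize(line)))
    n_docs = len(lines)
    return {tok: math.log(n_docs / d) for tok, d in df.items()}


def term_weight_score(line, idf, n_docs):
    """Mean idf of the line's distinct tokens; tokens never seen get ln(N).

    Mean rather than sum keeps long but routine lines from outscoring short
    unusual ones."""
    toks = set(tokenize(line))
    if not toks:
        return 0.0
    return sum(idf.get(t, math.log(n_docs)) for t in toks) / len(toks)


def flag_anomalies(lines, support=2, threshold=1.4):
    """Drop lines matching a normal template, score the rest, and return
    (score, line) pairs at or above threshold, highest first."""
    normal, frequent = mine_templates(lines, support)
    idf = idf_table(lines)
    residual = [l for l in lines if template_of(l, frequent) not in normal]
    scored = sorted(
        ((term_weight_score(l, idf, len(lines)), l) for l in residual),
        reverse=True,
    )
    return [(round(s, 3), l) for s, l in scored if s >= threshold]


if __name__ == "__main__":
    normal, _ = mine_templates(SAMPLE_LOGS, support=2)
    for tpl, n in normal.items():
        print(f"normal x{n}: {tpl}")
    for score, line in flag_anomalies(SAMPLE_LOGS):
        print(f"{score:.3f}  {line}")
```

On the sample, the three accepted logins and the three cron runs collapse into two normal templates, and only the failed login and the kernel line are scored. The reason for cleaning first shows in the numbers: scored raw, an accepted login lands at about 1.28 against 1.50 for the failed one, because pid, user, address and port are all unique tokens; the templates absorb those variable slots, so the term weights are spent on the lines that matter.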
This archive was generated by hypermail 2.1.3 : Wed Aug 25 2004 - 09:20:34 PDT