Re: [logs] Term weights and log analysis

From: John Reuning (john@private)
Date: Thu Sep 09 2004 - 07:22:04 PDT


On Wed, 2004-08-25 at 12:18, Jost Krieger wrote:

> > Applying Term Weight Techniques to Event Log Analysis for Intrusion
> > Detection.
> > http://www.ibiblio.org/john/pubs/johnreuning_sils_unc.pdf
> 
> I've experimented with automatically generating regexes for the "normal"
> cases with SLCT (http://kodu.neti.ee/~risto/slct/) and it might be possible
> to apply your technique to the "cleaned" logs.

Something that should improve the accuracy of a term weight approach
that I didn't have time to implement in the original statlog version is
relevance feedback.  This would mean taking a log message that is known
to be either benign or intrusion-related and feeding it back into the
system.  The term weights would be artificially adjusted in one
direction or the other.  That weight adjustment would then affect how
new log messages are classified.

SpamAssassin, for example, has this feature in sa-learn.  You can give
it known spam or non-spam messages and have it retrain the system
slightly to improve the accuracy of the spam detection.

Thanks,

-jrr
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
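The relevance-feedback loop described in the message above, as an added Python sketch (not code from statlog or from the linked paper): rare terms raise a message's score, and analyst labels shift the term weights up or down. The smoothed-IDF weighting, the fixed feedback step and the sample log lines are assumptions made for this illustration.

```python
import math
import re
from collections import defaultdict

TOKEN_RE = re.compile(r"[A-Za-z][A-Za-z_-]+")  # words only; PIDs, IPs, ports dropped

def tokenize(line):
    return [t.lower() for t in TOKEN_RE.findall(line)]

class TermWeightModel:
    def __init__(self, lines):
        self.n_docs = len(lines)
        self.df = defaultdict(int)        # messages containing each term
        for line in lines:
            for term in set(tokenize(line)):
                self.df[term] += 1
        self.adjust = defaultdict(float)  # per-term relevance-feedback offsets

    def weight(self, term):
        """Smoothed IDF (an assumed weighting, not the paper's): rare terms
        weigh more; feedback shifts the weight, floored at zero."""
        idf = math.log((self.n_docs + 1) / (self.df[term] + 1))
        return max(0.0, idf + self.adjust[term])

    def score(self, line):
        """Mean term weight: high for messages built from unusual vocabulary."""
        terms = tokenize(line)
        return sum(self.weight(t) for t in terms) / len(terms) if terms else 0.0

    def feedback(self, line, intrusion, step=0.5):
        """Push every term of a labelled message up (intrusion) or down (benign).
        Shared terms move too, so benign feedback is needed to undo that bleed-over."""
        delta = step if intrusion else -step
        for term in set(tokenize(line)):
            self.adjust[term] += delta

# Constructed sample messages (not from any real system).
LOGS = [
    "sshd[101]: Accepted publickey for alice from 10.0.0.5 port 52211 ssh2",
    "sshd[102]: Accepted publickey for bob from 10.0.0.6 port 52212 ssh2",
    "cron[200]: (root) CMD (run-parts /etc/cron.hourly)",
    "sshd[103]: Failed password for invalid user admin from 198.51.100.7 port 4444 ssh2",
    "cron[201]: (root) CMD (run-parts /etc/cron.hourly)",
    "sshd[104]: Accepted publickey for alice from 10.0.0.5 port 52213 ssh2",
]
NORMAL, SUSPECT = LOGS[0], LOGS[3]

if __name__ == "__main__":
    m = TermWeightModel(LOGS)
    m.feedback(SUSPECT, intrusion=True)    # analyst confirms an attack
    m.feedback(NORMAL, intrusion=False)    # analyst confirms routine traffic
    print(f"normal={m.score(NORMAL):.3f} suspect={m.score(SUSPECT):.3f}")
```

Marking only the intrusion line raises the score of the benign sshd line as well, because they share terms such as sshd, from and port; the benign label is what pulls it back down.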



This archive was generated by hypermail 2.1.3 : Thu Sep 09 2004 - 11:00:30 PDT