On Wed, 2004-08-25 at 12:18, Jost Krieger wrote:
> > Applying Term Weight Techniques to Event Log Analysis for Intrusion
> > Detection.
> > http://www.ibiblio.org/john/pubs/johnreuning_sils_unc.pdf
>
> I've experimented with automatically generating regexes for the "normal"
> cases with SLCT (http://kodu.neti.ee/~risto/slct/) and it might be possible
> to apply your technique to the "cleaned" logs.

Something that should improve the accuracy of a term weight approach that I
didn't have time to implement in the original statlog version is relevance
feedback. This would mean taking a log message that is known to be either
benign or intrusion-related and feeding it back into the system. The term
weights would be artificially adjusted in one direction or the other. That
weight adjustment would then affect how new log messages are classified.

Spamassassin, for example, has this feature in sa-learn. You can give it known
spam or non-spam messages and have it retrain the system slightly to improve
the accuracy of the spam detection.

Thanks,
-jrr

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
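The relevance feedback loop described in the message above, written out as an added example; this is not code from the thread, from statlog, or from the paper linked above. It assumes a simple IDF-style weighting (rare terms score high, terms never seen in the "normal" corpus score highest), a mean-of-term-weights message score with a fixed threshold, and the constructed log lines embedded below; the names TermWeightClassifier, feedback and build_classifier are this example's own. Feedback adds or subtracts a step from the weight of every term in a labelled message, which is what makes later messages that share those terms classify differently.

```python
import math
import re
from collections import Counter

# Word-like tokens only: bare numbers, PIDs, IPs and timestamps are dropped,
# since they vary per message and would make every line look "rare".
TOKEN_RE = re.compile(r"[a-z][a-z0-9_./-]*")


def tokenize(line):
    return [t.strip("./-") for t in TOKEN_RE.findall(line.lower())]


class TermWeightClassifier:
    """IDF-style term weights learned from a corpus of normal log lines,
    adjustable afterwards by relevance feedback on labelled messages."""

    def __init__(self, baseline_lines, threshold):
        df = Counter()
        for line in baseline_lines:
            df.update(set(tokenize(line)))
        n = len(baseline_lines)
        # Rare terms weigh more; a term never seen in the baseline gets
        # the largest weight, since novelty is what we want to surface.
        self.weights = {t: math.log((n + 1) / (c + 1)) for t, c in df.items()}
        self.unseen_weight = math.log(n + 1)
        self.threshold = threshold
        # Clamp so repeated feedback cannot drive a weight to extremes.
        self.min_weight = 0.0
        self.max_weight = 2 * self.unseen_weight

    def score(self, line):
        toks = tokenize(line)
        if not toks:
            return 0.0
        return sum(self.weights.get(t, self.unseen_weight) for t in toks) / len(toks)

    def classify(self, line):
        return "intrusion" if self.score(line) >= self.threshold else "benign"

    def feedback(self, line, label, step=1.0):
        """Relevance feedback: push the weights of this message's terms up
        (known intrusion) or down (known benign). Because the adjusted
        weights are shared, other messages using those terms move too."""
        if label not in ("benign", "intrusion"):
            raise ValueError("label must be 'benign' or 'intrusion'")
        delta = step if label == "intrusion" else -step
        for t in set(tokenize(line)):
            w = self.weights.get(t, self.unseen_weight) + delta
            self.weights[t] = min(self.max_weight, max(self.min_weight, w))


# Constructed sample of "normal" log lines (not real data).
BASELINE_LINES = [
    "sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
    "sshd[1235]: Accepted publickey for bob from 192.0.2.11 port 51235 ssh2",
    "CRON[200]: (root) CMD (run-parts /etc/cron.hourly)",
    "CRON[201]: (root) CMD (run-parts /etc/cron.hourly)",
    "sshd[1236]: Accepted publickey for alice from 192.0.2.10 port 51236 ssh2",
    "systemd[1]: Started Daily apt download activities.",
]

# Constructed messages used for the walk-through below.
APT_FINISHED = "systemd[1]: Finished Daily apt download activities."
APT_UPGRADE = "systemd[1]: Finished Daily apt upgrade."
ROOT_LOGIN = "sshd[1305]: Accepted password for root from 198.51.100.9 port 40003 ssh2"


def build_classifier():
    return TermWeightClassifier(BASELINE_LINES, threshold=1.0)


if __name__ == "__main__":
    clf = build_classifier()
    for msg in (APT_FINISHED, APT_UPGRADE, ROOT_LOGIN):
        print(f"{clf.score(msg):.2f} {clf.classify(msg):9s} {msg}")
    # An analyst confirms the apt message is benign and the root password
    # login violates policy; feed both back and rescore.
    clf.feedback(APT_FINISHED, "benign")
    clf.feedback(ROOT_LOGIN, "intrusion")
    print("after feedback:")
    for msg in (APT_FINISHED, APT_UPGRADE, ROOT_LOGIN):
        print(f"{clf.score(msg):.2f} {clf.classify(msg):9s} {msg}")
```

Run stand-alone it shows the two sides of the loop: the unfamiliar apt message starts above the threshold and drops below it after benign feedback, dragging the related "apt upgrade" message with it, while the root password login starts below the threshold and rises above it after intrusion feedback. The same sharing is the caveat: feedback on a message full of common terms (sshd, from, port) shifts every message containing them, so keep the step small, clamp the weights as done here, and rescore a held-out set of known-good lines after each batch of feedback to catch new false positives.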
This archive was generated by hypermail 2.1.3 : Thu Sep 09 2004 - 11:00:30 PDT