Spotting Intrusion Scenarios from Firewall Logs Through a Case-Based Reasoning Approach
Despite neglected by most security managers due to the low availability of tools, the content analysis of firewall logs is fundamental (a) to measure and identify accesses to external and private networks, (b) to access the historical growth of accesses volume and applications used, (c) to debug problems on the configuration of filtering rules and (d) to recognize suspicious event sequences that indicate strategies used by intruders in attempt to obtain non-authorized access to stations and services. This paper presents an approach to classify, characterize and analyze events generated by firewalls. The proposed approach explores the case-based reasoning technique, from the Artificial Intelligence field, to identify possible intrusion scenarios. The paper also describes the validation of our approach carried out based on real logs generated along one week by the university firewall.
KeywordsIntrusion Detection Intrusion Detection System Security Manager Suspicious Activity Suspicious Behavior
- 2.Esmaili, M., et al.: Case-Based Reasoning for Intrusion Detection. In: Computer Security Applications Conference, pp. 214–223 (1996)Google Scholar
- 6.Schwartz, D., Stoecklin, S., Yilmaz, E.: A Case-Based Approach to Network Intrusion Detection. In: Internacional Conference on Information Fusion, pp. 1084–1089 (2002)Google Scholar
- 7.Symantec, Symantec Enterprise Firewall, Symantec Enterprise VPN, and Veloci-Raptor Firewall Appliance Reference Guide. Symantec (2001)Google Scholar
- 8.Symantec, Symantec Security Response (2003)Google Scholar