Advertisement

Spotting Intrusion Scenarios from Firewall Logs Through a Case-Based Reasoning Approach

  • Fábio Elias Locatelli
  • Luciano Paschoal Gaspary
  • Cristina Melchiors
  • Samir Lohmann
  • Fabiane Dillenburg
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3278)

Abstract

Despite neglected by most security managers due to the low availability of tools, the content analysis of firewall logs is fundamental (a) to measure and identify accesses to external and private networks, (b) to access the historical growth of accesses volume and applications used, (c) to debug problems on the configuration of filtering rules and (d) to recognize suspicious event sequences that indicate strategies used by intruders in attempt to obtain non-authorized access to stations and services. This paper presents an approach to classify, characterize and analyze events generated by firewalls. The proposed approach explores the case-based reasoning technique, from the Artificial Intelligence field, to identify possible intrusion scenarios. The paper also describes the validation of our approach carried out based on real logs generated along one week by the university firewall.

Keywords

Intrusion Detection Intrusion Detection System Security Manager Suspicious Activity Suspicious Behavior 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. 1.
    Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    Esmaili, M., et al.: Case-Based Reasoning for Intrusion Detection. In: Computer Security Applications Conference, pp. 214–223 (1996)Google Scholar
  3. 3.
    Kolodner, J.: Case-Based Reasoning. Morgan Kaufmann, San Francisco (1993)CrossRefzbMATHGoogle Scholar
  4. 4.
    Ning, P., Cui, Y., Reeves, D.: Analyzing Intensive Intrusion Alerts via Correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 74–94. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  5. 5.
    Porras, P.A., Fong, M.W., Valdes, A.: A Mission-Impact-Based Approach to INFOSEC Alarm Correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 95–114. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Schwartz, D., Stoecklin, S., Yilmaz, E.: A Case-Based Approach to Network Intrusion Detection. In: Internacional Conference on Information Fusion, pp. 1084–1089 (2002)Google Scholar
  7. 7.
    Symantec, Symantec Enterprise Firewall, Symantec Enterprise VPN, and Veloci-Raptor Firewall Appliance Reference Guide. Symantec (2001)Google Scholar
  8. 8.
    Symantec, Symantec Security Response (2003)Google Scholar
  9. 9.
    Yegneswaran, V., Barford, P., Ulrich, J.: Internet Intrusions: Global Characteristics and Prevalence. ACM SIGMETRICS Performance Evaluation Review 31(1), 138–147 (2003)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2004

Authors and Affiliations

  • Fábio Elias Locatelli
    • 1
  • Luciano Paschoal Gaspary
    • 1
  • Cristina Melchiors
    • 1
  • Samir Lohmann
    • 1
  • Fabiane Dillenburg
    • 1
  1. 1.Programa Interdisciplicar de Pós-Graduação em Computação Aplicada (PIPCA)Universidade do Vale do Rio dos Sinos (UNISINOS)São LeopoldoBrazil

Personalised recommendations