DocumentCode
2263152
Title
A distance-based method to detect anomalous attributes in log files
Author
Hommes, Stefan ; State, Radu ; Engel, Thomas
Author_Institution
SnT, Univ. of Luxembourg, Luxembourg, Luxembourg
fYear
2012
fDate
16-20 April 2012
Firstpage
498
Lastpage
501
Abstract
Dealing with large volumes of logs is like the proverbial needle-in-the-haystack problem. Finding relevant events that might be associated with an incident, or performing real-time analysis of operational logs, is extremely difficult when the underlying data volume is huge and when no explicit misuse model exists. While domain-specific knowledge and human expertise may be useful in analysing log data, automated approaches for detecting anomalies and tracking incidents are the only viable solutions when confronted with large volumes of data. In this paper we address the issue of automated log analysis and consider more specifically the case of ISP-provided firewall logs. We leverage approaches derived from statistical process control and information theory in order to track potential incidents and detect suspicious network activity.
Keywords
computer network security; data analysis; information theory; statistical process control; system monitoring; ISP-provided firewall logs; anomalous attribute detection; automated log analysis; data volume; distance-based method; domain-specific knowledge; haystack problem; human expertise; log data analysis; operational logs; proverbial needle; real-time analysis; suspicious network activity detection; Control charts; Correlation; Humans; IP networks; Process control; Protocols; Real time systems
fLanguage
English
Publisher
ieee
Conference_Titel
Network Operations and Management Symposium (NOMS), 2012 IEEE
Conference_Location
Maui, HI
ISSN
1542-1201
Print_ISBN
978-1-4673-0267-8
Electronic_ISBN
1542-1201
Type
conf
DOI
10.1109/NOMS.2012.6211940
Filename
6211940