Title :
A distance-based method to detect anomalous attributes in log files
Author :
Hommes, Stefan ; State, Radu ; Engel, Thomas
Author_Institution :
SnT, Univ. of Luxembourg, Luxembourg, Luxembourg
Abstract :
Dealing with large volumes of logs is like the proverbial needle in the haystack problem. Finding relevant events that might be associated with an incident, or real-time analysis of operational logs, is extremely difficult when the underlying data volume is huge and when no explicit misuse model exists. While domain-specific knowledge and human expertise may be useful in analysing log data, automated approaches for detecting anomalies and tracking incidents are the only viable solutions when confronted with large volumes of data. In this paper we address the issue of automated log analysis and consider more specifically the case of ISP-provided firewall logs. We leverage approaches derived from statistical process control and information theory in order to track potential incidents and detect suspicious network activity.
Keywords :
computer network security; data analysis; information theory; statistical process control; system monitoring; ISP-provided firewall logs; anomalous attribute detection; automated log analysis; data volume; distance-based method; domain-specific knowledge; haystack problem; human expertise; information theory; log data analysis; operational logs; proverbial needle; real time analysis; statistical process control; suspicious network activity detection; Control charts; Correlation; Humans; IP networks; Process control; Protocols; Real time systems;
Conference_Title :
Network Operations and Management Symposium (NOMS), 2012 IEEE
Conference_Location :
Maui, HI
Print_ISBN :
978-1-4673-0267-8
Electronic_ISBN :
1542-1201
DOI :
10.1109/NOMS.2012.6211940