Abstract
Although neglected by most security managers because few tools are available, content analysis of firewall logs is fundamental (a) to measure and identify accesses to external and private networks, (b) to assess the historical growth in access volume and in the applications used, (c) to debug problems in the configuration of filtering rules, and (d) to recognize suspicious event sequences that reveal the strategies intruders use when attempting to gain unauthorized access to hosts and services. This paper presents an approach to classify, characterize and analyze the events generated by firewalls. The approach applies the case-based reasoning technique, from the Artificial Intelligence field, to identify possible intrusion scenarios. The paper also describes the validation of the approach, carried out on real logs generated over one week by the university firewall.
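The following is an added illustration of the classify/characterize/retrieve cycle the abstract describes, written for this page and not the authors' code or data. It parses a few constructed firewall log lines, characterizes each source address by a small feature vector, and retrieves the most similar case from a hypothetical case library, reporting "unknown" when nothing is similar enough so that an analyst can decide whether to retain it as a new case. The log format, the four features, the case library, the similarity measure and the 0.8 threshold are all assumptions chosen for illustration; the paper's own case representation is not described on this page.

```python
"""Minimal case-based reasoning (CBR) matcher over firewall log events.
Hypothetical example: log format, features, case library and similarity
function are assumptions, not taken from the paper."""
import re
from datetime import datetime

# Constructed log lines (RFC 5737 documentation addresses) in an assumed
# "timestamp ACTION proto src= dst= dport=" format.
SAMPLE_LOG = """\
2004-03-01T10:00:01 DENY tcp src=198.51.100.7 dst=192.0.2.10 dport=21
2004-03-01T10:00:01 DENY tcp src=198.51.100.7 dst=192.0.2.10 dport=22
2004-03-01T10:00:02 DENY tcp src=198.51.100.7 dst=192.0.2.10 dport=23
2004-03-01T10:00:02 DENY tcp src=198.51.100.7 dst=192.0.2.10 dport=25
2004-03-01T10:00:03 DENY tcp src=198.51.100.7 dst=192.0.2.10 dport=80
2004-03-01T10:00:03 DENY tcp src=198.51.100.7 dst=192.0.2.10 dport=110
2004-03-01T10:00:04 DENY tcp src=198.51.100.7 dst=192.0.2.10 dport=143
2004-03-01T10:00:04 DENY tcp src=198.51.100.7 dst=192.0.2.10 dport=443
2004-03-01T10:05:00 DENY tcp src=203.0.113.9 dst=192.0.2.1 dport=135
2004-03-01T10:05:00 DENY tcp src=203.0.113.9 dst=192.0.2.2 dport=135
2004-03-01T10:05:01 DENY tcp src=203.0.113.9 dst=192.0.2.3 dport=135
2004-03-01T10:05:01 DENY tcp src=203.0.113.9 dst=192.0.2.4 dport=135
2004-03-01T10:05:02 DENY tcp src=203.0.113.9 dst=192.0.2.5 dport=135
2004-03-01T10:05:02 DENY tcp src=203.0.113.9 dst=192.0.2.6 dport=135
2004-03-01T10:12:10 PERMIT tcp src=10.1.1.20 dst=192.0.2.10 dport=80
2004-03-01T10:13:45 PERMIT tcp src=10.1.1.20 dst=192.0.2.10 dport=443
2004-03-01T10:20:30 PERMIT tcp src=10.1.1.20 dst=192.0.2.11 dport=80
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>DENY|PERMIT)\s+(?P<proto>\S+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)

FEATURE_KEYS = ("port_spread", "host_spread", "deny_ratio", "burst")

# Hypothetical case library: each case is a labelled feature vector in [0, 1].
CASE_LIBRARY = [
    {"label": "port sweep against one host",
     "port_spread": 1.0, "host_spread": 0.1, "deny_ratio": 1.0, "burst": 1.0},
    {"label": "host sweep on one port",
     "port_spread": 0.1, "host_spread": 1.0, "deny_ratio": 1.0, "burst": 1.0},
    {"label": "benign browsing",
     "port_spread": 0.5, "host_spread": 0.5, "deny_ratio": 0.0, "burst": 0.0},
]


def parse_log(text):
    """Classify raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def characterize(events):
    """Characterize each source address by four features scaled to [0, 1]."""
    by_src = {}
    for ev in events:
        by_src.setdefault(ev["src"], []).append(ev)
    features = {}
    for src, evs in by_src.items():
        n = len(evs)
        span = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).total_seconds()
        features[src] = {
            "port_spread": len({e["dport"] for e in evs}) / n,   # distinct ports per event
            "host_spread": len({e["dst"] for e in evs}) / n,     # distinct hosts per event
            "deny_ratio": sum(e["action"] == "DENY" for e in evs) / n,
            "burst": min(1.0, n / (span + 1.0)),                 # events per second, capped
        }
    return features


def similarity(a, b):
    """1 minus the mean absolute feature difference; 1.0 means identical."""
    return 1.0 - sum(abs(a[k] - b[k]) for k in FEATURE_KEYS) / len(FEATURE_KEYS)


def retrieve(features, library, threshold=0.8):
    """CBR retrieve step: nearest case label, or 'unknown' below the threshold."""
    best = max(library, key=lambda case: similarity(features, case))
    score = similarity(features, best)
    return (best["label"] if score >= threshold else "unknown", score)


def retain(library, features, label):
    """CBR retain step: an analyst-confirmed scenario becomes a new case."""
    library.append({"label": label, **{k: features[k] for k in FEATURE_KEYS}})


def analyze(text, library=CASE_LIBRARY, threshold=0.8):
    """Full cycle: parse, characterize per source, retrieve a scenario label."""
    return {src: retrieve(f, library, threshold)
            for src, f in characterize(parse_log(text)).items()}


if __name__ == "__main__":
    for src, (label, score) in analyze(SAMPLE_LOG).items():
        print(f"{src:15} {label:30} similarity={score:.3f}")
```

With the constructed input, the two DENY-only sources are matched to the sweep cases and the internal client to the benign case; a feature vector that sits between cases scores below 0.8 and is reported as "unknown", which is the point at which the retain step lets the library grow from reviewed real traffic rather than from hand-written rules alone.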
© 2004 IFIP International Federation for Information Processing
Cite this paper
Locatelli, F.E., Gaspary, L.P., Melchiors, C., Lohmann, S., Dillenburg, F. (2004). Spotting Intrusion Scenarios from Firewall Logs Through a Case-Based Reasoning Approach. In: Sahai, A., Wu, F. (eds) Utility Computing. DSOM 2004. Lecture Notes in Computer Science, vol 3278. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30184-4_17
DOI: https://doi.org/10.1007/978-3-540-30184-4_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23631-3
Online ISBN: 978-3-540-30184-4