Applying Information Retrieval Techniques to Event Log Analysis for Intrusion Detection Export

@misc{citeulike:102024, abstract = {This paper explores the application of probabilistic information retrieval theories to the field of log analysis and host-based intrusion detection. Strong similarities exist between intrusion detection and information retrieval. Using information retrieval techniques may yield significant improvements to the performance of intrusion detection systems. This paper provides a brief review of current relevant research in intrusion detection and log analysis, introduces information retrieval methods appropriate for intrusion detection, and proposes a framework for an experimental log analysis system. The proposed system is based on Bayesian probability theory and uses a term frequency-inverse document frequency (TF-IDF) measure to identify anomalies.}, author = {Reuning, John}, citeulike-article-id = {102024}, citeulike-linkout-0 = {http://www.ibiblio.org/john/pubs/}, citeulike-linkout-1 = {http://www.ibiblio.org/john/pubs/pubs/john_reuning_gsec.pdf}, comment = {Good article, has a bit of an overview on anomaly detection software. This is basically data mining meets syslog -- use a distance measure based on word frequency in syslog messages; higher distance == more rare.}, day = {8}, institution = {SANS Institute}, keywords = {administration, analysis, anomaly, bayes, detection, logging, probability, syslog, systems, unix}, month = {January}, posted-at = {2005-02-23 20:38:27}, priority = {0}, title = {Applying Information Retrieval Techniques to Event Log Analysis for Intrusion Detection}, url = {http://www.ibiblio.org/john/pubs/}, year = {2004} }

TY - GEN ID - citeulike:102024 L3 - citeulike-article-id:102024 N2 - This paper explores the application of probabilistic information retrieval theories to the field of log analysis and host-based intrusion detection. Strong similarities exist between intrusion detection and information retrieval. Using information retrieval techniques may yield significant improvements to the performance of intrusion detection systems. This paper provides a brief review of current relevant research in intrusion detection and log analysis, introduces information retrieval methods appropriate for intrusion detection, and proposes a framework for an experimental log analysis system. The proposed system is based on Bayesian probability theory and uses a term frequency-inverse document frequency (TF-IDF) measure to identify anomalies. TI - Applying Information Retrieval Techniques to Event Log Analysis for Intrusion Detection KW - administration KW - analysis KW - anomaly KW - bayes KW - detection KW - logging KW - probability KW - syslog KW - systems KW - unix N1 - Good article, has a bit of an overview on anomaly detection software. This is basically data mining meets syslog -- use a distance measure based on word frequency in syslog messages; higher distance == more rare. AU - Reuning, John PY - 2004/01/08/ UR - http://www.ibiblio.org/john/pubs/ ER -