[logs] SIM solution - Objectives ?
Mikael Kuisma
kuisma at ping.se
Mon Jun 4 12:41:11 PDT 2007
Hello Stefano!
On 6/4/07, Stefano Zanero <zanero at elet.polimi.it> wrote:
> Mikael Kuisma wrote:
> > Hi Saudi,
> >
> > To detect changes in your network configuration based on firewall logs,
> > you can use the ASDIC network traffic analysis system. It registers the
> > standard traffic and reports changes, based on whatever criteria of your
> > choice. Works fine on both Stonegate and Firewall-1 logs. It uses a
> > quite neat (and as far as I know, unique) mechanism of aggregating
> > related log entries, keeping the output short and concise.
>
> It looks to me like a rather rough attempt to replicate early '90s research
> on anomaly detectors...
The only other system I have seen that is able to aggregate related
traffic flows by itself is a system called AutoFocus from UCSD
(http://ial.ucsd.edu/AutoFocus/), but it suffers from other severe
scalability problems, rendering it more or less useless for detecting
anomalies.
If you have some references to similar systems, I'd be more than happy
if you could mail them to me (or the list)!
Thanks,
Mikael Kuisma, Ping
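The baseline-and-report approach the quoted message describes (learn the usual traffic, aggregate related entries, report only what is new) is illustrated below as an added example. It is not ASDIC's, AutoFocus's or Mikael's code; the firewall log format ("ACCEPT/DROP src= dst= proto= dport="), the addresses and the choice of a source /24 prefix as the aggregation key are constructed assumptions, not the format of either product.

```python
"""Baseline-and-report change detection over firewall logs, aggregating
related entries so one scanning host or one busy subnet becomes one line.

Added illustration only: not ASDIC or AutoFocus code. The log format and
the sample lines below are constructed for this example.
"""
import ipaddress
import re
from collections import Counter

# Constructed, generic log line shape: "... ACCEPT src=A dst=B proto=TCP dport=N"
LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


def parse(line):
    """Return (action, src, dst, proto, dport) or None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (m["action"], m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))


def flow_key(rec, prefixlen=24):
    """Collapse a record to (action, src prefix, dst, proto, dport).

    Aggregating the source to a /24 is the assumed aggregation rule; it is
    what lets many entries from one subnet become a single reported key.
    """
    action, src, dst, proto, dport = rec
    net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
    return (action, str(net), dst, proto, dport)


def learn_baseline(lines, prefixlen=24):
    """Register the 'standard' traffic: the set of flow keys seen in the learning period."""
    baseline = set()
    for line in lines:
        rec = parse(line)
        if rec:
            baseline.add(flow_key(rec, prefixlen))
    return baseline


def report_changes(baseline, lines, prefixlen=24, min_count=1):
    """Aggregate new lines by flow key and return only keys absent from the
    baseline, mapped to the number of raw log entries each key absorbed."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[flow_key(rec, prefixlen)] += 1
    return {k: n for k, n in counts.items() if k not in baseline and n >= min_count}


# Constructed sample logs (learning period, then a later day).
BASELINE_LOG = [
    "Jun  4 12:00:01 fw1 ACCEPT src=10.0.1.5 dst=192.0.2.10 proto=TCP dport=443",
    "Jun  4 12:00:02 fw1 ACCEPT src=10.0.1.7 dst=192.0.2.10 proto=TCP dport=443",
    "Jun  4 12:00:03 fw1 ACCEPT src=10.0.1.9 dst=192.0.2.20 proto=TCP dport=25",
    "Jun  4 12:00:04 fw1 DROP src=198.51.100.8 dst=192.0.2.10 proto=TCP dport=22",
]
NEW_LOG = [
    "Jun  5 09:00:01 fw1 ACCEPT src=10.0.1.5 dst=192.0.2.10 proto=TCP dport=443",
    "Jun  5 09:00:02 fw1 ACCEPT src=10.0.1.12 dst=192.0.2.10 proto=TCP dport=443",
    "Jun  5 09:00:03 fw1 ACCEPT src=10.0.5.21 dst=192.0.2.10 proto=TCP dport=3389",
    "Jun  5 09:00:04 fw1 ACCEPT src=10.0.5.22 dst=192.0.2.10 proto=TCP dport=3389",
    "Jun  5 09:00:05 fw1 ACCEPT src=10.0.5.23 dst=192.0.2.10 proto=TCP dport=3389",
    "Jun  5 09:00:06 fw1 DROP src=198.51.100.8 dst=192.0.2.10 proto=TCP dport=22",
    "Jun  5 09:00:07 fw1 ACCEPT src=10.0.1.9 dst=192.0.2.20 proto=TCP dport=25",
    "this line is not a firewall record",
]


def demo(prefixlen=24):
    """Learn from BASELINE_LOG, then report what is new in NEW_LOG."""
    baseline = learn_baseline(BASELINE_LOG, prefixlen)
    return report_changes(baseline, NEW_LOG, prefixlen)


if __name__ == "__main__":
    for key, n in demo().items():
        print(f"NEW {key}  ({n} entries aggregated)")
```

With the /24 rule the three RDP entries from 10.0.5.x collapse into one reported key, and the new host 10.0.1.12 is silent because its subnet already talks to that service; run `demo(32)` to see the same logs produce four host-level reports instead, which is the verbosity the aggregation is there to avoid.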
More information about the LogAnalysis mailing list