Identification of intrusion scenarios through classification, characterization and analysis of firewall events

The content analysis of firewall logs is essential (i) to quantify and identify accesses to external and private networks, (ii) to follow the historical growth of access volume and of the applications used, (iii) to debug problems in the configuration of filtering rules and (iv) to recognize suspicious event sequences that indicate strategies used by intruders in attempts to obtain unauthorized access to stations and services. The paper presents an approach to classify, characterize and analyze events generated by firewalls. The proposed approach uses the case-based reasoning technique to identify possible intrusion scenarios. The paper also describes the validation of the approach, carried out on real logs generated during one week by the university firewall.
