论文信息 - Filtering events using clustering in heterogeneous security logs

Filtering events using clustering in heterogeneous security logs

Log files are rich sources of information exhibiting the actions performed during the usage of a computer system in our daily work. In this study we concentrate on parsing/isolating logs from different sources and then clustering the logs using data mining tool (Weka) to filter the unwanted entries in the logs which will greatly help in correlating the events from different logs. Unfortunately parsing heterogeneous logs to extract the attribute values becomes tedious, since every type of log is stored in a proprietary format. We propose a framework that has the ability to parse and isolate a variety of logs, followed by clustering the logs to identify and remove unneeded entries. Experiments involving a range of logs, reveals the fact that clustering has the capacity to group log entries with a higher degree of accuracy, thereby assisting to identify correctly the entries to be removed.

Abdul Azim Abd Ghani | Nur Izura Udzir | Asif Iqbal Hajamydeen | Ramlan Mahmod

[1] Dario Forte. The “ART” of log correlation: part 1 , 2004 .

[2] Anil K. Jain. Data clustering: 50 years beyond K-means , 2010, Pattern Recognit. Lett..

[3] Jung-Min Park,et al. An overview of anomaly detection techniques: Existing solutions and latest technological trends , 2007, Comput. Networks.

[4] Somesh Jha,et al. A Declarative Framework for Intrusion Analysis , 2010, Cyber Situational Awareness.

[5] Yue-Shi Lee,et al. Cluster-based under-sampling approaches for imbalanced data distributions , 2009, Expert Syst. Appl..

[6] Nur Izura Udzir,et al. A K-Means and Naive Bayes Learning Approach for Better Intrusion Detection , 2011 .

[7] Dhruba Kumar Bhattacharyya,et al. Anomaly Detection Analysis of Intrusion Data Using Supervised & Unsupervised Approach , 2010, J. Convergence Inf. Technol..