Hierarchical object log format for normalisation of security events

The differences in log file formats used by a variety of services and applications remain a problem for security analysts and for developers of intrusion detection systems. The proposed remedy, the use of common log formats, has seen only limited adoption in existing security management solutions. In our paper, we reveal the reasons for this limitation and show the disadvantages of existing common log formats for the normalisation of security events. To address them we have created a new log format that is suited to intrusion detection purposes and can be extended easily. Taking previous work into account, we propose the new format as an extension to existing common log formats rather than as a standalone specification.
