Log Correlation for Intrusion Detection: A Proof of Concept

Cristina Abad, Jed Taylor, Cigdem Sengul, and Yuanyuan Zhou
University of Illinois at Urbana-Champaign

William Yurcik
National Center for Supercomputing Applications

Ken Rowe
Science Applications International Corporation

Intrusion detection is an important part of networked-systems security protection. Although commercial products exist, finding intrusions has proven to be a difficult task, and current techniques have limitations; improved techniques are therefore needed. We argue the need to correlate data among different logs to improve the accuracy of intrusion detection systems. We show how different attacks are reflected in different logs and argue that some attacks are not evident when a single log is analyzed in isolation. We present experimental results using anomaly detection for the Yaha virus. Through the use of data mining tools (RIPPER) and correlation among logs, we are able to improve the effectiveness of intrusion detection systems and reduce false positives.

Keywords: intrusion detection, log correlation, data mining, anomaly detection

Read Paper (in PDF)