
Academic Blog


Intrusion Detection – the case of Log Analytics (inspired by one of keynotes at SoCPaR 2009)

by Dominik Slezak     Thu, Dec 10, 2009

Hello,

I should start with a short announcement: Malaysia is a beautiful country and Melaka is a beautiful city. I have a friend who moved from Poland to Malaysia. He keeps repeating: Dominik, do not tell anyone how nice Malaysia is, because then everybody would want to move here. Well, I hope he is not going to read this post… Anyway, attending the SoCPaR 2009 conference at the UTeM was a wonderful experience and I wish to thank the organizers one more time for their great work.

The city of Melaka has been influenced by many nations and cultures. In the same way, SoCPaR is a mixture of diverse aspects of soft computing and pattern recognition. I enjoyed that mixture a lot, listening to invited talks, participating in the panel, and explaining how our technology relates to the conference topics. Out of many presentations, I remember particularly well the one on Collaborative Security Mechanism in Detecting Intrusion Activity. This is because Intrusion Detection is based on Log Analytics – one of our favorite topics at Infobright.

Security-related analysis of logs already has a well-established foundation with respect to data modeling, processing, and mining. In one of my favorite introductory books on this topic, you can find nicely outlined relational schemas for the log structures and the types of attacks. However, as also discussed in the above-mentioned SoCPaR talk, there may be several types of logs (authentication logs, firewall logs, application logs, and so on), each with a different data model. Detecting some attacks requires looking at all of these log types in a synchronized way, which in practice means joining records from different sources on their timestamps, within some tolerance. Furthermore, there are two classes of attacks. Fast attacks are detectable within a very short time interval, and they are often addressed by the tools of data stream analytics: the pattern fits in a window of seconds or minutes, so it can be matched as the events arrive. Slow attacks, on the other hand, correspond to patterns that develop over a couple of days, so you need to query quite a lot of data (and it grows really fast). That is a challenge even when you know exactly what you are looking for, i.e. in the specification-based or signature-based setting; anomaly-based detection, where the pattern is not known in advance and has to be learned from the data itself, is harder still.
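The following is an added example, not code from the post or from Infobright; it shows the three ideas of the paragraph above on constructed sample data: two log types with different schemas normalized to a common (timestamp, source) event model, a sliding-window detector for a fast attack (a burst of failed logins), a per-day detector for a slow attack (a few failures spread over several days, each day too quiet to trip the fast rule), and a timestamp-tolerance join against firewall records to corroborate the findings. The log lines, IP addresses, thresholds and function names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from the post or any real system):
# two log types, two schemas, one shared timestamp format.
AUTH_LOG = """\
2009-12-01 02:14:07 sshd[1201]: Failed password for root from 10.0.0.7 port 4021 ssh2
2009-12-01 02:14:31 sshd[1201]: Failed password for admin from 10.0.0.7 port 4022 ssh2
2009-12-02 09:00:00 sshd[1340]: Accepted password for alice from 10.0.0.3 port 5000 ssh2
2009-12-03 03:40:12 sshd[1455]: Failed password for root from 10.0.0.7 port 4301 ssh2
2009-12-05 04:02:55 sshd[1602]: Failed password for oracle from 10.0.0.7 port 4410 ssh2
2009-12-06 11:20:01 sshd[1700]: Failed password for bob from 10.0.0.3 port 5100 ssh2
2009-12-10 13:00:01 sshd[1900]: Failed password for root from 10.0.0.9 port 6001 ssh2
2009-12-10 13:00:04 sshd[1900]: Failed password for root from 10.0.0.9 port 6002 ssh2
2009-12-10 13:00:09 sshd[1900]: Failed password for root from 10.0.0.9 port 6003 ssh2
2009-12-10 13:00:15 sshd[1900]: Failed password for root from 10.0.0.9 port 6004 ssh2
2009-12-10 13:00:22 sshd[1900]: Failed password for root from 10.0.0.9 port 6005 ssh2
"""

FW_LOG = """\
2009-12-01 02:14:05 DENY TCP 10.0.0.7:4020 -> 192.168.1.5:22
2009-12-03 03:40:10 DENY TCP 10.0.0.7:4300 -> 192.168.1.5:22
2009-12-05 04:02:50 DENY TCP 10.0.0.7:4409 -> 192.168.1.5:22
2009-12-10 12:59:58 DENY TCP 10.0.0.9:6000 -> 192.168.1.5:22
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
TS_RE = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
AUTH_FAIL_RE = re.compile(TS_RE + r" sshd\[\d+\]: Failed password for (\S+) from (\S+) port")
FW_DENY_RE = re.compile(TS_RE + r" DENY \w+ ([\d.]+):\d+ ->")


def parse_auth_failures(text):
    """Normalise auth-log failures to sorted (timestamp, source_ip) events."""
    events = []
    for line in text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m:  # successful logins and unrelated lines are ignored
            events.append((datetime.strptime(m.group(1), TS_FMT), m.group(3)))
    return sorted(events)


def parse_fw_denies(text):
    """Normalise firewall DENY records to sorted (timestamp, source_ip) events."""
    events = []
    for line in text.splitlines():
        m = FW_DENY_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2)))
    return sorted(events)


def by_source(events):
    """Group timestamps by source IP, preserving sort order."""
    groups = defaultdict(list)
    for ts, ip in events:
        groups[ip].append(ts)
    return groups


def detect_fast(events, threshold=5, window=timedelta(seconds=60)):
    """Fast attack: >= threshold failures from one source inside a sliding window."""
    flagged = set()
    for ip, stamps in by_source(events).items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def detect_slow(events, min_days=3, fast_threshold=5):
    """Slow attack: failures from one source on >= min_days distinct days,
    with no single day busy enough to trip the fast detector."""
    flagged = set()
    for ip, stamps in by_source(events).items():
        per_day = defaultdict(int)
        for ts in stamps:
            per_day[ts.date()] += 1
        if len(per_day) >= min_days and max(per_day.values()) < fast_threshold:
            flagged.add(ip)
    return flagged


def correlate(auth_events, fw_events, tolerance=timedelta(seconds=5)):
    """Count auth failures that have a firewall DENY from the same source
    within +/- tolerance: the timestamp-joined view across two log types."""
    denies = by_source(fw_events)
    matched = defaultdict(int)
    for ts, ip in auth_events:
        if any(abs(ts - d) <= tolerance for d in denies.get(ip, [])):
            matched[ip] += 1
    return dict(matched)


if __name__ == "__main__":
    auth = parse_auth_failures(AUTH_LOG)
    fw = parse_fw_denies(FW_LOG)
    print("fast attack sources:", sorted(detect_fast(auth)))
    print("slow attack sources:", sorted(detect_slow(auth)))
    print("failures corroborated by firewall:", correlate(auth, fw))
```

Note that the slow detector only works because it sees the whole multi-day history at once; a stream processor holding a 60-second window would never flag 10.0.0.7, which is exactly the point of the paragraph about slow attacks needing queries over a large, fast-growing store rather than over a window of recent events.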

Slow attacks, of course, still need to be detected as quickly as possible. So, to summarize, we have massive and rapidly growing amounts of log data, to be queried on a near-real-time basis, spread across multiple tables (but nothing like a star schema once you consider several types of logs), with a mix of canned and ad-hoc queries. Wow! Maybe this is why people claim that slow attacks are harder to detect efficiently than fast ones. :)

Best greetings,

Dominik
