Research Article
System Anomaly Detection: Mining Firewall Logs
@INPROCEEDINGS{10.1109/SECCOMW.2006.359572, author={Robert Winding and Timothy Wright and Michael Chapple}, title={System Anomaly Detection: Mining Firewall Logs}, proceedings={1st International ICST Workshop on Enterprise Network Security}, publisher={IEEE}, proceedings_a={WENS}, year={2007}, month={5}, keywords={Data mining Firewall log analysis Intrusion Detection}, doi={10.1109/SECCOMW.2006.359572} }
Robert Winding
Timothy Wright
Michael Chapple
Year: 2007
WENS
IEEE
DOI: 10.1109/SECCOMW.2006.359572
Abstract
This paper describes an application of data mining and machine learning to discovering network traffic anomalies in firewall logs. A variety of issues and problems can occur with systems that are protected by firewalls: they can be improperly configured, operate unexpected services, or fall victim to intrusion attempts. Firewall logs often contain hundreds of thousands of audit entries per day. It is often easy to use these records for forensics if one knows that something happened and when; however, it is burdensome to review the logs manually for anomalies. This paper uses data mining techniques to analyze network traffic, based on firewall audit logs, to determine whether statistical analysis of the logs can be used to identify anomalies.
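As an added illustration of the idea the abstract describes, and not code from the paper or from Winding, Wright and Chapple, the following builds a baseline from several days of firewall audit log and flags two of the conditions the abstract lists: a service the firewall starts accepting that never appeared in the baseline (an unexpected service or a misconfiguration), and a per-source spike in denied connections (a scan or intrusion attempt), scored with a median/MAD robust z-score. The log format, the addresses and every log line are constructed for the example, and the two detection rules are my assumption of one reasonable statistical approach, not the authors' method.

```python
import re
import statistics
from collections import Counter, defaultdict

# Hypothetical, simplified firewall log format used only for this example:
#   <date> <time> <ACTION> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ (?P<action>ACCEPT|DROP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed baseline: three quiet days. Per-day DROP counts are
# 10.0.0.5 -> [2, 3, 4] and 10.0.0.7 -> [1, 1, 2].
BASELINE_LOGS = """
2006-03-01 09:00:01 ACCEPT 10.0.0.5:51234 -> 10.1.1.10:80 TCP
2006-03-01 09:05:12 DROP 10.0.0.5:51240 -> 10.1.1.10:23 TCP
2006-03-01 11:17:44 DROP 10.0.0.5:51301 -> 10.1.1.10:23 TCP
2006-03-01 12:30:00 ACCEPT 10.0.0.7:40001 -> 10.1.1.11:443 TCP
2006-03-01 13:02:09 DROP 10.0.0.7:40010 -> 10.1.1.11:22 TCP
2006-03-02 09:40:12 DROP 10.0.0.5:52011 -> 10.1.1.10:23 TCP
2006-03-02 10:01:55 DROP 10.0.0.5:52012 -> 10.1.1.10:23 TCP
2006-03-02 14:22:07 DROP 10.0.0.5:52090 -> 10.1.1.11:23 TCP
2006-03-02 15:10:00 DROP 10.0.0.7:40111 -> 10.1.1.11:22 TCP
2006-03-03 09:02:02 DROP 10.0.0.5:53001 -> 10.1.1.10:23 TCP
2006-03-03 09:03:03 DROP 10.0.0.5:53002 -> 10.1.1.10:23 TCP
2006-03-03 09:04:04 DROP 10.0.0.5:53003 -> 10.1.1.10:23 TCP
2006-03-03 09:05:05 DROP 10.0.0.5:53004 -> 10.1.1.11:23 TCP
2006-03-03 16:01:00 DROP 10.0.0.7:40201 -> 10.1.1.11:22 TCP
2006-03-03 16:02:00 DROP 10.0.0.7:40202 -> 10.1.1.11:22 TCP
"""

# Constructed observation day: 10.0.0.5 probes ten ports (all dropped) and a
# host starts accepting 3306/TCP, which the baseline never saw.
_SCAN_PORTS = [21, 22, 23, 25, 110, 135, 139, 445, 1433, 3389]
OBSERVED_LOGS = "\n".join(
    f"2006-03-04 02:00:{i:02d} DROP 10.0.0.5:600{i:02d} -> 10.1.1.10:{p} TCP"
    for i, p in enumerate(_SCAN_PORTS)
) + """
2006-03-04 09:00:00 ACCEPT 10.0.0.5:60100 -> 10.1.1.10:80 TCP
2006-03-04 10:00:00 ACCEPT 10.0.0.7:40300 -> 10.1.1.11:443 TCP
2006-03-04 10:05:00 DROP 10.0.0.7:40301 -> 10.1.1.11:22 TCP
2006-03-04 11:00:00 ACCEPT 10.0.0.7:40310 -> 10.1.1.20:3306 TCP
"""

def parse_log(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records

def service_profile(records):
    """Set of (dst, dport, proto) the firewall permitted: the known services."""
    return {(r["dst"], r["dport"], r["proto"]) for r in records if r["action"] == "ACCEPT"}

def denied_per_source_per_day(records):
    """{src: Counter(day -> DROP count)}; days with no entry count as zero later."""
    table = defaultdict(Counter)
    for r in records:
        if r["action"] == "DROP":
            table[r["src"]][r["day"]] += 1
    return table

def robust_z(value, baseline):
    """Median/MAD z-score, which a few bad baseline days do not distort.
    MAD == 0 is the edge case: a perfectly flat history makes any change infinite."""
    med = statistics.median(baseline)
    mad = statistics.median(abs(b - med) for b in baseline) * 1.4826
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return (value - med) / mad

def detect(baseline_text, observed_text, threshold=3.5):
    """Return newly accepted services and per-source denied-volume anomalies."""
    base, obs = parse_log(baseline_text), parse_log(observed_text)
    new_services = sorted(service_profile(obs) - service_profile(base))
    base_days = sorted({r["day"] for r in base})
    base_denied = denied_per_source_per_day(base)
    volume_anomalies = {}
    for src, by_day in denied_per_source_per_day(obs).items():
        history = [base_denied[src].get(d, 0) for d in base_days]
        for day, count in by_day.items():
            z = robust_z(count, history)
            if z > threshold:
                volume_anomalies[(src, day)] = z if z == float("inf") else round(z, 2)
    return {"new_services": new_services, "volume_anomalies": volume_anomalies}

if __name__ == "__main__":
    from pprint import pprint
    pprint(detect(BASELINE_LOGS, OBSERVED_LOGS))
```

Two design points carry over to real logs. The baseline is per source, so a host that is always noisy (10.0.0.7 here) is not flagged for behaving as it always does, while a previously quiet host is flagged at a modest absolute count. And the MAD-zero branch is where a source with no history lands: any denied traffic from a never-seen host scores as infinite, which is the right default for a small network and far too noisy for a large one, where a minimum history length or a prior would be needed before scoring.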