1st International ICST Workshop on Enterprise Network Security

Research Article

System Anomaly Detection: Mining Firewall Logs

@INPROCEEDINGS{10.1109/SECCOMW.2006.359572,
    author={Robert Winding and Timothy Wright and Michael Chapple},
    title={System Anomaly Detection: Mining Firewall Logs},
    proceedings={1st International ICST Workshop on Enterprise Network Security},
    publisher={IEEE},
    proceedings_a={WENS},
    year={2007},
    month={5},
    keywords={Data mining, Firewall log analysis, Intrusion Detection},
    doi={10.1109/SECCOMW.2006.359572}
}

Robert Winding (1,*), Timothy Wright (2,*), Michael Chapple (3,*)
  • 1: University of Notre Dame, 232 Info Technology Cntr, Notre Dame
  • 2: University of Notre Dame, 402 Grace Hall, Notre Dame
  • 3: University of Notre Dame, 233 Info Technology Cntr, Notre Dame
*Contact email: rwinding@nd.edu, twright@nd.edu, mchapple@nd.edu

Abstract

This paper describes an application of data mining and machine learning to discovering network traffic anomalies in firewall logs. A variety of issues and problems can occur with systems that are protected by firewalls: they can be improperly configured, operate unexpected services, or fall victim to intrusion attempts. Firewall logs often generate hundreds of thousands of audit entries per day. It is often easy to use these records for forensics if one knows that something happened and when; however, it can be burdensome to review the logs manually for anomalies. This paper uses data mining techniques to analyze network traffic, based on firewall audit logs, to determine whether statistical analysis of the logs can be used to identify anomalies.