A Declarative Framework for Intrusion Analysis

Matt Fredrikson

Abstract: In this paper we consider the problems of intrusion analysis, understanding, and recovery. More specifically, we identify the various difficulties associated with these problems, and propose a solution based on system events and the dependencies between them for simplifying our motivating problems. We then present a tool we have designed called SLog that presents a system administrator with all of the facilities required to analyze the event information present in system logs, and presents only the event information pertinent to an intrusion in a vastly simplified manner. We discuss the ways in which the major design goals of SLog - simplicity, extensibility, and scalability - are important when dealing with intrusions in realistic scenarios. Finally, we demonstrate the ability of SLog to accurately return a simplified view of the relevant events in a realistic intrusion case study.

Available as: PDF

Click here to download our software.

Click here to download our PowerPoint slides.