Today I am happy to release what I consider to be my most interesting old presentation - a full slide deck on log mining. It covers a few years of my research into using simple data mining techniques to analyze logs stored in a relational database. It even comes with examples of real intrusions caught by my algorithms as well as tips on reproducing my results in your environment.
Here is the abstract: "The presentation will describe methods for discovering interesting and actionable patterns in log files for security management without specifically knowing what you are looking for. This approach is different from "classic" log analysis and it allows gaining an insight into insider attacks and other advanced intrusions, which are extremely hard to discover with other methods. Specifically, I will demonstrate how data mining can be used as a source of ideas for designing future log analysis techniques that will help uncover the coming threats. The important part of the presentation will be the demonstration of how the above methods worked in a real-life environment."
As you know, I have long been a fan of using (eh, make that "trying to use" :-)) data mining techniques for log analysis, since I see questions such as "what do I search for?", "what report to run?", "what alerts to define?" (see some discussion here) as inherently too hard. Log mining holds the promise of automating the answers to these questions and thus moving log analysis beyond choosing and then running reports, alerts and correlation rules.
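To make the "without knowing what you are looking for" idea concrete, here is a small added example (my own illustration, not the slide deck's code or its actual algorithms). It loads a handful of constructed log records into SQLite, which stands in for the relational database the deck assumes, and runs two of the simplest mining queries: rare (host, user, event) combinations, and user/host pairs that first appear after a baseline period. Neither query encodes a signature; the analyst only decides what "rare" and "new" mean. Table and column names are my assumptions.

```python
import sqlite3

# Constructed sample records for illustration only: (timestamp, host, username, event).
# alice normally works on web01 and bob on db01; the last two rows are the odd ones out.
SAMPLE_LOGS = [
    ("2024-01-01 08:00", "web01", "alice", "login"),
    ("2024-01-01 12:00", "web01", "alice", "login"),
    ("2024-01-01 17:00", "web01", "alice", "logout"),
    ("2024-01-02 08:05", "web01", "alice", "login"),
    ("2024-01-02 17:30", "web01", "alice", "logout"),
    ("2024-01-01 09:00", "db01", "bob", "login"),
    ("2024-01-01 18:00", "db01", "bob", "logout"),
    ("2024-01-02 09:10", "db01", "bob", "login"),
    ("2024-01-02 18:05", "db01", "bob", "logout"),
    ("2024-01-03 02:13", "db01", "alice", "login"),
    ("2024-01-03 02:15", "db01", "alice", "sudo"),
]


def load_logs(rows):
    """Create an in-memory log table (assumed schema) and insert the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logs(ts TEXT, host TEXT, username TEXT, event TEXT)"
    )
    conn.executemany("INSERT INTO logs VALUES (?, ?, ?, ?)", rows)
    return conn


def rare_combinations(conn, max_count=1):
    """Rarity mining: return (host, username, event, count) triples that occur
    at most max_count times.  Nothing here says what an attack looks like;
    infrequent combinations are simply surfaced for a human to judge."""
    sql = """
        SELECT host, username, event, COUNT(*) AS n
        FROM logs
        GROUP BY host, username, event
        HAVING COUNT(*) <= ?
        ORDER BY COUNT(*), host, username, event
    """
    return conn.execute(sql, (max_count,)).fetchall()


def first_seen_after(conn, baseline_end):
    """Novelty mining: return (username, host, first_seen) pairs whose first
    appearance is later than baseline_end, i.e. combinations the baseline
    period never produced."""
    sql = """
        SELECT username, host, MIN(ts) AS first_seen
        FROM logs
        GROUP BY username, host
        HAVING MIN(ts) > ?
        ORDER BY MIN(ts)
    """
    return conn.execute(sql, (baseline_end,)).fetchall()


if __name__ == "__main__":
    db = load_logs(SAMPLE_LOGS)
    print("rare combinations:", rare_combinations(db))
    print("new user/host pairs:", first_seen_after(db, "2024-01-02 23:59"))
```

On this data the rarity query returns alice's single login and single sudo on db01, and the novelty query returns the alice/db01 pair, first seen on 2024-01-03. On real volumes the threshold and the baseline window are what you tune: a threshold of 1 on a large table floods the analyst with one-off noise, which is exactly why the results are a source of ideas for new reports and rules rather than alerts in themselves.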
Enjoy the slides!