System Anomaly Detection: Mining Firewall Logs

Abstract

This paper describes an application of data mining and machine learning to discovering network traffic anomalies in firewall logs. There is a variety of issues and problems that can occur with systems that are protected by firewalls. These systems can be improperly configured, operate unexpected services, or fall victim to intrusion attempts. Firewall logs often generate hundreds of thousands of audit entries per day. It is often easy to use these records for forensics if one knows that something happened and when. However, it can be burdensome to attempt to manually review logs for anomalies. This paper uses data mining techniques to analyze network traffic, based on firewall audit logs, to determine if statistical analysis of the logs can be used to identify anomalies