Identification of intrusion scenarios through classification, characterization and analysis of firewall events

Abstract

The content analysis of firewall logs is essential (i) to quantify and identify accesses to external and private networks, (ii) to follow the historical growth of accesses volume and applications used, (iii) to debug problems on the configuration of filtering rules and (iv) to recognize suspicious event sequences that indicate strategies used by intruders in attempts to obtain non-authorized access to stations and services. The paper presents an approach to classify, characterize and analyze events generated by firewalls. The proposed approach explores the case-based reasoning technique to identify possible intrusion scenarios. The paper also describes the validation of our approach carried out based on real logs generated during one week by the university firewall.