Abstract
System log files are valuable assets in detecting security violations and malicious attacks as well as in holding users responsible for their actions. However, the huge size of these logs makes it impractical for system administrators to examine them manually. This leaves potential threats logged but undetected. Several tools exist for automated log analysis and reporting, such as Swatch, Logsurfer, and Logcheck. Most of these tools depend on either detecting patterns of known attacks or eliminating patterns of normal behavior. This research aims to study UNIX system log files and log analyzers, and to present a new method for log analysis. The method is based on a systems access matrix that provides a set of rules for services in the network. For each service listed in the matrix, the rules specify access rights for every user, indicating the source hosts that the user can access that service from, and the destination hosts on which the service can be accessed. A tool called LogMatrix has been developed to examine the system logs and analyze them by comparing the actual events to the rules in the from/to access matrix.
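To make the from/to access matrix idea concrete, here is an added Python example (not the thesis's LogMatrix tool): a hypothetical access matrix keyed by service and user, a parser for an assumed syslog-style login line, and a checker that reports every logged event the matrix does not permit. The policy, hostnames and log format are all constructed for illustration.

```python
import re
# Constructed from/to access matrix (hypothetical policy, not the thesis's data):
# service -> user -> allowed source hosts ("from") and destination hosts ("to").
ACCESS_MATRIX = {
    "sshd": {
        "alice": {"from": {"ws01.example.test"}, "to": {"srv01.example.test"}},
        "bob": {"from": {"ws02.example.test", "ws03.example.test"},
                "to": {"srv01.example.test", "srv02.example.test"}},
    },
    "ftpd": {"alice": {"from": {"ws01.example.test"}, "to": {"srv02.example.test"}}},
}
# Assumed syslog-style line format (an assumption, not a real daemon's output):
# "<mon> <day> <time> <dest_host> <service>[pid]: login user=<user> from=<src_host>"
LOG_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<dest>\S+)\s+(?P<service>\w+)\[\d+\]: "
                    r"login user=(?P<user>\S+) from=(?P<src>\S+)$")

def parse_line(line):
    """Return a dict with keys service, user, src, dest for a matching line, else None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def check_event(ev, matrix=ACCESS_MATRIX):
    """Compare one parsed event to the matrix; None if permitted, else the rule it violates."""
    rule = matrix.get(ev["service"], {}).get(ev["user"])
    if rule is None:
        return "no rule for this user and service"
    if ev["src"] not in rule["from"]:
        return "source host not permitted"
    if ev["dest"] not in rule["to"]:
        return "destination host not permitted"
    return None

def analyze(lines, matrix=ACCESS_MATRIX):
    """Return (line, reason) for every line that violates the matrix or cannot be parsed."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        reason = "unparsed line" if ev is None else check_event(ev, matrix)
        if reason:
            findings.append((line, reason))
    return findings

# Constructed sample log: one permitted login followed by three different violations.
SAMPLE_LOG = [
    "Mar  3 10:01:12 srv01.example.test sshd[4021]: login user=alice from=ws01.example.test",
    "Mar  3 10:02:40 srv02.example.test sshd[4033]: login user=alice from=ws01.example.test",
    "Mar  3 10:05:07 srv01.example.test sshd[4050]: login user=bob from=ws09.example.test",
    "Mar  3 10:06:55 srv02.example.test ftpd[4071]: login user=carol from=ws02.example.test",
]
```

Lines that do not match the expected format are reported rather than silently skipped, since an unparsed record is exactly the kind of event that otherwise stays logged but undetected.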
El-Haj Mahmoud, Samer Ahmad (2002). A UNIX security log analyzer based on from/to access matrix. Master's thesis, Texas A&M University. Available electronically from https://hdl.handle.net/1969.1/ETD-TAMU-2002-THESIS-E39.