Organizing And Analyzing Logdata With Entropy, Sergey Bratus

No ratings

Presented at TROOPERS 2008 by

Sergey Bratus

I will show how entropy, a measure of information content defined by Shannon in 1948, can provide useful ways of organizing and analyzing logdata. In particular, we use entropy and mutual information heuristics to group syslog records and packet captures in such a way as to bring out anomalies and summarize the overall structure in each particular data set. I will show a modification of Ethereal that is based on these heuristics, and a separate tool for browsing syslogs. Our data organization heuristics produce decision trees that can be saved and applied to building views of other data sets. Our tools also allow the user to mark records based on relevance, and use this feedback to improve the data views. Our tools and algorithm descriptions can be found at http://kerf.cs.dartmouth.edu