Applying Term Weight Techniques to Event Log Analysis for Intrusion Detection

by Reuning, John R.

Strong similarities exist between intrusion detection and information retrieval. This paper explores the application of probabilistic information retrieval techniques to log analysis for host-based intrusion detection. Using information retrieval techniques may yield significant improvements to the performance of intrusion detection systems. This paper provides a brief review of current relevant research in intrusion detection and log analysis, introduces information retrieval methods appropriate for intrusion detection, and evaluates the effectiveness an experimental log analysis system using the 1999 DARPA Intrusion Detection Evaluation data sets. The system is based on Bayesian probability theory and uses a TF-IDF term weight measure to identify anomalies.