Section: Software
LogAnalyzer: a workbench for analyzing log streams
LogAnalyzer is an experimental workbench for validating our scientific results on adaptive intrusion detection [19]. This software offers two possible uses: off-line, interactive computation of intrusion diagnoses, and on-line intrusion detection dedicated to the processing of massive data streams.
The software is organized in three layers:
- the adaptive intrusion detection layer: it constitutes the core API, which implements the multi-diagnoser adaptive diagnosis approach (see 6.2.1),
- the applicative layer: it applies the core API to the structure of the log data. In our software, we developed this layer to detect intrusions in Apache HTTP logs,
- the graphical user interface layer, for off-line and interactive analysis.
The adaptive diagnosis layer is not dedicated to Apache HTTP log processing. This layer is standalone and can easily be instantiated for other kinds of structured data streams. A multi-threaded framework organizes the processing of the multi-diagnosers and of the meta-diagnoser, and triggers the adaptations. The concrete implementations of the diagnosers are components of an application layer dedicated to a specific kind of data stream.
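To make the layering concrete, here is an added illustration (not LogAnalyzer's code) of the generic pattern the paragraph describes: several diagnosers score each record of a structured stream, a meta-diagnoser combines their scores, and labelled records arriving in the stream trigger an adaptation of the combination. The weight-reinforcement rule, the two toy diagnosers and the record stream are all assumptions constructed for this example; the real multi-diagnoser approach is the one referred to in section 6.2.1.

```python
"""Generic multi-diagnoser / meta-diagnoser stream processor.

Added illustration, not LogAnalyzer's code: the weight-reinforcement
adaptation rule and the two toy diagnosers below are assumptions made
for this example, and the record stream is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple

Record = Dict[str, object]


@dataclass
class Diagnoser:
    """One detector: maps a structured record to an intrusion score in [0, 1]."""
    name: str
    score: Callable[[Record], float]


@dataclass
class MetaDiagnoser:
    """Combines diagnoser scores by weighted average and adapts the weights
    whenever a labelled record (ground truth) shows up in the stream."""
    diagnosers: List[Diagnoser]
    weights: Dict[str, float] = field(default_factory=dict)
    threshold: float = 0.5
    learning_rate: float = 0.25

    def __post_init__(self) -> None:
        for d in self.diagnosers:
            self.weights.setdefault(d.name, 1.0)

    def diagnose(self, record: Record) -> float:
        total = sum(self.weights.values())
        return sum(self.weights[d.name] * d.score(record) for d in self.diagnosers) / total

    def adapt(self, record: Record, label: bool) -> None:
        """Adaptation trigger: reward diagnosers whose own verdict agreed with
        the label, penalise the others (floored so none is silenced for good)."""
        for d in self.diagnosers:
            verdict = d.score(record) >= self.threshold
            if verdict == label:
                self.weights[d.name] += self.learning_rate
            else:
                self.weights[d.name] = max(0.1, self.weights[d.name] - self.learning_rate)


def run_stream(meta: MetaDiagnoser, stream: Iterable[Record]) -> List[Tuple[int, float]]:
    """Process records in order; return (record id, combined score) for each alert."""
    alerts = []
    for record in stream:
        score = meta.diagnose(record)
        if score >= meta.threshold:
            alerts.append((record["id"], round(score, 2)))
        if "label" in record:          # labelled record: feedback for adaptation
            meta.adapt(record, bool(record["label"]))
    return alerts


# Toy diagnosers over a minimal "request" record (path, status); the
# thresholds are arbitrary choices for the demo.
LONG_URI = Diagnoser("long_uri", lambda r: 1.0 if len(r["path"]) > 60 else 0.0)
ERROR_STATUS = Diagnoser("error_status", lambda r: 1.0 if r["status"] >= 400 else 0.0)

# Constructed stream: records 2 and 3 carry ground-truth labels.
CONSTRUCTED_STREAM: List[Record] = [
    {"id": 1, "path": "/index.html", "status": 200},
    {"id": 2, "path": "/" + "A" * 80, "status": 200, "label": True},
    {"id": 3, "path": "/missing", "status": 404, "label": False},
    {"id": 4, "path": "/" + "B" * 80, "status": 404},
]


def demo() -> Tuple[List[Tuple[int, float]], Dict[str, float]]:
    meta = MetaDiagnoser([LONG_URI, ERROR_STATUS])
    alerts = run_stream(meta, CONSTRUCTED_STREAM)
    return alerts, dict(meta.weights)


if __name__ == "__main__":
    alerts, weights = demo()
    print("alerts:", alerts)
    print("weights after adaptation:", weights)
```

Nothing in the framework part knows about HTTP: the diagnosers are the only components tied to the record layout, which is the separation between the core and the applicative layer described above. On the constructed stream the meta-diagnoser alerts on records 2 and 4, and after the two labelled records the diagnoser that was right both times (`long_uri`) ends up with three times the weight of the one that was wrong both times.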
The GUI of the software provides several applicative features:
- anonymization: logs may be anonymized to cope with (client and server) privacy issues,
- server activity reporting: a module draws curves of the evolution of the web server activity (number of requests per time unit, number of bot requests, ...),
- access log browsing and annotating: three log views (sequential view, transactional view and server image view) are provided to help the user browse huge amounts of data. In particular, this tool can help her/him to identify intrusions manually and to label them.
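The first two features above, applied to Apache "combined" access logs, as an added example that is not LogAnalyzer's code: the log lines are constructed, the pseudonymization scheme (keyed HMAC-SHA256 over the client host, referer dropped) and the bot heuristic (User-Agent substring match) are assumptions made for this illustration, and the report is the per-minute series from which an activity curve would be drawn.

```python
"""Apache access-log anonymization and server-activity reporting.

Added example, not LogAnalyzer's code. The log lines are constructed;
the keyed-hash pseudonymization and the User-Agent bot heuristic are
assumptions made for this illustration.
"""
import hashlib
import hmac
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

BOT_MARKERS = ("bot", "crawler", "spider")   # assumed heuristic, case-insensitive

# Constructed sample (documentation addresses); the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /about.html HTTP/1.1" 200 1048 "http://example.test/" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Googlebot/2.1"
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "GET /feed.xml HTTP/1.1" 404 0 "-" "Googlebot/2.1"
this line is not a valid access log entry
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    rec["time"] = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return rec


def anonymize(rec: Dict[str, object], key: bytes) -> Dict[str, object]:
    """Replace the client host by a keyed pseudonym and drop the referer.

    A keyed hash keeps one client's requests linkable to each other (needed
    for the transactional view) without exposing the address itself."""
    pseudonym = hmac.new(key, str(rec["host"]).encode(), hashlib.sha256).hexdigest()[:16]
    out = dict(rec)
    out["host"] = pseudonym
    out["referer"] = "-"
    return out


def is_bot(rec: Dict[str, object]) -> bool:
    agent = str(rec["agent"]).lower()
    return any(marker in agent for marker in BOT_MARKERS)


def activity_report(records: List[Dict[str, object]]) -> Dict[str, Tuple[int, int]]:
    """Per-minute (requests, bot requests): the series an activity curve is drawn from."""
    per_minute: Counter = Counter()
    bots_per_minute: Counter = Counter()
    for rec in records:
        minute = rec["time"].strftime("%Y-%m-%d %H:%M")
        per_minute[minute] += 1
        if is_bot(rec):
            bots_per_minute[minute] += 1
    return {m: (per_minute[m], bots_per_minute[m]) for m in sorted(per_minute)}


def process(text: str, key: bytes = b"constructed-demo-key"):
    """Parse, anonymize and report; malformed lines are skipped."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    anonymized = [anonymize(r, key) for r in records]
    return anonymized, activity_report(anonymized)


if __name__ == "__main__":
    recs, report = process(SAMPLE_LOG)
    for minute, (total, bots) in report.items():
        print(f"{minute}  requests={total}  bot_requests={bots}")
```

The anonymization key must be kept apart from the anonymized logs: anyone holding it can recompute the pseudonym of a candidate address, which is exactly the linkability the views need but the privacy goal must not leak. On the constructed sample the malformed fifth line is dropped, and the report shows two human requests in the first minute and two bot requests in the second.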
The software has been developed in C++/Qt4 and is still under improvement. The following website is devoted to the presentation of LogAnalyzer: http://www.irisa.fr/dream/LogAnalyzer/ .