Abstract

The need for a Firewall Log Filter (FLF). In many cases patterns can be detected by browsing the log data, but doing so is tedious. For example, a clever attack against an enterprise firewall cluster may be scattered over all of its firewalls, executed slowly from several different IP addresses, and alternate between all of the available protocols. In such a situation a log filter is needed to collect the correlated IP addresses. The firewall logs used were typically more than 100,000 lines, collected over a period of one day. From these entries, with a frequency threshold of 5,000 or more, the FLF was able to identify the pattern and generate a summary. When the frequency threshold was lowered to 50, the FLF was also able to refrain from generating summaries, saving computation and analysis time.
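The abstract describes the core of the filter: collect the log lines of every firewall in the cluster, correlate them by source address (the attacker may hop between firewalls and protocols), and generate a summary only for sources whose event frequency reaches a threshold. The following is an added example of that logic, written for this page; it is not the paper's FLF code. The log format, the firewall names fw1..fw3, the sample lines and the function names are all constructed for the example. It also goes slightly beyond the text by allowing aggregation over a /24 network (`prefixlen=24`), so that an attack spread over several nearby source addresses is still counted as one pattern.

```python
"""Added example: cross-firewall log correlation with a frequency threshold.
The log format, field names and sample lines are constructed for this example
and are not the format used in the paper."""
from collections import defaultdict
import ipaddress

# Constructed sample log lines from a three-node firewall cluster (fw1..fw3).
# Source 203.0.113.7 hits every firewall slowly, alternating protocols, so no
# single firewall's log shows a large count; only the cluster-wide view does.
SAMPLE_LOG = """\
fw1 2024-03-01T00:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22
fw2 2024-03-01T00:03:12 DROP src=203.0.113.7 dst=192.0.2.10 proto=udp dport=53
fw3 2024-03-01T00:07:45 DROP src=203.0.113.7 dst=192.0.2.11 proto=icmp
fw1 2024-03-01T00:12:09 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=443
fw2 2024-03-01T00:15:30 DROP src=203.0.113.9 dst=192.0.2.11 proto=udp dport=123
fw3 2024-03-01T00:19:02 DROP src=203.0.113.7 dst=192.0.2.12 proto=tcp dport=3389
fw1 2024-03-01T00:22:51 ACCEPT src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=443
fw2 2024-03-01T00:30:00 DROP src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=80
this line is not parseable
"""


def parse_line(line):
    """Parse one constructed log line ('fw ts action key=value ...') into a
    dict; return None for lines that do not have that shape."""
    parts = line.split()
    if len(parts) < 4:
        return None
    rec = {"firewall": parts[0], "ts": parts[1], "action": parts[2]}
    for kv in parts[3:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    if "src" not in rec or "proto" not in rec:
        return None
    return rec


def correlate(lines, prefixlen=32, actions=("DROP",)):
    """Aggregate records across all firewalls by source IP (prefixlen=32) or by
    source network (e.g. prefixlen=24). Returns {key: stats-dict}."""
    stats = defaultdict(lambda: {"count": 0, "firewalls": set(), "protocols": set(),
                                 "dports": set(), "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] not in actions:
            continue  # skip unparseable lines and uninteresting actions
        try:
            net = ipaddress.ip_network(f"{rec['src']}/{prefixlen}", strict=False)
        except ValueError:
            continue  # malformed source address
        s = stats[str(net)]
        s["count"] += 1
        s["firewalls"].add(rec["firewall"])
        s["protocols"].add(rec["proto"])
        if "dport" in rec:
            s["dports"].add(rec["dport"])
        s["sources"].add(rec["src"])
    return stats


def summarize(stats, threshold):
    """Emit one summary per aggregated source whose frequency reaches
    `threshold`, highest frequency first. Sources below the threshold get no
    summary at all, which keeps output proportional to suspicious traffic."""
    summaries = []
    for key, s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        if s["count"] < threshold:
            continue
        summaries.append({
            "key": key,
            "count": s["count"],
            "firewalls": sorted(s["firewalls"]),
            "protocols": sorted(s["protocols"]),
            "dports": sorted(s["dports"]),
            "sources": sorted(s["sources"]),
        })
    return summaries


def run(log_text=SAMPLE_LOG, threshold=3, prefixlen=32):
    """Filter a whole log text and return the list of summaries."""
    return summarize(correlate(log_text.splitlines(), prefixlen=prefixlen), threshold)


if __name__ == "__main__":
    for summary in run(threshold=3):
        print(summary)
    print("--- aggregated by /24 ---")
    for summary in run(threshold=3, prefixlen=24):
        print(summary)
```

With the threshold at 3, only 203.0.113.7 is summarized, with all three firewalls and three protocols listed, even though each individual firewall saw it at most twice; the /24 run folds 203.0.113.9 into the same pattern. Raising the threshold above the highest count produces no summaries, which is the "ignore generating summaries" behaviour the abstract mentions.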