Log File Analysis with Context-Free Grammars

Abstract

Classical ways of intrusion analysis from textual communication log files are either AI-based (such as by combinations of data mining with various techniques of machine learning), or they are based on regular expressions (such as the scanners implemented in the CISCO boxes). Whereas AI-based heuristics are not analytically exact, methods based on regular expressions do not reach very far in Chomsky's hierarchy of languages. In this short chapter we describe work in progress on the topic of parsing traces of network traffic with context-free grammars. "Green" grammars describe acceptable log files, whereas "red" grammars represent already known specific patterns of intrusion attempts. This technique can complement or augment the aready existing AI-approaches with additional precision. Analytically it is also more powerful than CISCO's technique on the basis of regular expressions.