Design and Implementation of a Lightweight Tool for Detecting Web Server Attacks

This thesis describes a monitoring tool for analyzing web server log files. The tool has several interesting characteristics. First, it can monitor requests sent to web servers in real time and send alarms to a system management tool. Second, its layered architecture allows the detection of numerous abnormal events, not limited to requests for vulnerable CGI scripts. Finally, it includes mechanisms for learning new attacks and for reducing the rate of false alarms. The design and implementation of the tool are described together with the experimental results obtained when the tool was tested at real sites.

By: Magnus Almgren

Published in: RZ3129 in 1999

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.

rz3129.ps

Questions about this service can be mailed to reports@us.ibm.com.