% chap8.tex
\chapter{Related Work}
Dealing with large audit trails is a problem that security platforms other than Aeolus face as well. In our summarization system, the application summarizes events in the audit trail before those events are deleted or archived, so that the information they carry survives even though the events themselves do not.
The intrusion detection system BackTracker \cite{backtracker} allows applications to track intrusion points into a system by analyzing operating system events, which are represented as a dependency graph. BackTracker also provides an analysis tool, GraphGen, to analyze those dependency graphs. As the dependency graphs get larger, GraphGen allows a system administrator to trim certain pre-defined events from the analysis, and lets the administrator define further events to be trimmed by means of regular expressions. While trimming events allows dependency graphs to be analyzed faster, it carries the risk of losing important information: a trimmed event may lie on the very dependency chain the administrator is trying to follow. Furthermore, trimmed events are never fully removed from the system; they are only hidden from the analysis tool, so the storage space consumed by the audit trail is not reduced. In contrast, our summarization scheme makes it safer for applications to remove events after summarizing them, while still keeping the important information contained in those events available for analysis through the event summaries.
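The contrast drawn above between analysis-time trimming and summarize-then-delete can be made concrete with a small example. The following code is an added illustration written for this chapter; it is not code from Aeolus, from BackTracker or from GraphGen, and the audit-trail record format, the sample trail, the trim rule and the summarization rule (collapsing runs of consecutive events with the same process, operation and object into one record carrying a count and a time range) are all constructed assumptions. It runs a BackTracker-style backward dependency walk from a sink file over three versions of the same trail: the full trail, a GraphGen-style trimmed view, and the summarized trail that would remain in storage after the originals are deleted.

```python
"""Added example (not from the thesis, Aeolus, or BackTracker): compares
analysis-time trimming, which hides events from the dependency analysis but
leaves them in storage, with summarize-then-delete, which replaces runs of
events by a summary record that the same analysis can still use.  The record
format and the trail contents below are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One audit-trail record.  An original event has first_ts == last_ts and
    count == 1; a summary record covers `count` events between the two stamps."""
    first_ts: int
    last_ts: int
    pid: str    # acting process
    op: str     # "read" or "write"
    obj: str    # file the process read or wrote
    count: int = 1


def ev(ts, pid, op, obj):
    return Record(ts, ts, pid, op, obj)


# Constructed trail: data from /etc/passwd flows p1 -> /tmp/out -> p2 ->
# /var/log/app.log -> p3 -> authorized_keys.  p2 writes the log file three times.
TRAIL = [
    ev(1, "p1", "read", "/etc/passwd"),
    ev(2, "p1", "write", "/tmp/out"),
    ev(3, "p2", "read", "/tmp/out"),
    ev(4, "p2", "write", "/var/log/app.log"),
    ev(5, "p2", "write", "/var/log/app.log"),
    ev(6, "p2", "write", "/var/log/app.log"),
    ev(7, "p3", "read", "/var/log/app.log"),
    ev(8, "p3", "write", "/home/alice/.ssh/authorized_keys"),
]
SINK = "/home/alice/.ssh/authorized_keys"

# Constructed GraphGen-style trim rule: treat log files as noise.
TRIM_RULES = [re.compile(r"^/var/log/")]


def trimmed_view(trail, rules):
    """Analysis-time trimming: returns the view the analyst sees.  The
    caller's trail is untouched, so the stored trail does not shrink."""
    return [r for r in trail if not any(p.search(r.obj) for p in rules)]


def summarize(trail):
    """Collapse each run of consecutive records with the same (pid, op, obj)
    into one summary record.  The returned list is what stays in storage;
    the original events can then be deleted or archived."""
    out = []
    for r in trail:
        if out and (out[-1].pid, out[-1].op, out[-1].obj) == (r.pid, r.op, r.obj):
            last = out[-1]
            out[-1] = Record(last.first_ts, r.last_ts, r.pid, r.op, r.obj,
                             last.count + r.count)
        else:
            out.append(r)
    return out


def backtrack(records, sink, at):
    """BackTracker-style dependency walk: every process and object that could
    have influenced `sink` as of time `at`.  Nodes are ("obj", name) or
    ("pid", name); each node is expanded at the latest time it mattered."""
    seen = {("obj", sink): at}
    work = [("obj", sink)]
    while work:
        kind, name = work.pop()
        t = seen[(kind, name)]
        if kind == "obj":      # which processes wrote this object at or before t?
            nxt = [("pid", r.pid, min(r.last_ts, t)) for r in records
                   if r.obj == name and r.op == "write" and r.first_ts <= t]
        else:                  # which objects did this process read at or before t?
            nxt = [("obj", r.obj, min(r.last_ts, t)) for r in records
                   if r.pid == name and r.op == "read" and r.first_ts <= t]
        for k, n, nt in nxt:
            if seen.get((k, n), -1) < nt:
                seen[(k, n)] = nt
                work.append((k, n))
    seen.pop(("obj", sink))
    return set(seen)


if __name__ == "__main__":
    full = backtrack(TRAIL, SINK, 8)
    view = trimmed_view(TRAIL, TRIM_RULES)
    kept = summarize(TRAIL)
    print("records in storage: full", len(TRAIL), "/ trimmed", len(TRAIL),
          "/ summarized", len(kept))
    print("deps, full trail:    ", sorted(full))
    print("deps, trimmed view:  ", sorted(backtrack(view, SINK, 8)))
    print("deps, summarized:    ", sorted(backtrack(kept, SINK, 8)))
```

On the full trail the walk recovers the whole chain back to \texttt{/etc/passwd}. On the trimmed view the chain stops at \texttt{p3}, because the log-file events that link \texttt{p3} to \texttt{p2} were hidden, while the stored trail is still eight records long. On the summarized trail the three log writes have become one record, storage drops to six records, and the walk still recovers the same chain, because the summary keeps the fields the analysis needs (process, operation, object and a time range).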
%Industry systems such as Microsoft Dynamic GP Audit Trails \cite{msft} allow system administrators to backup the log and truncate it.
The importance of allowing systems that rely on audit trails to reduce the size of the audit trail while still retaining important information is well recognized in the research community \cite{at-red, intro-nist, Lunt1993405}. However, few systems have been built to address this problem \cite{ids}. Possible uses of data compression \cite{ids} and artificial intelligence \cite{ai} techniques have been surveyed and discussed in the past, but to our knowledge none has been implemented.