Correlation of system events: High performance classification of SELinux activities and scenarios

Abstract

This paper presents an architecture for characterizing and classifying the activities occurring on a computer. These activities are considered from a system point of view; the current implementation works on information taken from SELinux system logs. Starting from individual system events and following an incremental approach, the paper shows how to characterize high-level, macro activities occurring on the system and how to classify them. It gives the formal basis of the approach and presents our implementation. The experimental results use real samples taken from our honeypot, and the correlation results are obtained using grid computation. This high performance architecture makes it possible to process the large volume of events captured over one year on a high interaction honeypot.
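The building blocks the abstract describes are the parsing of SELinux events, their correlation into higher-level activities, and the classification of those activities. The following example, added here and not taken from the paper or its implementation, shows a minimal version of that pipeline in Python: it parses Linux audit AVC records, correlates them into per-process sessions, reduces each session to the (target type, object class, permission) triples it exercised, and labels the session with a few signature rules. The log lines are constructed, and the signature rules (`shell_and_callback`, `credential_access`) are illustrative assumptions; the paper's own formalism and classifier are not reproduced here.

```python
import re

# Constructed sample records in Linux audit AVC format (not from the paper's honeypot).
SAMPLE_LOG = """\
type=AVC msg=audit(1199145600.101:201): avc:  denied  { read } for  pid=2310 comm="httpd" name="shadow" dev=sda1 ino=6120 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1199145600.205:202): avc:  denied  { execute } for  pid=2310 comm="httpd" name="sh" dev=sda1 ino=4410 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1199145601.330:203): avc:  denied  { name_connect } for  pid=2310 comm="httpd" dest=6667 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1199145900.002:204): avc:  denied  { read } for  pid=4071 comm="sshd" name="config" dev=sda1 ino=9912 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    ev = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        ev[key] = val.strip('"')
    ev["pid"] = int(ev.get("pid", -1))
    return ev


def type_of(context):
    """Return the SELinux type from a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def correlate(events, window=60.0):
    """Group events by (pid, source type); a gap longer than `window` seconds opens a new session.

    Sessions are returned in order of their first event.
    """
    sessions = []
    open_session = {}  # (pid, source type) -> index of the currently open session
    for ev in sorted(events, key=lambda e: (e["ts"], e["serial"])):
        key = (ev["pid"], type_of(ev["scontext"]))
        idx = open_session.get(key)
        if idx is None or ev["ts"] - sessions[idx][-1]["ts"] > window:
            sessions.append([ev])
            open_session[key] = len(sessions) - 1
        else:
            sessions[idx].append(ev)
    return sessions


def characterize(session):
    """Reduce a session to the set of (target type, object class, permission) triples it exercised."""
    return {
        (type_of(ev["tcontext"]), ev["tclass"], perm)
        for ev in session
        for perm in ev["perms"]
    }


def classify(session):
    """Label a session with illustrative signature rules (assumed, not the paper's classifier)."""
    feats = characterize(session)
    source = type_of(session[0]["scontext"])
    ran_shell = ("shell_exec_t", "file", "execute") in feats
    called_out = any(cls == "tcp_socket" and perm == "name_connect" for _, cls, perm in feats)
    if source == "httpd_t" and ran_shell and called_out:
        return "shell_and_callback"   # web process spawning a shell and connecting outbound
    if ("shadow_t", "file", "read") in feats:
        return "credential_access"
    return "unclassified"


def analyze(log_text, window=60.0):
    """Run parse -> correlate -> classify over raw log text; return (label, event count) per session."""
    events = [ev for ev in map(parse_avc, log_text.splitlines()) if ev is not None]
    return [(classify(s), len(s)) for s in correlate(events, window)]


if __name__ == "__main__":
    for label, count in analyze(SAMPLE_LOG):
        print(f"{label}: {count} events")
```

The session window and the per-process key are the correlation choices that matter most: a window that is too short splits one attack into several unrelated sessions, and keying on pid alone would merge unrelated activity after pid reuse, which is why the source type is part of the key.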

Publication
The 2008 High Performance Computing & Simulation Conference, Workshop on Security and High Performance Computing Systems