engleski

Detecting network applications using firewall logs

Every day, many firewall logs are generated that contain a lot of useful information about devices and applications in the network. In this paper, we try to detect network applications using only data in firewall logs. Detection of such applications could be used for audit, gaining a better visibility into the network, and to create better firewall policies. Two approaches were implemented for network application detection, one based on the classification methods and the other based on distances between samples using three different metrics. The methods we experimented with were based on ports and IP addresses only. The analysis of ports was done to reduce the number of different ports used as features for classification. In addition to the methods implemented, a measure of certainty was developed based on the number of different ports used for classification. Based on the partial knowledge of the target environment, the methods were continuously improved, from which conclusions were drawn and results presented. In reviewing the results, an analysis of the results of the two approaches was carried out. The approaches were compared based on the advantages and disadvantages of each approach in terms of the information they provide.

network applications ; firewall ; logs ; classification

nije evidentirano