Abstract
The central role of audit trails, or (more properly) logs, in security monitoring
needs little description, for it is too well known for any to doubt it.
Auditing, or the analysis of logs, is a central part of security not only in
computer system security but also in analyzing financial and other non-technical
systems. As part of this process, it is often necessary to reconcile logs from
different sources.
Consider for example intrusion detection over a network. In this scenario,
an intrusion detection system (IDS) monitors several hosts on a network, and
from their logs it determines which actions are attempts to violate security
(misuse detection) or which actions are not expected (anomaly detection). As
some attacks involve the exploitation of concurrent commands, the log records
may involve more than one user, process, and system. Further, should the system
security officer decide to trace the connections back through other systems,
he must be able to correlate the logs of the many different heterogeneous systems
through which the attacker may have come.
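The reconciliation problem the abstract describes, as an added illustration that is not part of the paper: two hosts write logs in different formats, so they are first normalized into one common record shape and then correlated to walk a login chain back through the intermediate hosts. The log lines, the host names and the address inventory are all constructed for this example; the two formats are hypothetical and stand in for any pair of heterogeneous sources.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs from two hypothetical hosts (not from the paper).
# Host "gw" writes syslog-style lines; host "db" writes a CSV-style audit file.
SYSLOG_LINES = [
    "2024-01-05T10:00:01Z gw sshd[411]: Accepted password for alice from 198.51.100.7 port 51022",
    "2024-01-05T10:00:40Z gw sshd[411]: session opened for user alice",
]
CSV_LINES = [
    "2024-01-05T10:01:12Z,db,login,alice,10.0.0.5",
    "2024-01-05T10:02:00Z,db,login,bob,10.0.0.9",
]
# Constructed inventory mapping monitored hosts to their addresses.
HOST_ADDRS = {"gw": "10.0.0.5", "db": "10.0.0.20"}


@dataclass(frozen=True)
class Record:
    """Common record shape that every source is normalized into."""
    ts: datetime
    host: str
    user: str
    src: str  # address the login came from


SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_syslog(line):
    """Keep only successful-login lines from the syslog-style source."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return Record(_parse_ts(m["ts"]), m["host"], m["user"], m["src"])


def parse_csv(line):
    """Keep only 'login' rows from the CSV-style source."""
    ts, host, action, user, src = line.split(",")
    if action != "login":
        return None
    return Record(_parse_ts(ts), host, user, src)


def normalize(syslog_lines, csv_lines):
    """Merge both sources into one time-ordered list of common records."""
    recs = [r for r in map(parse_syslog, syslog_lines) if r]
    recs += [r for r in map(parse_csv, csv_lines) if r]
    return sorted(recs, key=lambda r: r.ts)


def trace_back(records, host_addrs, end_host, end_user, window=timedelta(minutes=10)):
    """Walk a login chain backwards from the final host: find the login that
    produced the session there, then the login on the host it came from, and
    so on, until the source address is outside the monitored inventory."""
    addr_to_host = {a: h for h, a in host_addrs.items()}
    chain = []
    host, user, ts_limit = end_host, end_user, None
    while True:
        candidates = [
            r for r in records
            if r.host == host and r.user == user
            and (ts_limit is None or ts_limit - window <= r.ts <= ts_limit)
        ]
        if not candidates:
            break
        r = max(candidates, key=lambda rec: rec.ts)  # latest login before the downstream one
        chain.append(r)
        prev_host = addr_to_host.get(r.src)
        if prev_host is None:  # source is not a monitored host: the chain ends here
            break
        host, ts_limit = prev_host, r.ts
    return chain


if __name__ == "__main__":
    for rec in trace_back(normalize(SYSLOG_LINES, CSV_LINES), HOST_ADDRS, "db", "alice"):
        print(f"{rec.ts:%H:%M:%S} {rec.user}@{rec.host} <- {rec.src}")
```

Because both parsers emit the same `Record` type, the correlation step never needs to know which format a line came from; that separation is what a common log format buys an auditor, and it is where the two `parse_*` functions would be replaced by real ones for each system in the chain.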