Audit Log Analysis Using the Visual Audit Browser Toolkit

James A. Hoagland, Chris Wee, Karl Levitt
{hoagland,wee,levitt}@cs.ucdavis.edu
Department of Computer Science, University of California, Davis
Davis, CA 95616

Abstract

This paper describes the design and implementation of the Visual Audit Browser (VAB) Toolkit, which provides a visual interface for browsing Sun BSM audit logs. Applications of the VAB Toolkit include investigating security violations and more routine system administration tasks. The low level of abstraction in the logs, the large size of the logs, and the lack of any indication of associations in the logs are some of the difficulties in manually analyzing audit logs, particularly system-level audit logs. The tools employ several audit visualization techniques, including graphing, replay of audit events (movies), hypertext organization, and slicing. By highlighting relevant associations between objects and events, the VAB Toolkit gives easier access to related data than textual browsing does. This allows the user to more easily reach new and useful conclusions about the information presented, as well as to confirm suspected facts. The tools are also compared to relational-database-based audit querying and shown to be an improvement, except perhaps when queries can be easily formulated and not too many associations are needed to reach the intended conclusions. Despite the benefits, users of the tools in the VAB Toolkit are still challenged by the low-level nature of BSM auditing, and some of the tools are challenged by scalability with respect to the size of the log. However, audit reduction can help mitigate these problems.