ÆCID is a partially self-learning, whitelisting-based anomaly detection system operating on log file collections in computer networks – scalable from small industrial control systems to large-scale enterprise infrastructures. ÆCID digests log output from the network layer (e.g., firewalls, switches, routers) and application layer (e.g., Web servers, DNS, application servers etc.). It detects anomalies of various kinds, including unusual single events, anomalous event parameters, deviating event frequencies, and – most important – suspicious violations of trained event correlations. It can notify operators via numerous channels about discovered anomalies.
Advantages of ÆCID
- Self-learning – no human effort for manual definition of rules, thus easier set up and cost efficient maintenance.
- No specific parsers – ÆCID uses a patented solution to build up system behavior models to understand relevant events and their relations.
- Effective applicability in legacy systems and systems with low market share – through self-learned model instead of manually defined parsers.
- Correlation of events across systems, protocols and layers – ÆCID understands events of varying abstraction levels and can use multiple mining instances for increased scalability.
- ÆCID does not replace an existing security solution – but runs in parallel and can be connected to SIEM Solutions
AECID Demonstration Video
This video shortly introduces the logdata-anomaly-miner (AMiner) and its capabilities. The component allows to create log analysis pipelines to analyze log data streams and detect violations or anomalies. It can be run from console, as daemon with e-mail alerting and interfacing message queues or embedded as library into own programs. It was designed to run the analysis with limited resources and lowest possible permissions to make it suitable for production server use.
Analysis methods demonstrated in this video include:
- Pattern detection similar to logcheck but with extended syntax and options (open-source)
- ComboDetector for the detection of new data elements (IPs, user names, MAC addresses) and their combined occurrences (open-source)
- VariableTypeDetector for statistical anomalies of parameter values, distributions, and frequencies (not open-source)
- CorrelationDetector for generating and checking event correlation rules (not open-source)
The tool is suitable to replace logcheck but also to operate as a sensor feeding a SIEM.
See Documentation and Downloads here.