Whodunnit?: an intrusion analysis system

Annual Information Security Symposium (2004)

Abstract
Intrusion analysis has traditionally been a very arduous and largely manual task. The reasons vary from insufficient logs to a lack of proper tools for analysing the available audit logs. In our work, we hope to build an intrusion analysis system that can efficiently provide precise answers to the questions most commonly asked by system administrators investigating an intrusion. We take the view that the failings of today's intrusion analysis tools can be largely attributed to insufficient auditing. In our work, we capture all the necessary dependency relationships between system events so that precise intrusion analysis is possible.