Proceedings of the 13th USENIX Security Symposium
Kerf is a toolkit for post-hoc intrusion analysis of available system logs and some types of network logs. It takes the view that this process is inherently interactive and iterative: the human analyst browses the log data for apparent anomalies, and tests and revises his hypothesis of what happened. The hypothesis is alternately refined, as information that partially confirms the hypothesis is discovered, and expanded, as the analyst tries new avenues that broaden the investigation.
Aslam, Javed; Bratus, Sergey; Kotz, David; Peterson, Ron; and Rus, Daniela, "Kerf: Machine Learning to Aid Intrusion Analysts" (2004). Open Dartmouth: Faculty Open Access Articles. 3077.