A method of analyzing computer intrusion detection information that looks beyond known attacks and abnormal access patterns to the critical information that an intruder may want to access. Unique target identifiers and type of work performed by the networked targets is added to audit log records. Analysis using vector space modeling, dissimilarity matrix comparison, and clustering of the event records is then performed.
STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
The United States Government has rights in this invention pursuant to Contract No. DE-AC05-00OR22725 between the United States Department of Energy and UT-Battelle, LLC.