Kerf, a security-log visualization tool (2003-2005)

This project is no longer active; this page is no longer updated.


The text on this page was written contemporaneously with the project.

Kerf (formerly known as Sawmill) is a set of tools designed to help system administrators analyze intrusions in their network of workstations. Our tools collect host and network log data in secure databases, allow administrators to run sophisticated searches using our SQL-language variant (SawQL, pronounced saw-kwill), and present the results through a browsable graphical interface. We view the SawQL inquiry as a representation of the sysadmin's hypothesis about the intrusion; our tools interactively refine that hypothesis into a more precise picture of the attack. All results may be recorded for future reference or referral to authorities.

Project Goals


Answer questions:

More Specifically:

Research Outcome

New Intrusion Analysis Tools

Old Process

Iterative hypothesis refinement

New Process

Iterative hypothesis refinement

Automated hypothesis refinement

Unique Contributions and Deliverables

Relevance (Government and Industry)

Relationship with other projects

Intrusion detection systems

Internet Detection Working Group of Internet Engineering Task Force

MIT Lincoln Labs




Talk slides


Jay Aslam, Sergey Bratus, Marco Cremonini, David Kotz, Kevin Mitcham, Ron Peterson, Daniela Rus, Brett Tofel, and students Kyle Smith, Virgil Pavlu, and Wei Zhang.

Funding and acknowledgements

The Kerf project was supported by ISTS with funds from the DHS Science and Technology Directorate.

The views and conclusions contained on this site and in its documents are those of the authors and should not be interpreted as necessarily representing the official position or policies, either expressed or implied, of the sponsor(s). Any mention of specific companies or products does not imply any endorsement by the authors or by the sponsor(s).

Papers (tagged 'kerf')
