The Kerf Toolkit For Intrusion Analysis

J Aslam, S Bratus, D Kotz, R Peterson, D Rus, B Tofel

IEEE Security and Privacy (2003)

Abstract
We consider the problem of intrusion analysis and present the Kerf Toolkit, whose purpose is to provide an efficient and flexible infrastructure for the analysis of attacks. The Kerf Toolkit includes a mechanism for securely recording host and network logging information for a network of workstations, a domain-specific language for querying this stored data, and an interface for viewing the results of such a query, providing feedback on these results, and generating new queries in an iterative fashion. We describe the architecture of Kerf, present examples to demonstrate the power of our query language, and discuss the performance of our implementation of this system.
Keywords
integrated front end, post-attack intrusion analysis, intrusion analysis, kerf toolkit, data-representation tool, system administrator, powerful correlation, query language, domain specific language, data structures