
Using Hidden Markov Model in Anomaly Intrusion Detection

Contents:

 

  1. Hidden Markov Model (HMM) description
  2. Using HMM to model a user's behavior
  3. Using a Hidden Markov Model for intrusion detection on SIAC log data
  4. Why did HMM fail at anomaly detection on the SIAC log data?

 

 Abstract:


Hidden Markov Models (HMMs) have been used successfully in speech recognition and in several classification areas. Since anomaly intrusion detection can be treated as a classification problem, we first propose a basic approach for using an HMM to model a user's behavior. We then tried HMM modeling on real log data from the SIAC company. The results are not good, for three reasons: 1. the SIAC data carries too little information that can distinguish normal from anomalous behavior; 2. anomaly intrusion detection is a very hard topic, still at the academic research stage with no real application so far; 3. HMMs suit one-dimensional sequence classification, such as voice waveforms or spectra, whereas typical anomaly detection data are multi-dimensional sequences that mix continuous and discrete variables. It seems that the HMM is not well suited to the anomaly intrusion detection task.

 

1. Hidden Markov Model Description

 

      A Hidden Markov Model is a finite set of states, each associated with a (generally multidimensional) probability distribution. Transitions among the states are governed by a set of probabilities called transition probabilities. In a particular state an outcome, or observation, is generated according to the associated distribution. Only the outcome, not the state, is visible to an external observer, so the states are "hidden" from the outside; this is where the name Hidden Markov Model comes from.

 

      Traditionally, Markov models have been used to model many real-world processes successfully. For some other processes, however, the strict Markov assumption that the next state depends only on the current state does not hold, so we need more general models that can handle such processes while retaining the good properties of the Markov model. This motivated the Hidden Markov Model. An HMM is a doubly embedded stochastic process with two levels. The upper level is a Markov process whose states are unobservable. The observation is a probabilistic function of the upper-level Markov state, and different Markov states have different observation probability functions.

 

      This two-level structure is the main idea and the main advantage of the HMM. It can model much more complicated stochastic processes than a traditional Markov model. In speech recognition, HMMs have been widely used to analyze human auditory signals as speech patterns [1]. In modeling dynamic human control strategy, [2] uses HMMs to classify different human behavior patterns. Transient sonar signals are analyzed with HMMs for ocean surveillance [4]. [5] analyzes 30-electrode neuronal spike activity in a monkey's visual cortex with HMMs. [6] classifies task structure in teleoperation based on HMMs. [7] uses HMMs to characterize sequential images of human actions.

  

2. Using HMM to model a user's behavior

 

       In intrusion detection research, most effort currently goes into misuse detection, since it is straightforward and easy to implement. But it has inherent disadvantages. Gathering the required information on a known attack is difficult (you must inspect the content of TCP packets, and even that may not be enough). The most severe disadvantage is that it may fail to detect attempts against new and unforeseen vulnerabilities [4].

 

    So we should also do research on the anomaly detection approach. Here we make an effort at user-based anomaly detection. That is, we do not use our method to detect every class of intrusion; we use it only to detect someone who has illegally logged in as a local user or as root on a system.

 

    To model a normal user's behavior, we believe a good model should give a reasonable explanation of the real system. We think the Hidden Markov Model satisfies this condition, for three reasons.

 

(1). A computer user on a system has some kind of routine behavior, especially a long-term user. This is what anomaly detection IDSs are based on.

 

(2). When a user uses the computer, he is in some kind of state corresponding to what he mainly wants to do at that moment. At one time the user wants to browse web sites for shopping or fun; at another time he wants to program or play a network game, and so on. In each state the user mainly issues commands or actions that belong to that state, and the dominant command type differs from state to state. So, statistically, the distribution of each kind of connection or command differs from one state to another.

 

(3). The transition from one state to another can be treated roughly as a modified Markov process. We treat the state duration time as Gaussian distributed, because a person doing a task is not memoryless, so an exponential distribution cannot be used. As for the transition decision, a person usually decides which task to do next based on the previous several tasks he has done, not only on the current state as in a Markov process, so we treat the transition probability as conditioned on earlier states. These modifications can be made while still using the HMM machinery, as has been done in speech recognition [1].

 

  From these three aspects we believe an HMM can model a computer user's behavior in a fairly understandable and accurate way.

 

2.1 Where can we use HMM in Intrusion Detection?

 

   Since the HMM is used to model a normal user's behavior, using an HMM is an anomaly intrusion detection method; it belongs to the class of anomaly intrusion detection systems.

 

   We do not use the HMM to model outside users who have not logged in as a local user. In our approach the anomaly intrusion detection system uses an HMM to model each legitimate local user's behavior. Once a local user logs in, the IDS tracks the user's actions until he logs out. By comparing them with this user's HMM, it can tell whether this session is abnormal or not.

 

  The system can detect two classes of intrusion: abnormal usage by local users, and illegal outsiders who in some way gained access to a local user's account or privileges. The second detection relies on the fact that an intruder's behavior while using a local user's account will differ significantly from that of the normal user.

 

   It should be noted that anomaly intrusion detection is not suitable for detecting every kind of intrusion, for the following reasons:

1.       The number of connections through the network is large; an on-line store, for example, may have thousands of connections from different users at the same time, and the computational overhead of checking each user's behavior is infeasible.

 

2.       Compared with normal users' connections, intrusion events are rare. So making a judgment on every user's connection will either generate a large false alarm rate or miss some intrusions. Information theory explains this intuitively: every connection is very likely to be a normal connection, so if you check them one by one to judge whether they are normal, you spend a lot of effort reaching an almost certain decision, i.e., you gain very little information from each judgment.

 

3.       A hacker can spoof the source IP address of intrusion connections, as in the Land attack, so from network audit data you may not be able to distinguish one user from another.
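   To make the second reason concrete, here is a worked Bayes calculation added to this page (it is not part of the original text); the base rate, detection rate and false alarm rate are assumed numbers chosen only for illustration:

```latex
\text{Assume } P(I) = 10^{-4} \text{ (fraction of connections that are intrusions)},\quad
P(A \mid I) = 0.9 \text{ (detection rate)},\quad
P(A \mid \neg I) = 0.01 \text{ (false alarm rate per connection)}.
\\[6pt]
P(I \mid A) = \frac{P(A \mid I)\,P(I)}{P(A \mid I)\,P(I) + P(A \mid \neg I)\,P(\neg I)}
            = \frac{0.9 \cdot 10^{-4}}{0.9 \cdot 10^{-4} + 0.01 \cdot 0.9999}
            \approx 0.0089
\\[6pt]
H(P(I)) = -p \log_2 p - (1-p)\log_2 (1-p) \Big|_{p=10^{-4}} \approx 0.0015 \text{ bits per connection}
```

   Under these assumptions about 99 alarms in 100 are false even though only 1% of normal connections trigger one, and the entropy line shows the same thing from the information-theoretic side: a per-connection normal/abnormal decision can yield at most about 0.0015 bits, which is why per-connection judgments give so little information for the effort spent.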

  

   So an IDS should combine an anomaly detection IDS (AD-IDS) with a misuse detection IDS (MD-IDS). Each concentrates on different aspects of the audit data to detect different classes of intrusion.

 

   For example, the DARPA intrusion detection evaluation program [2] basically distinguishes 4 classes of intrusion:

(1). Denial of Service (DoS). 

(2). User to Root (U2R).

(3). Remote to Local (R2L).

(4). Probes. 

 

   In a U2R attack the hacker starts from a user account and gains root access on the local system; in an R2L attack the attacker gains local access as a user of the local system through the network. In both attacks the hacker behaves as a local user before or after the attack. The hacker's behavior will differ from the normal user's and is recorded in the audit data: login time, command types, the time of each command, etc. Thus for these two classes of intrusion an AD-IDS is suitable, and we can construct an HMM to match each user's behavior. This approach is feasible because:

 

(1). As stated above, an HMM is well suited to modeling human behavior. We can use mature statistical and stochastic techniques to process the large amount of audit data.

 

(2). For a local system, the number of normal user accounts is limited and not very large. A normal user account means a user who can log in, access the local system's resources and perform operations; it does not include the enormous number of on-line accounts (for example, the customers of a bank). Thus we can build a different HMM for each user, and the computation of the IDS is feasible and can be used on-line.

   

   If the number of users is large, we can build one HMM for two or more users who behave similarly. Of course, this type of modeling will probably have a larger false alarm rate than the previous one.

 

   For the other two classes of attack, DoS and probes, a misuse detection IDS is suitable, since the attackers do not log in as local users and can spoof their identity. A misuse detection IDS usually collects enough information about connections from the audit data and makes decisions based on some kind of knowledge or rules. But in this area a careful hacker can change his attack style, or embed the attack steps in normal traffic to make it look more like a normal connection. How to construct rules comprehensive enough to deal with this is still an open research problem.

 

 

2.2 How to use HMM to model user behavior?

 

   Here we describe the specific hidden Markov model we will use to model a normal user's behavior on a computer network. We will not simply take the original HMM into anomaly detection. Instead, we make the modifications necessary for it to describe a user's behavior more precisely.

 

1). How to select state number?

    As discussed above, a state in our model represents an abstract, relatively stable status of a computer user, corresponding to what the user currently mainly wants to do. From the audit data's point of view, each state has mainly a different type of command. For example, when a user is programming, most commands will be editing and running C programs; when he changes to browsing web sites and dealing with email, most commands will be of HTTP and SMTP type.

 

   So after investigating each user's behavior (for example, by interviewing each user), it is not difficult for a system manager to select how many states a specific user's HMM should have. The system manager can also decide whether to merge two or three users with similar behavior into one group, and choose the state number accordingly.

 

2). The critical states in the HMM: the initial state and the user-to-root state.

 

   Since every user's actions begin after login (we do not consider whether he first accessed the local system as an outsider or not), we add the login as an initial state of the HMM. The initial state is the entry state; it records some information about the user, such as user name, login time, source IP address, number of login failures, etc.

 

   The initial state is important: it is roughly the first security gate. Here we can take in some misuse detection ideas and check the user's suspicion rate based on knowledge and rules. This is the first "burglar alarm" trigger [1] implemented in our anomaly detection.

 

   Actually we will put many good misuse detection techniques into our modeling and IDS, although our system is an anomaly detection IDS. The two methods should cooperate and be combined tightly for better performance.

 

    Among all intrusion actions, a large percentage aim at illegally gaining root access on a local computer system, either from a local user account (U2R) or directly from outside (R2L). So adding a burglar alarm trigger on the change to root privilege is very important [3]. We add a state corresponding to this, called the user-to-root state. As in Bottleneck Verification [3], this state records information about how root privilege was obtained. We can then check whether this transition is similar to this user's normal transition to root. In the overall HMM matching algorithm we put a heavy weight on this state's matching score. If a user usually logs in as a supervisor, the user-to-root state is the same as the initial state.

 

3). How to partition commands sequence in audit data into discrete states?

 

   In a discrete hidden Markov model each state emits one observation, and then the state transfers to another state or to itself. But in our model each state emits many observations, i.e., computer commands. So when we check the audit data against the user's HMM, we must first partition the command sequence in the audit data into discrete groups to do the state matching.

 

   We know that different states have different dominant command types. For example, in root's file management state the file processing commands appear with very high frequency, while in the web browsing state the HTTP commands are frequently used. Here we use the "window" concept in our model. For example, if within the last 20 commands the dominant command type has changed from A to B, then we know the state has transferred from state A to state B. Two types of window can be used: a time window and a command-count window. The above example is a command-count window; a time window checks the command sequence within the last fixed time interval. We will do further research and experiments to see which one is better.

 

4). What information should be recorded in state?

 

   The simplest way is just to record the distribution of command names in a state. This is what an ordinary HMM would do. But for intrusion detection this is surely not enough. To make detection more accurate, we should use some rule-based detection techniques [5] to add features such as: command duration time, state duration time (treated as Gaussian distributed, as discussed above), overall command count, number of "hot actions" (e.g., access to system directories, creation and execution of programs, etc.), number of accesses to "access control" files (e.g., /etc/passwd, .rhosts), etc. How many features to include will be determined by the number of users, the number of states and the false alarm rate.

 

2.3 How to use training data to train HMM models?

 

    To make the HMM of a user's behavior more accurate, and to make the model adaptive, we need an algorithm to train the HMM from training data.

 

    From the discussion above, the state number is predetermined and need not change during training. Since we have partitioned the command sequence in the audit data into separate parts, each with its own dominant command type, it is easy to know which state the user has transferred to. So, unlike an ordinary hidden Markov model, in which the state is unobservable, here the Markov state is almost surely observable. Therefore the state transition probabilities and state duration times can be calculated easily from the training data.

 

    For the information in each state, the distribution of commands is obtained easily by calculating their frequencies. Other parameters, such as command duration time, number of hot actions and number of accesses to critical files, we treat as Gaussian distributed. This approximation is reasonable and simple to implement.

 

    It should be noted that since most parameters in the HMM have a physical meaning, the system manager can set their initial values in advance. This makes the training task lighter and more efficient.

   

2.4 How to determine whether a user's behavior is anomalous by matching the HMM?

 

    Since our HMM is modified considerably from the original model, the matching criterion is not simply to calculate the probability of the observation sequence given the model.

 

    We compute a suspicious score for the matching process. The critical states, i.e., the initial state and the user-to-root state, have a higher weight factor, while the other states have a lighter weight. Each state has its own suspicious score, computed by summing the score of the difference between each parameter and its observed value.

 

    Then we compare the user's suspicious score with a threshold. The threshold is the trade-off between false alarm rate and detection completeness.

 

    Now we give the suspicious score formula of a matching process in detail. In probability terms, every parameter in the HMM is a random variable. We treat all parameters as Gaussian distributed, such as state duration time, number of hot actions, overall command count, etc. This is a reasonable and simple way. So in the HMM each parameter in a state has its own expectation and variance.

 

    Let  be the suspicious score of an HMM model. The model has  states, the user's behavior has been recorded in audit data. After preprocessing, the user's action sequence is divided into  parts, corresponding that he has  state transition.

 

    The formula of suspicious score is:

 : the probability of state transition from  state  to state .

: the weight factor of state  ( the user-to-root state and initial state have larger ).

: the suspicious score of state  comparing with the kth observed state.

 

    For example, if a user's observed action sequence is , then the  is:

,  is the suspicious score obtained by comparing state 2 with two different parts in user's action sequence.

 

    Suppose there are  parameters in state , each parameter  has expectation  and variance , the observed value of parameter is , then  can be calculated as:

Where  is the weight factor of parameter .

 

    The weight factor  and  can be set by system manager and be modified from training.
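    The following is an added example, not code from the original report: a small runnable sketch of the method of sections 2.2 to 2.4 in Python. It partitions a command sequence into states with a command-count window, trains transition probabilities by counting and a Gaussian (mean, variance) per feature per state, and computes a suspicious score as a weighted sum of squared z-scores plus a penalty for each transition. The command-type table, the window size of 5, the feature definitions, the state weight for the user-to-root state and the exact scoring rule are all assumptions made for illustration (the report's own formula is not reproduced on this page), and the training and test sessions are constructed, not real audit data.

```python
"""Sketch of the user-behaviour HMM of sections 2.2 to 2.4 (added example).
The command-type table, window size, per-state features, state weights and
the scoring rule are assumptions made for illustration, not the page's
formula."""
import math
from collections import Counter, defaultdict
from statistics import mean, pvariance

# Assumed mapping from command name to an abstract command type (a state).
CMD_TYPE = {"vi": "edit", "emacs": "edit", "gcc": "build", "make": "build",
            "gdb": "build", "lynx": "web", "mail": "mail", "ls": "file",
            "cp": "file", "mv": "file", "rm": "file", "cat": "file",
            "su": "priv", "sudo": "priv"}
HOT_PREFIXES = ("/etc", "/usr", "/bin", "/sbin")   # "hot actions" (assumed)
ACL_FILES = ("/etc/passwd", ".rhosts")              # access-control files
STATE_WEIGHT = {"priv": 3.0}     # user-to-root state weighs more (assumed)
WINDOW = 5                       # commands-number window (assumed)
UNSEEN = 1e-3                    # probability floor for an untrained transition

def cmd_type(cmd):
    return CMD_TYPE.get(cmd.split()[0], "other")

def partition(commands, window=WINDOW):
    """Split a command sequence into (state, segment) pairs: a new state starts
    when the dominant type in the last `window` commands changes (2.2, item 3)."""
    segments, state, seg = [], None, []
    for i, cmd in enumerate(commands):
        recent = commands[max(0, i - window + 1):i + 1]
        dominant = Counter(map(cmd_type, recent)).most_common(1)[0][0]
        if dominant != state:
            if seg:
                segments.append((state, seg))
            state, seg = dominant, []
        seg.append(cmd)
    if seg:
        segments.append((state, seg))
    return segments

def features(segment):
    """Parameters recorded per state for one segment (2.2, item 4)."""
    args = [a for c in segment for a in c.split()[1:]]
    return {"n_cmds": len(segment),
            "hot": sum(cmd_type(c) == "priv" for c in segment)
                   + sum(a.startswith(HOT_PREFIXES) for a in args),
            "acl": sum(a.endswith(ACL_FILES) for a in args)}

def train(sessions):
    """States are observable after partitioning (2.3), so transitions are
    estimated by counting; each feature gets a per-state Gaussian (mean,
    variance), with the variance floored at 1 to avoid division by zero."""
    trans, obs = defaultdict(Counter), defaultdict(lambda: defaultdict(list))
    for commands in sessions:
        prev = "login"                              # the initial state
        for state, seg in partition(commands):
            trans[prev][state] += 1
            for name, value in features(seg).items():
                obs[state][name].append(value)
            prev = state
    return {"trans": {s: {t: n / sum(c.values()) for t, n in c.items()}
                      for s, c in trans.items()},
            "states": {s: {n: (mean(v), max(pvariance(v), 1.0))
                           for n, v in f.items()} for s, f in obs.items()}}

def suspicious_score(model, commands):
    """-log p of each transition plus, per visited state, the weighted sum of
    squared z-scores of its features; a state never trained costs w * 10."""
    score, prev = 0.0, "login"
    for state, seg in partition(commands):
        score -= math.log(model["trans"].get(prev, {}).get(state, UNSEEN))
        w, params = STATE_WEIGHT.get(state, 1.0), model["states"].get(state)
        if params is None:
            score += w * 10.0
        else:
            for name, value in features(seg).items():
                mu, var = params[name]
                score += w * (value - mu) ** 2 / var
        prev = state
    return score

# Constructed sessions for one developer account (not real audit data).
TRAINING = [
    ["vi main.c", "vi util.c", "gcc main.c", "make", "gdb a.out", "ls",
     "cp a.out bin/", "rm core"],
    ["vi main.c", "make", "make", "gdb a.out", "vi main.c", "make", "ls",
     "cat out.txt"],
    ["vi notes.txt", "vi main.c", "gcc main.c", "make", "ls", "ls bin",
     "mv a.out bin/"],
]
NORMAL = ["vi main.c", "vi util.c", "make", "make", "gdb a.out", "ls", "rm core"]
INTRUDER = ["su", "sudo ls /etc", "cat /etc/passwd", "cat .rhosts",
            "cp /etc/passwd /tmp"]

if __name__ == "__main__":
    model = train(TRAINING)
    for label, session in (("normal", NORMAL), ("intruder", INTRUDER)):
        print(label, round(suspicious_score(model, session), 2))
```

    With these sessions the normal test session scores well under 1 while the intruder session scores above 30, almost all of it from the never-trained user-to-root state and the two untrained transitions into and out of it. Note the lag the windowed partition introduces: a state change is only recognized once the new command type dominates the window, so the first commands of a new activity are attributed to the previous state.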

 

 

 

3. Using a Hidden Markov Model for intrusion detection on SIAC log data

 

 

3.1 Background:  SIAC log data description.

 

The SIAC log data contains two parts, a normal part and an abnormal part. The abnormal part contains some kinds of intrusion attempts, and our mission is to find out where these intrusion attempts are in it. The normal part can be used as training data. Both are one-day log data from the SIAC company.

 

In the SIAC log data each line is a log event, and one connection (such as an http connection) can consist of one to several log events. Most of these connections are http connections; the others are ftp, smap, sendmail, etc. Different connection types have very different logged information.

 

The following table summarizes the number of log events of each connection type in the log data:

 

Connection type         Normal log data   Abnormal log data
http-gw                 2026074           596611
tn-gw                   348               100
smap                    244               184
sendmail                162               38
ftp-gw                  102               34
smapd                   43                28
vmunix                  152               0
syslog                  75                0
last message repeated   0                 2
UDP scanned by ISS      0                 10

Table 1. SIAC log data information (log events per connection type)

 

 

3.2 Procedure for using HMM on the SIAC log data

 

First, we must do a lot of work preprocessing the SIAC source log data. To use an HMM for classification, the preprocessed data should contain attributes common to all connections, such as the timestamp, the connection type, the connection duration, success or failure, etc. Unfortunately this is not feasible, and we have to ignore the non-http connection data, for the following reasons:

 

(1). The logged information of non-http connections is totally different from that of http connections, and we cannot find any common attribute except the connection timestamp and duration. If we want to consider any other information in http connections, we have to ignore the non-http connections.

(2). An HMM is a statistical model. Here more than 99.8% of the SIAC data are http connections, while all other connection types together occupy less than 0.2%. So the non-http connections are such rare events that they would not be captured by any statistical model if we combined them with the huge number of http connections.

(3). From Table 1, the non-http connection types have fewer than 100 to 400 events each, which is not enough for statistical analysis (e.g., for the "UDP scanned by ISS" event, can we say that all 10 occurrences in the abnormal data are intrusions?).

 

Second, after erasing all non-http connections, we extract 7 common attributes of each http connection. They are:

 

·         Timestamp of each connection

·         Connection duration

·         Real data bytes that come in

·         Real data bytes that go out

·         Normal http or Secure Socket Layer (SSL) http

·         Connection permitted, denied or failed

·         User is a normal user or unauthorized

 

The first four attributes are continuous variables, while the last three are logical (categorical) variables.

 

We did not include the web server IP addresses in our data for two reasons: first, the addresses in our data appear sometimes in numeric form and sometimes as host names, and it is very difficult to convert between the two; second, the number of distinct web addresses is so huge that it is too large for the HMM processing that follows.

 

Third, to use an HMM we must do Vector Quantization (VQ) on the above sequence of http connection attribute vectors. Here the VQ method has a problem. The last three attributes are logical variables, so they only need 2 to 3 codebook indices, while the first four are continuous variables with values from 0 to 1e6, so their VQ codebook must be very large. Since we use a single HMM to model normal behavior, all attributes must share the same codebook domain.

 

Fourth, use the normal http connection vector sequence to train the HMM. The data is a multidimensional vector sequence, so we use the method of reference [2] (as in my term paper of last semester).

 

Last, we use the trained HMM to process the abnormal part of the SIAC data. We cut the abnormal data into equal-length segments, each containing 10 http connections. Then we use the trained HMM to parse each segment and obtain the probability that the segment was generated by the normal-behavior HMM. If the probability is lower than a threshold, we say that this segment contains abnormal connections, i.e., we have found where the intrusions are.
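The following is an added example, not code from the original report: the preprocessing and scoring steps of this section in Python, run over http-gw log events written in the layout of Appendix B. It groups events by process id into connections, extracts the seven attributes (the hour of day stands in for the timestamp), quantizes them, cuts the sequence into segments of 10 connections, and scores each segment with the forward algorithm of a two-state HMM, flagging segments whose per-connection log-likelihood falls below a threshold. The log lines are constructed, not SIAC data; the codebooks, the HMM parameters and the threshold of -4.5 are assumptions. The example deliberately departs from the report's single joint codebook: each attribute gets its own small codebook and a state emits the seven codes independently, so attributes with very different numeric ranges never have to share one VQ domain.

```python
"""Section 3.2 pipeline over http-gw events in the Appendix B layout (added
example). Codebooks, HMM parameters and threshold are assumptions; each
attribute has its own codebook and states emit the seven codes independently."""
import math
import re

LINE = re.compile(r"^\w{3}\s+\d+ (\d\d):\d\d:\d\d \S+ http-gw\[(\d+)\]: (.*)$")
KV = re.compile(r"(\w+)=(\S+)")
OUTCOMES = ("permitted", "denied", "failed")
ATTRS = ("hour", "duration", "bytes_in", "bytes_out", "ssl", "outcome", "unauth")

def parse_connections(lines):
    """Group http-gw events by process id into connections carrying the seven
    attributes of section 3.2. Lines from other gateways are skipped."""
    conns = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        hour, pid, msg = m.groups()
        c = conns.setdefault(pid, dict(hour=int(hour), duration=0, bytes_in=0,
                                       bytes_out=0, ssl=0, outcome="permitted",
                                       unauth=0))
        if "ssl proxy" in msg or "port=443" in msg:
            c["ssl"] = 1
        if msg.startswith("deny "):
            c["outcome"] = "denied"
        elif msg.startswith("failed to connect") and c["outcome"] == "permitted":
            c["outcome"] = "failed"
        elif msg.startswith("exit "):
            kv = dict(KV.findall(msg))
            c["duration"], c["bytes_in"], c["bytes_out"] = (
                int(kv.get(k, 0)) for k in ("duration", "in", "out"))
            c["unauth"] = int(kv.get("user") == "unauth")
    return list(conns.values())          # dict preserves log order

def log_bin(x, top=3):
    """Decade bin 0..top: 0, 1-9, 10-99, 100-999, then everything above."""
    return min(int(math.log10(x + 1)), top)

def quantize(c):
    """Seven small codes, one per attribute, instead of one joint codebook."""
    return (c["hour"] // 6, log_bin(c["duration"]), log_bin(c["bytes_in"]),
            log_bin(c["bytes_out"]), c["ssl"], OUTCOMES.index(c["outcome"]),
            c["unauth"])

# Assumed two-state model: state 0 ordinary browsing, state 1 odd traffic
# (off-hours, empty, denied or failed). B[state][attr][code] = P(code | state).
PI = [0.95, 0.05]
A = [[0.9, 0.1], [0.5, 0.5]]
B = [dict(hour=[0.1, 0.1, 0.6, 0.2], duration=[0.5, 0.4, 0.08, 0.02],
          bytes_in=[0.2, 0.1, 0.2, 0.5], bytes_out=[0.5, 0.1, 0.3, 0.1],
          ssl=[0.8, 0.2], outcome=[0.96, 0.02, 0.02], unauth=[0.3, 0.7]),
     dict(hour=[0.3, 0.3, 0.2, 0.2], duration=[0.5, 0.3, 0.1, 0.1],
          bytes_in=[0.5, 0.2, 0.2, 0.1], bytes_out=[0.5, 0.2, 0.2, 0.1],
          ssl=[0.5, 0.5], outcome=[0.2, 0.4, 0.4], unauth=[0.2, 0.8])]

def logsumexp(xs):
    xs = list(xs)
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))

def log_emit(s, code):
    return sum(math.log(B[s][a][v]) for a, v in zip(ATTRS, code))

def log_likelihood(codes):
    """Forward algorithm in log space: log P(code sequence | PI, A, B)."""
    states = range(len(PI))
    alpha = [math.log(PI[s]) + log_emit(s, codes[0]) for s in states]
    for code in codes[1:]:
        alpha = [logsumexp(alpha[t] + math.log(A[t][s]) for t in states)
                 + log_emit(s, code) for s in states]
    return logsumexp(alpha)

def flag_segments(conns, seg_len=10, threshold=-4.5):
    """Cut the sequence into fixed-length segments; a segment whose average
    per-connection log-likelihood is below the threshold is reported as
    containing abnormal connections (the page's last step)."""
    report = []
    for i in range(0, len(conns), seg_len):
        codes = [quantize(c) for c in conns[i:i + seg_len]]
        avg = log_likelihood(codes) / len(codes)
        report.append((i, round(avg, 3), avg < threshold))
    return report

def events(pid, hour, dest, bytes_in, bytes_out, duration, denied=False):
    """Constructed http-gw events in the Appendix B layout (not real log data)."""
    host = "nodnsquery/162.69.5.7"
    t = f"May  4 {hour:02d}:00:00 pub http-gw[{pid}]: "
    head = ([t + f"deny host={host} connect to {dest}:80"] if denied else
            [t + f"permit host={host} use of proxy",
             t + f"connecting to host {dest} port 80"])
    return head + [t + f"exit host={host} cmds=1 in={bytes_in} out={bytes_out} "
                   f"user=unauth duration={duration}"]

# Ten daytime connections, then ten empty off-hours denied ones.
LOG = [l for n in range(10)
       for l in events(28000 + n, 12 + n % 6, "catalog.entrypoint.com", 3003, 0, 1)]
LOG += [l for n in range(10)
        for l in events(29000 + n, 3, "wwww.yahoo.com", 0, 0, 0, denied=True)]

if __name__ == "__main__":
    for start, avg, flagged in flag_segments(parse_connections(LOG)):
        print(f"segment from connection {start}: avg log-lik {avg}, abnormal={flagged}")
```

The first segment scores about -3.3 per connection and passes; the second scores about -6.0 and is flagged. The threshold is the same trade-off the report describes: raising it toward -3.3 catches segments with fewer odd connections but starts flagging ordinary ones, for example a run of SSL connections, which score lower under state 0 than plain ones. The per-attribute emission tables also sidestep the vector quantization problem of section 4 (2), since no joint codebook has to span both byte counts and yes/no flags.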

 

 

4. Why did HMM fail at anomaly detection on the SIAC log data?

 

(1). In preprocessing, too much information has been ignored.

 

The SIAC data contains mainly two parts, http connections and non-http connections. In the normal data the http connections account for 651393 connections, while the non-http connections account for only 1328 items, less than 0.2%. So the non-http connections cannot be included in the data processing, because they are too rare for statistical approximation.

 

But the most likely place for an intrusion is in the non-http connections; it seems unlikely to be in the http connections. So dealing only with the http data is not the right way.

 

Second, when dealing with the http connections, too much information has been ignored. Because we must find attributes common to all http connections, the IP addresses and the proxy IP addresses have all been ignored. The connection details of SSL http connections are very complicated and were ignored entirely. Such a coarse pre-filter is not the right way, but I have no other method to deal with it.

 

(2). Problem of HMM: how to deal with items that are not comparable in a vector sequence?

 

The preprocessed SIAC http connection data is a vector sequence, but different items in it have totally different numerical domains. The last three attributes take values 1/2/3, while the first four all vary from 0 to 10e6.

 

But if I use the same method as reference [2] (my term paper's method), the vector items must be vector quantized into the same domain. Since the items in the vector have totally different domains, this is not a suitable VQ method.

 

(3). Classification vs. intrusion detection.

 

Originally we used the HMM to do classification, that is, to decide which one of several systems a whole data sample belongs to. That means the whole sample was generated by one system, so the whole sample always carries the characteristics of that system. We classify by investigating the whole sample path, which has enough statistical information for us to use.

 

But here we need to classify into two classes (normal or abnormal) by dealing with just one abnormal SIAC data set. That is, this sample contains data of both classes, and we need to find out which segments belong to one class and which to the other. So we must decide by investigating only a small data segment, which may not contain rich statistical information about a class, and thus we will make many false decisions.

 

(4). Problems of statistical anomaly intrusion detection.

 

Statistical anomaly intrusion detection is based on statistical analysis, which needs a large amount of sample data. This means two things. First, we need statistically sufficient normal behavior data for training, which is sometimes very difficult to obtain. Second, to find whether there are intrusions in a segment of test data, the segment must also be large enough for statistical analysis; otherwise there will not be enough statistical information in the test segment to get rid of stochastic error.

 

On the other hand, if we make the test segment long enough for statistical analysis, we may only be able to determine whether there are abnormal behaviors somewhere in this large segment, but not where they are inside it or what kind of intrusion it is. The workload left for a rule-based intrusion detection system or for human experts will be very large, because no other guideline is provided for them.

 

A large false alarm rate is another problem for anomaly intrusion detection. First, normal behaviors vary a lot, except for some specific regular services; second, the normal training data may not contain all the statistical information about all normal behaviors; third, the test data segment may not be long enough for statistical analysis.

 

Another problem is the log data itself. If it does not contain enough information to make any difference between normal and abnormal behavior, there is no way to find intrusions. Of course this is a common problem for any kind of data analysis.

 

 

 

 

References

 

[1]. L.R. Rabiner. A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition. Proc. IEEE, vol. 77, no. 2, 1989.

[2]. M.C. Nechyba, Y. Xu. Stochastic Similarity for Validating Human Control Strategy Models.

[3]. A.K. Ghosh, et al. Learning Program Behavior Profiles for Intrusion Detection, Proceedings of Workshop on Intrusion Detection and Networking Monitoring, USENIX association 1999.

[4]. A. Kundu, G. C. Chen and C. E. Persons. Transient Sonar Signal Classification Using Hidden Markov Models and Neural Nets. IEEE Journal of Oceanic Engineering, 19(1):87-99, 1994.

[5]. G. Radons, J. D. Becker, B. Dulfer and J. Kruger. Analysis, Classification and Coding of Multielectrode Spike Trains with Hidden Markov Models. Biological Cybernetics, 71(4):359-373,1994.

[6]. B. Hannaford, P. Lee. Hidden Markov Model Analysis of Force/Torque Information in Telemanipulation. Int. Journal of Robotics Research, 10(5): 528-539, 1991.

[7]. J. Yamato, S. Kurakakae, A. Tomono, K. Ishii. Human Action Recognition Using HMM with Category Separated Vector Quantization, Trans. Institute of Electronics, Information, and Communication Engineers D-II, J77D-II(7): 1311-1318,1994.

 

 

 

 


Appendix A:                    some results from the DARPA 99 intrusion detection evaluation

 


        [Fig. 1, Fig. 2 and Fig. 3: result plots from the DARPA 99 evaluation; the images are not reproduced here.]

 

Fig. 1: RST Elman neural networks [3].

Fig. 2: UCSB USTAT

Fig. 3: George Mason audit data analysis and mining

 

From the figures above we can see that the RST Elman network, which uses a BP neural network for anomaly detection, has far too many false alarms: 4627 for only 23 real attacks. This shows that their method has failed.

 

Fig. 3 has 16 false alarms for 102 real attacks, but the detection rate is low, only 42%. Fig. 2 seems very good: high detection rate with

 

Fig. 1 is anomaly detection; the other two are rule-based IDSs.

 

 

 

Appendix B:             Sample of SIAC log data

 

1. Two normal http connections:

May  4 04:23:34 pub http-gw[28660]: permit host=nodnsquery/162.69.5.7 use of proxy
May  4 04:23:34 pub http-gw[28660]: connecting to host catalog.entrypoint.com port 80
May  4 04:23:35 pub http-gw[28660]: exit host=nodnsquery/162.69.5.7 cmds=1 in=3003 out=0 user=unauth duration=1

-----------------------------------------------

May  4 12:34:34 pub http-gw[28400]: deny host=nodnsquery/162.69.5.7 connect to wwww.yahoo.com:80
May  4 12:34:34 pub http-gw[28400]: failed to connect to http server wwww.yahoo.com (80) reason: hostname unknown
May  4 12:34:34 pub http-gw[28400]: exit host=nodnsquery/162.69.5.7 cmds=1 in=0 out=0 user=unauth duration=0

 

2. One Secure Socket Layer (SSL) HTTP connection:

May  4 15:17:53 pub http-gw[27010]: permit host=nodnsquery/162.69.5.7 use of ssl proxy
May  4 15:17:53 pub http-gw[27010]: permit host=nodnsquery/162.69.5.7 destination=psw.fidelity.com/4.18.81.143 port=443
May  4 15:17:53 pub http-gw[27010]: permit host=nodnsquery/162.69.5.7 destination=psw.fidelity.com port=443
May  4 15:17:53 pub http-gw[27010]: connecting to host psw.fidelity.com port 443
May  4 15:17:53 pub http-gw[27010]: connection to host psw.fidelity.com successful
May  4 15:17:55 pub http-gw[27010]: exit host=nodnsquery/162.69.5.7 cmds=1 in=5575 out=558 user=unauth duration=2

 

3. Other types of connections (very rare, 0.2%):

May  4 15:31:03 pub ftp-gw[16824]: authenticate user=cdattilo
May  4 15:31:04 pub ftp-gw[16824]: permit host=nodnsquery/162.69.4.146 connect to ftpprod.intdata.com
May  4 15:31:42 pub ftp-gw[16824]: exit host=nodnsquery/162.69.4.146 cmds=10 in=879544 out=0 user=cdattilo duration=40

------------------------------------------------

May  4 15:28:57 pub smap[13298]: Force an ip --> name lookup
May  4 15:28:57 pub smap[13298]: connect host=unknown/162.69.4.142
May  4 15:28:57 pub smap[13298]: relay logging is ON
May  4 15:28:57 pub smap[13298]: nuisance logging is ON
May  4 15:28:57 pub smap[13298]: DoSrc'spam'Chk: don't perform domain matching
May  4 15:28:57 pub smap[13298]: connection OK unknown/162.69.4.142 passed nuisance check

-------------------------------------------------

May  4 15:37:27 pub smapd[26892]: message-id Message-ID: <E09E0881FDA1D31190D900508B7141A101BD80@BAMBINO>
May  4 15:37:27 pub smapd[26891]: message-id Message-ID: <852568D5.0069D318.00@SIAC_NOTES_001.wisdom.siac.com>
May  4 15:37:27 pub smapd[26891]: delivered file=sma025489 pid=26896 code=0
May  4 15:37:27 pub smapd[26892]: delivered file=sma026854 pid=26893 code=0

-------------------------------------------------

May  4 16:53:04 162.69.78.75 UDP Scan by ISS (514)
May  4 16:53:11 162.69.78.75 UDP Scan by ISS (5)
May  4 16:53:16 162.69.78.75 UDP Scan by ISS (5)

-------------------------------------------------

May  4 08:08:41 pub tn-gw[21986]: authenticate user=sviverit
May  4 08:08:47 pub tn-gw[21986]: permit host=nodnsquery/162.69.5.54 destination=127.0.0.1 port=23
May  4 08:08:49 pub tn-gw[21986]: connected host=nodnsquery/162.69.5.54 destination=localhost port=23
May  4 08:09:27 pub tn-gw[21986]: exit host=nodnsquery/162.69.5.54 dest=localhost in=16305 out=106 user=sviverit duration=50

-------------------------------------------------

May  4 15:37:27 pub sendmail[26896]: PAA26896: from=<owner-linux-390@VM.MARIST.EDU>, size=2159, class=0, pri=32159, nrcpts=1, msgid=<852568D5.0069D318.00@SIAC_NOTES_001.wisdom.siac.com>, relay=uucp@localhost

-------------------------------------------------

May  4 16:41:34 pub netacl-ssh[10877]: deny host=nodnsquery/162.69.78.75 service=netacl-ssh
May  4 16:41:35 pub ssl-gw[10881]: deny host=nodnsquery/162.69.78.75 service=443
May  4 16:45:31 pub cyber[362]: Cyberdaemon CYBER_BLOCKED  some dir at this IP listen.to
May  4 16:47:28 pub last message repeated 7 times
May  4 16:49:24 pub pcxdpp[548]: DEBUG: no opcode