A method to automatically filter log evidences for intrusion forensics

Jian Zhang, Xiao Fu, Xiaojiang Du, Bin Luo, Zhihong Zhao

Research output: Contribution to conference › Paper › peer-review

Abstract

An important data source for intrusion forensics is the various types of logs from the systems and networks under investigation. However, using these logs for forensic analysis still raises many problems. Firstly, with the development of computers and the Internet, intrusion behaviors involve more types and larger quantities of logs, and this massive, complex log evidence overwhelms forensic analysts. Secondly, among the large number of logs that investigators must analyze, the data related to criminal behavior accounts for only a very small proportion; most of the remaining data are useless records produced by normal behavior. The large amount of forensic data and the high proportion of useless records make it very difficult to investigate and collect evidence. In addition, criminal behavior submerged in a large volume of useless records is easily overlooked. This paper introduces a new method for reducing the set of candidate log evidence for intrusion forensics. Its main idea is to extract key attribute fields as features of log records and to assign a score to each log record. This score indicates the degree of redundancy of the record: the greater the score, the more likely the record is redundant. Our experiments on Darpa2000 and Snort real-world data show that this method significantly reduces the interference caused by useless data in forensic analysis: it removes 57% and 82% of the useless data in Darpa2000 and the Snort real-world data, respectively.
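An added illustration of the scoring idea described in the abstract, not code from the paper: it assumes a simplified Snort fast-alert line format, assumes the key attribute fields are signature id, protocol, source host and destination host, and assumes a frequency-based redundancy score (the paper's own scoring function is not given on this page); the sample alerts are constructed.

```python
import re
from collections import Counter

# Constructed, simplified Snort fast-alert style lines (not the paper's data).
# Six near-identical "id check" alerts dominate; the rarer records are kept.
SAMPLE_ALERTS = [
    f"07/08-10:00:0{i} [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    f"[**] {{TCP}} 10.0.0.5:80 -> 10.0.0.9:5100{i}" for i in range(6)
] + [
    "07/08-10:00:06 [**] [1:1000001:1] CONSTRUCTED ssh login burst [**] {TCP} 10.0.0.7:40001 -> 10.0.0.9:22",
    "07/08-10:00:07 [**] [1:1000001:1] CONSTRUCTED ssh login burst [**] {TCP} 10.0.0.7:40002 -> 10.0.0.9:22",
    "07/08-10:00:08 [**] [1:1000002:1] CONSTRUCTED dns to rare resolver [**] {UDP} 10.0.0.9:5353 -> 198.51.100.53:53",
    "07/08-10:00:09 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] {TCP} 10.0.0.5:80 -> 10.0.0.12:51010",
]

ALERT_RE = re.compile(r"\[\*\*\] \[(?P<sid>[\d:]+)\] .+? \[\*\*\] \{(?P<proto>\w+)\} "
                      r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")

def extract_features(line):
    """Assumed key attribute fields: signature id, protocol, source host and
    destination host. Ports are dropped so repeats of one event group together."""
    m = ALERT_RE.search(line)
    return (m["sid"], m["proto"], m["src"], m["dst"]) if m else None

def score_records(lines):
    """Redundancy score in [0, 1] per record: the share of parseable records
    that carry the same feature tuple. Higher means more likely redundant."""
    feats = [extract_features(line) for line in lines]
    counts = Counter(f for f in feats if f is not None)
    total = sum(counts.values())
    return [(line, f, counts[f] / total if f else 0.0) for line, f in zip(lines, feats)]

def reduce_log(lines, threshold=0.3):
    """Collapse each group scoring >= threshold to its first occurrence (tagged
    with the number it stands for). Low-score and unparseable records are kept
    untouched, so rare events and odd lines are never silently dropped."""
    kept, first = [], {}
    for line, feat, score in score_records(lines):
        if feat is None or score < threshold:
            kept.append(line)
        elif feat not in first:
            first[feat] = [len(kept), 1]
            kept.append(line)
        else:
            first[feat][1] += 1
    for idx, n in first.values():
        if n > 1:
            kept[idx] += f"  [x{n} collapsed]"
    return kept
```

Keeping one representative per collapsed group (with its count) preserves the fact that the event occurred, which matters when the reduced set is later used as evidence.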

Original language: English
Pages: 39-44
Number of pages: 6
DOIs
State: Published - 2013
Event: 33rd IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW 2013 - Philadelphia, PA, United States
Duration: 8 Jul 2013 to 11 Jul 2013

Conference

Conference: 33rd IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW 2013
Country/Territory: United States
City: Philadelphia, PA
Period: 8/07/13 to 11/07/13

Keywords

  • Darpa2000
  • Snort real-world data
  • intrusion forensics
  • log evidences
