automatic event log abstraction to support forensic
play

Automatic Event Log Abstraction to Support Forensic Investigation - PowerPoint PPT Presentation

Oct 14, 2022 •113 likes •341 views

Automatic Event Log Abstraction to Support Forensic Investigation Hudan Studiawan, Ferdous Sohel, Christian Payne College of Science, Health, Engineering and Education Murdoch University, Perth, Australia The Australasian Information Security

  1. Automatic Event Log Abstraction to Support Forensic Investigation Hudan Studiawan, Ferdous Sohel, Christian Payne College of Science, Health, Engineering and Education Murdoch University, Perth, Australia The Australasian Information Security Conference (AISC 2020) Swinburne University of Technology, Melbourne, Victoria, Australia

  2. CORE Student Travel Award We acknowledge that we have received a CORE Student Travel Award. 2

  3. Outline • Introduction • Existing Methods • The Proposed Method • Event Log Preprocessing • Grouping based on Word Count • Graph Model for Log Messages • Grouping with Automatic Graph Clustering • Extraction of Event Log Abstraction • Experimental Results • Conclusion and Future Work 3

  4. Introduction • Abstraction of event logs is the creation of a template that contains the most common words representing all members in a group of event log entries • Abstraction helps the forensic investigators to obtain an overall view of the main events in a log file I n p u t l o g fj l e : a u t h . l o g O u t p u t a b s t r a c t i o n s : # 1 M a r * * n s s a l * r e m o v i n g r e m o v a b l e l o c a t i o n : * # 2 M a r 8 * n s s a l * I n v a l i d u s e r * f r o m * # 3 M a r 8 * n s s a l * F a i l e d p a s s w o r d f o r * f r o m * p o r t * s s h 2 … 4

  5. Existing Methods Existing log abstraction methods require user input parameters. It is time consuming due to the need to identify the best parameters. • SLCT (Vaarandi, 2003): one mandatory parameter and 14 optionals • LogCluster (Vaarandi and Pihelgas, 2015): one mandatory parameter 26 optionals • IPLoM (Makanju et al., 2012): five mandatory parameters • LogSig (Tang et al., 2011): one mandatory parameter • Drain (He et al., 2017): three mandatory parameters • Model training (Thaler et al., 2017) 5

  6. The Proposed Method R a w e v e n t l o g s A u t o m a t i c l o g p r e p r o c e s s i n g G r o u p i n g b a s e d o n w o r d c o u n t R e fj n e g r o u p i n g w i t h a u t o m a t i c g r a p h c l u s t e r i n g G e t t h e e v e n t l o g a b s t r a c t i o n p e r c l u s t e r 6

  7. Event Log Preprocessing • We parse the log files using the nerlogparser, a log parsing tool based on named entity recognition • It supports fully automatic parsing because it provides a pre-trained model • We then extract unique messages from the log entries I n p u t : J a n 1 8 0 9 : 3 1 : 3 2 v i c t o r i a d h c l i e n t : D H C P A C K f r o m 1 0 . 0 . 2 . 2 P r o c e s s : a u t o m a t i c p a r s i n g w i t h t h e n e r l o g p a r s e r t o o l O u t p u t : t i m e s t a m p : J a n 1 8 0 9 : 3 1 : 3 2 h o s t n a m e : v i c t o r i a s e r v i c e : d h c l i e n t m e s s a g e : D H C P A C K f r o m 1 0 . 0 . 2 . 2 7

  8. Grouping based on Word Count • We split the discovered unique messages based on space character then count the word length • An abstraction is extracted from the always-occurring word in a group of log entries having the same length C l u s t e r # 1 : J a n 1 8 0 9 : 3 1 : 3 2 v i c t o r i a d h c l i e n t : D H C P A C K f r o m 1 0 . 0 . 2 . 2 J a n 1 8 1 0 : 5 6 : 4 0 v i c t o r i a d h c l i e n t : D H C P A C K f r o m 1 0 . 0 . 2 . 2 F e b 6 1 3 : 3 1 : 1 2 v i c t o r i a d h c l i e n t : D H C P A C K f r o m 1 0 . 0 . 2 . 5 A b s t r a c t i o n # 1 : * * * v i c t o r i a d h c l i e n t : D H C P A C K f r o m * C l u s t e r # 2 : F e b 6 1 2 : 5 6 : 4 8 v i c t o r i a i n i t : S w i t c h i n g t o r u n l e v e l : 0 J a n 1 8 1 7 : 1 3 : 4 9 v i c t o r i a i n i t : S w i t c h i n g t o r u n l e v e l : 6 F e b 6 1 3 : 0 3 : 5 3 v i c t o r i a i n i t : S w i t c h i n g t o r u n l e v e l : 6 A b s t r a c t i o n # 2 : * * * v i c t o r i a i n i t : S w i t c h i n g t o r u n l e v e l : * 8

  9. Graph Model for Log Messages The log entries have very diverse vocabularies, so we need to refine discovered groups based on the string similarity • We use an automatic graph-based clustering • Vertex: a unique message, edge: the weighted Hamming similarity S e n d i n g o n S o c k e t / f a l l b a c k D H C P A C K f r o m 1 0 . 0 . 2 . 2 0 . 8 3 0 . 8 3 D H C P A C K f r o m 1 0 . 0 . 2 . 5 0 . 8 3 D H C P A C K f r o m 1 9 2 . 1 6 8 . 5 6 . 1 0 0 9

  10. Grouping with Automatic Graph Clustering 10

  11. Building Micro-clusters 11

  12. Extraction of Abstraction: Merging Abstractions • We extract an abstraction from each micro-cluster • Merging is needed because an abstraction from each micro-cluster has a possibility to be very similar with others • We find pair combinations ( A i , A j ) from all abstractions to be compared. • Two abstractions A i and A j will continue to be checked for merging if there is a weighted Hamming similarity between them. 12

  13. Example of Merging Abstractions E x a m p l e 1 : A b s t r a c t i o n # 1 : I n v a l i d u s e r * f r o m * A b s t r a c t i o n # 2 : I n v a l i d u s e r a d m i n f r o m * E x a m p l e 2 : A b s t r a c t i o n # 1 : I n v a l i d u s e r * f r o m 2 0 0 . 2 7 . 1 4 8 . 4 5 A b s t r a c t i o n # 2 : I n v a l i d u s e r * f r o m * 13

  14. Extraction of Abstraction: Final Abstractions • In all previous steps, we consider only the message field in a log entry. • In the final step, we consider all other fields such as timestamp, host name, and service name. C l u s t e r # 1 : J a n 1 8 0 9 : 3 1 : 3 2 v i c t o r i a d h c l i e n t : D H C P A C K f r o m 1 0 . 0 . 2 . 2 J a n 1 8 1 0 : 5 6 : 4 0 v i c t o r i a d h c l i e n t : D H C P A C K f r o m 1 0 . 0 . 2 . 2 F e b 6 1 3 : 3 1 : 1 2 v i c t o r i a d h c l i e n t : D H C P A C K f r o m 1 0 . 0 . 2 . 5 A b s t r a c t i o n # 1 : * * * v i c t o r i a d h c l i e n t : D H C P A C K f r o m * C l u s t e r # 2 : F e b 6 1 2 : 5 6 : 4 8 v i c t o r i a i n i t : S w i t c h i n g t o r u n l e v e l : 0 J a n 1 8 1 7 : 1 3 : 4 9 v i c t o r i a i n i t : S w i t c h i n g t o r u n l e v e l : 6 F e b 6 1 3 : 0 3 : 5 3 v i c t o r i a i n i t : S w i t c h i n g t o r u n l e v e l : 6 A b s t r a c t i o n # 2 : * * * v i c t o r i a i n i t : S w i t c h i n g t o r u n l e v e l : * 14

  15. Experimental Results: Datasets • For all datasets except DFRWS 2016, we recovered the directory /var/log/ from the forensic disk images • We retrieved some common log files such as authentication logs, kernel logs, and system logs 15

  16. Parameter Settings 16

  17. Comparison of Performance • IPLoM shows a good performance because the bijective relationship in a group of log entries can accurately capture the most frequently occurring words • LogSig’ clustering is performed based on a local search algorithm and can lead to local optima. Therefore, it cannot cluster log messages precisely 17

  18. Comparison of Performance • Drain performs well because it considers the first few words in a log entry as contributing most significantly to its abstraction. These words are used to construct a fixed-depth tree. • LogMine performs over-clustering for all datasets because the clustering process is conducted incrementally. If a log entry similarity with an existing cluster representation is less than the given threshold, it will be grouped with that particular cluster. • Spell employs the longest common subsequence (LCS) technique to obtain the abstractions. LCS cannot capture any potential abstraction that has separate substrings. 18

  19. Over-clustering vs Under-clustering • The most important procedure in discovering event log abstractions is the clustering step • If the clustering is performed well, then good abstractions will be produced • We need to get the best cluster composition from event logs 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric Evidence in Forensic Automatic Speaker Recognition Dr. Andrzej Drygajlo Speech Processing and Biometrics Group Swiss Federal Institute of Technology

546 views • 44 slides
Forensic and I nvestigative Speaker Recognition: Situation BKA Odyssey 2016 June 21-24, Bilbao,

Forensic and I nvestigative Speaker Recognition: Situation BKA Odyssey 2016 June 21-24, Bilbao,

Forensic and I nvestigative Speaker Recognition: Situation BKA Odyssey 2016 June 21-24, Bilbao, Spain Michael Jessen BKA, Forensic Science Institute: Forensic Speech & Audio Department Guidelines Forensic Semiautomatic and Automatic

308 views • 13 slides
Automatic Abstraction for Congruences A Story of Beauty and the Beast Andy King and Harald

Automatic Abstraction for Congruences A Story of Beauty and the Beast Andy King and Harald

Automatic Abstraction for Congruences A Story of Beauty and the Beast Andy King and Harald Sndergaard Portcullis Computer Security University of Melbourne Andy King and Harald Sndergaard Automatic Abstraction for Congruences Structure of

516 views • 12 slides
Automatic Predicate Abstraction of C Programs Presented by Xuankang Lin Outline Main

Automatic Predicate Abstraction of C Programs Presented by Xuankang Lin Outline Main

Automatic Predicate Abstraction of C Programs Presented by Xuankang Lin Outline Main contribution Introduction to C2BP Challenges of Predicate Abstraction in C Conclusion Main Contribution Model checkers typically operate on

428 views • 24 slides
Automatic Verification of RMA Programs via Abstraction Extrapolation Cedric Baumann 1 , Andrei

Automatic Verification of RMA Programs via Abstraction Extrapolation Cedric Baumann 1 , Andrei

Automatic Verification of RMA Programs via Abstraction Extrapolation Cedric Baumann 1 , Andrei Marian Dan 1 , Yuri Meshman 2 , Torsten Hoefler 1 , Martin Vechev 1 1 Department of Computer Science, ETH Zurich, Switzerland 2 IMDEA Software Institute,

761 views • 61 slides
alcohol support groups for forensic inpatient and discharged service users Project lead: Dr

alcohol support groups for forensic inpatient and discharged service users Project lead: Dr

Improving attendance at drug and alcohol support groups for forensic inpatient and discharged service users Project lead: Dr Nikki Wood, Principal Clinical Psychologist and Head of Forensic Substance Use Support Service Project team: SUSS

247 views • 7 slides
Towards a Forensic Event Ontology to Assist Video Surveillance-based Vandalism Detection 1 Faranak

Towards a Forensic Event Ontology to Assist Video Surveillance-based Vandalism Detection 1 Faranak

Context A Forensic Event Ontology Assisting Video Surveillance-based Vandalism Detection Conclusions Towards a Forensic Event Ontology to Assist Video Surveillance-based Vandalism Detection 1 Faranak Sobhani 1 Umberto Straccia 2 1Queen Mary

222 views • 19 slides
The complementarity of automatic, semi-automatic and phonetic measures of vocal tract output

The complementarity of automatic, semi-automatic and phonetic measures of vocal tract output

The complementarity of automatic, semi-automatic and phonetic measures of vocal tract output Vincent Hughes, Philip Harrison, Paul Foulkes, Peter French, Colleen Kavanagh & Eugenia San Segundo IAFPA 9-12 July 2017 1. Forensic voice

481 views • 20 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
High Resolution MS in Forensic Toxicology Screening Osama Abu-Nimreh CMD Sales Support Specialist

High Resolution MS in Forensic Toxicology Screening Osama Abu-Nimreh CMD Sales Support Specialist

High Resolution MS in Forensic Toxicology Screening Osama Abu-Nimreh CMD Sales Support Specialist MECEC , Dubai The world leader in serving science Screening Approaches in LC/MSMS Screening applications are commonly used in forensic and

752 views • 39 slides
THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations Explore various clinical presentations seen in forensic settings Implement evidence-based and novel treatment strategies to the new forensic

946 views • 80 slides
Decla larative Process Min ining: Reducing Dis iscovered Models Complexity by Pre-Processing

Decla larative Process Min ining: Reducing Dis iscovered Models Complexity by Pre-Processing

Decla larative Process Min ining: Reducing Dis iscovered Models Complexity by Pre-Processing Event Logs Pedro H. Piccoli Richetti , Fernanda Araujo Baio, Flvia Maria Santoro Department of Applied Informatics UNIRIO - Federal University of

514 views • 37 slides
MANAGEMENT SYSTEM NC Governors Highway Safety Program 750 North Greenfield Parkway Garner, NC

MANAGEMENT SYSTEM NC Governors Highway Safety Program 750 North Greenfield Parkway Garner, NC

How To Guide WEB-BASED GRANTS MANAGEMENT SYSTEM NC Governors Highway Safety Program 750 North Greenfield Parkway Garner, NC 27529 919.814.3658 smdeans@ncdot.gov NC DOT/ Governors Highway Safety Program Grants Management System GHSP

385 views • 12 slides
Event Log Chris Bay @chrisbay on GitHub Description Event Log is a web application that allows

Event Log Chris Bay @chrisbay on GitHub Description Event Log is a web application that allows

Event Log Chris Bay @chrisbay on GitHub Description Event Log is a web application that allows an organization to keep track of event details, including volunteer tracking. Features Custom authentication Create and edit events

330 views • 14 slides
Event Logging System for Collaborative Communities Divyansh Sharma Kartik Verma Rahul Raj

Event Logging System for Collaborative Communities Divyansh Sharma Kartik Verma Rahul Raj

Event Logging System for Collaborative Communities Divyansh Sharma Kartik Verma Rahul Raj Vishrut Jetly July 4, 2018 Divyansh, Kartik, Rahul, Vishrut Event Logging System July 4, 2018 1 / 20 Outline Storing Logs in Elasticsearch 6

331 views • 20 slides
A tool for specifying and validating software liability VERIMAG, Grenoble, France - Eduardo

A tool for specifying and validating software liability VERIMAG, Grenoble, France - Eduardo

A tool for specifying and validating software liability VERIMAG, Grenoble, France - Eduardo Mazza - Marie-Laure Potet Outline Context Approach Study Case Specifications Entities Logs Properties Responsibility

364 views • 20 slides
How Events Are Reshaping Modern Systems Jonas Bonr @jboner Why Should you care about Events?

How Events Are Reshaping Modern Systems Jonas Bonr @jboner Why Should you care about Events?

How Events Are Reshaping Modern Systems Jonas Bonr @jboner Why Should you care about Events? 1. Events drive autonomy 2. Events help reduce risk 3. Events help you move faster 4. Events Increase Loose coupling 5. Events increase stability 6.

1.03k views • 57 slides
REGIONAL TRANSMISSION ORGANIZATIONS / INDEPENDENT SYSTEM OPERATORS AND THE ENERGY IMBALANCE

REGIONAL TRANSMISSION ORGANIZATIONS / INDEPENDENT SYSTEM OPERATORS AND THE ENERGY IMBALANCE

REGIONAL TRANSMISSION ORGANIZATIONS / INDEPENDENT SYSTEM OPERATORS AND THE ENERGY IMBALANCE MARKET: AN OVERVIEW OF THE PICTURE IN THE WEST MEGAN OREILLY COALITION FOR CLEAN AFFORDABLE ENERGY EPE IRP STAKEHOLDER MEETING, LAS CRUCES

355 views • 16 slides
Nevadas Wholesale Energy Market Lauren Rosenblatt Director, Energy Market Policy July 11,

Nevadas Wholesale Energy Market Lauren Rosenblatt Director, Energy Market Policy July 11,

Nevadas Wholesale Energy Market Lauren Rosenblatt Director, Energy Market Policy July 11, 2017 Wholesale vs. Retail Market Wholesale energy markets are regulated at the national level by the Federal Energy Regulatory Commission;

323 views • 18 slides

More recommend