Graph clustering and anomaly detection of access control log for forensic purposes |
| |
Institution: | 1. School of Engineering and Information Technology, Murdoch University, Australia;2. Department of Informatics, Institut Teknologi Sepuluh Nopember, Indonesia;1. Los Alamos National Laboratory, Los Alamos, NM, USA;2. New Mexico Institute of Mining and Technology, Socorro, NM, USA;1. Australian Centre for Cyber Security, University of New South Wales, ACT, Australia;2. Automated Analytics and Decision Support, Cyber and Electronic Warfare Division, Defence Science and Technology Organisation, West Avenue, Edinburgh, South Australia, 5111, Australia;1. CheckSem Team, Laboratoire Le2i, UMR CNRS 6306, Faculté des Sciences Mirande, Université de Bourgogne, BP47870, 21078 Dijon, France;2. School of Computer Science & Informatics, University College Dublin, Belfield, Dublin 4, Ireland |
| |
Abstract: | Attacks on operating system access control have become a significant and increasingly common problem. This type of security threat is recorded in a forensic artifact such as an authentication log. Forensic investigators will generally examine the log to analyze such incidents. An anomaly is highly correlated to an attacker's attempts to compromise the system. In this paper, we propose a novel method to automatically detect an anomaly in the access control log of an operating system. The logs will be first preprocessed and then clustered using an improved MajorClust algorithm to get a better cluster. This technique provides parameter-free clustering so that it automatically can produce an analysis report for the forensic investigators. The clustering results will be checked for anomalies based on a score that considers some factors such as the total members in a cluster, the frequency of the events in the log file, and the inter-arrival time of a specific activity. We also provide a graph-based visualization of logs to assist the investigators with easy analysis. Experimental results compiled on an open dataset of a Linux authentication log show that the proposed method achieved the accuracy of 83.14% in the authentication log dataset. |
| |
Keywords: | Authentication log Improved MajorClust Event log forensics Anomaly detection |
本文献已被 ScienceDirect 等数据库收录! |
|