Analysis of security data from a large computing organization

Procedia Computer Science, 2013

The admissible rate of criminal evidence against intruders has continued to generate classical arguments because the reports extracted from intrusion logs are often disputed in many courts of law. Besides, forensic experts still spend excessive resources to prepare reports for litigation before intruders can be charged. Thus, we propose Forenlog Analyzer to lessen the aforementioned problems. The pattern of attacks in an intrusion log is partitioned into sixty subgroups according to the values held in the timestamp of the evidence and the overall uncertainty of the pattern is subsequently computed. Evaluation illustrates that neither the internal attributes nor the external attributes of attacks are sufficient to litigate intruders in courts of laws in all cases. The results further demonstrate that forensic analysts should not just destroy, include or ignore supportive evidence on the basis of their sizes without determine their inherent uncertainty.

PeerJ Computer Science, 2015

Managed Security Services (MSS) have become an essential asset for companies to have in order to protect their infrastructure from hacking attempts such as unauthorized behaviour, denial of service (DoS), malware propagation, and anomalies. A proliferation of attacks has determined the need for installing more network probes and collecting more security-related events in order to assure the best coverage, necessary for generating incident responses. The increase in volume of data to analyse has created a demand for specific tools that automatically correlate events and gather them in pre-defined scenarios of attacks. Motivated by Above Security, a specialized company in the sector, and by National Research Council Canada (NRC), we propose a new data mining system that employs text mining techniques to dynamically relate security-related events in order to reduce analysis time, increase the quality of the reports, and automatically build correlated scenarios.

2003

An attempt at determining the source of anomalous network traffic may result in the identification of the networked system where it originated. From a forensic point of view it is almost impossible to positively identify the application or the user behind the application that generated the traffic. Many users may have been using the networked system and there remains the possibility of network traffic generation by Trojan horses. We propose a network-access log that bridges the gap between system event logs and network monitoring by extending event logging on individual hosts with information pertaining to generation of network traffic. The key contribution of the proposed network access audit log is the establishment of the chain of evidence linking the outgoing traffic to its source thereby improving the network security of an intranet.

Sixth International Scientific Conference ITEMA Recent Advances in Information Technology, Tourism, Economics, Management and Agriculture

Troubleshooting is the process of detecting, identifying and re­solving problems within a computer network by means of specific methods, tools and operations. Troubleshooting implies following a set of procedures or steps that conform to the security standards and policies of a company. Diagnosing the source of a problem can be done by tools for system moni­toring, recording log messages, manual testing of device configuration, as well as by tools for device operation analysis. The procedure for using log messages to resolve both common problems and those caused by attacks is explained in this paper. Furthermore, this paper describes the way securi­ty threat management systems use the contents of log messages to analyze hardware problems and malicious activities.

International Journal of Computer Applications , 2025

The growing complexity of cybersecurity and the limited availability of skilled professionals contribute to the vulnerability of systems. Security experts traditionally use event logs to evaluate system security, identify vulnerabilities, and uncover potential cyberattacks. Analyzing these logs can be challenging and lengthy, particularly for those without specialized expertise. To overcome this challenge, automated systems are crucial for assisting both security professionals and those without specialized knowledge in analyzing security events. This research presents a novel method for automating the process of extracting and utilizing knowledge from security event logs. A new framework is presented that combines Association Rule Mining and Causal Inference to identify patterns and causal relationships within event log data. By leveraging machine learning techniques, the system automatically extracts critical security information and translates it into actionable recommendations for non-expert users, eliminating the need for continuous human intervention. The framework was experimentally validated in a university network environment at the University of Education, Winneba (UEW), where it demonstrated 92% accuracy in event correlation, 95% accuracy in causal inference, and 85% usability for non-expert users. This proposed system provides a cost-effective and scalable solution for enhancing security across various environments, including small and large-scale ones. The proposed system significantly reduces the time and cost associated with manual log analysis, offering a scalable solution that can enhance security across small and large-scale environments. The findings highlight the potential of this method to improve system security while reducing reliance on specialized expertise, making it highly applicable in commercial contexts.

2015

As more and more Internet-based attacks arise, organizations are responding by deploying an assortment of security products that generate situational intelligence in the form of logs. These logs often contain high volumes of interesting and useful information about activities in the network, and are among the first data sources that information security specialists consult when they suspect that an attack has taken place. However, security products often come from a patchwork of vendors, and are inconsistently installed and administered. They generate logs whose formats differ widely and that are often incomplete, mutually contradictory, and very large in volume. Hence, although this collected information is useful, it is often dirty.

The intensification of Information and Communications Technology usage in all facets of life exceedingly amplify the incidents of information security policy breaches, cyber crimes, fraud, commercial crimes, cyber laundering etc, hence require a well developed approach to tackle these incidents in order to realize legally defensible digital evidence. Since electronic evidence is fragile and can easily be modified, finding this data, collecting, preserving, and presenting it properly in a court of law is the real challenge. There is a need for use of semantic analysis to discover underlying security policy requirements and internal power structures and institutionalization of anti cyber attack, antimoney- laundering and regulatory schemes. The first responders to cyber security incidents often than always are an organization ICT personnel who are technically sound though may be deficient in investigative skill. The scientific standards of cyber forensics dictates the procedure as it promotes objectivity, a precise and well documented analysis, particularly that the findings maybe used as evidence against the attacker. This paper aims to contribute to the advancement of the cyber forensics discipline with a view to assist the International community in combating this sophisticated, high-tech, dynamic ever changing phenomenon.

2004

This paper examines principles and approaches for proactive computer-system forensics. Proactive computersystem forensics is the design, construction and configuring of systems to make them most amenable to digital forensics analyses in the future. The primary goals of proactive computer-system forensics are system structuring and augmentation for automated data discovery, lead formation, and efficient data preservation. This paper proposes:

Journal of telecommunications and information technology, 2015

The article proposes a log analysis approach to detection of security violations, based on a four layer design. First layer, named the event source layer, describes sources of information that can be used for misuse investigation. Transport layer represents the method of collecting event data, preserving it in the form of logs and passing it to another layer, called the analysis layer. This third layer is responsible for analyzing the logs' content, picking relevant information and generating security alerts. Last layer, called normalization layer, is custom software which normalizes and correlates produced alerts to raise notice on more complex attacks. Logs from remote hosts are collected by using rsyslog software and OSSEC HIDS with custom decoders and rules is used on a central log server for log analysis. A novel method of handling OSSEC HIDS alerts by their normalization and correlation is proposed. The output can be optionally suppressed to protect the system against alarm flood and reduce the count of messages transmitted in the network.