4 research outputs found

    Graph clustering and anomaly detection of access control log for forensic purposes

    Attacks on operating system access control have become a significant and increasingly common problem. This type of security threat is recorded in a forensic artifact such as an authentication log. Forensic investigators will generally examine the log to analyze such incidents. An anomaly is highly correlated with an attacker's attempts to compromise the system. In this paper, we propose a novel method to automatically detect an anomaly in the access control log of an operating system. The logs are first preprocessed and then clustered using an improved MajorClust algorithm to obtain better clusters. This technique provides parameter-free clustering, so it can automatically produce an analysis report for the forensic investigators. The clustering results are checked for anomalies based on a score that considers factors such as the total number of members in a cluster, the frequency of the events in the log file, and the inter-arrival time of a specific activity. We also provide a graph-based visualization of the logs to assist the investigators with easy analysis. Experimental results compiled on an open dataset of a Linux authentication log show that the proposed method achieved an accuracy of 83.14% on the authentication log dataset.

    Automatic log parser to support forensic analysis

    Event log parsing is the process of splitting and labeling each field in a log entry. Existing approaches commonly use regular expressions or parsing rules to extract the fields. However, such techniques are time-consuming, as a forensic investigator needs to define a new rule for each log file type. In this paper, we present a tool, named nerlogparser, that parses log entries automatically, where log parsing is modeled as a named entity recognition problem. We use a deep machine learning technique, specifically bidirectional long short-term memory networks, as the underlying architecture for this purpose. Unlike existing tools, nerlogparser is fully automatic, as the investigators do not need to define any parsing rules, and it is generic, as there is only one model to parse various types of log files. Experimental results show that nerlogparser achieves superior performance compared with other traditional machine learning methods.

    Graph Clustering for Authentication Logs with the Molecular Complex Detection Algorithm

    Access control violations have been a major form of attack in recent years. Security threats of this type are recorded in an authentication log. Forensic investigators analyze the log to identify threats that may have occurred. That analysis can be made easier by clustering the log. However, because there is as yet no visualization of the clustered log, log analysis is difficult and time-consuming. The author uses a method that builds a visualization from the clustered log data. The first stage is to preprocess the log. The preprocessed data is then clustered using the Molecular Complex Detection (MCODE) algorithm. Once clustered, the author visualizes the clustering result. In this final project, the result obtained is that the Molecular Complex Detection algorithm can be used as a method for clustering the available authentication log and can give good accuracy. As for graph visualization, the Gephi application is already able to give a clear visualization for seeing the difference between attack log entries and non-attack log entries, which eases analysis in the subsequent stage.

    Access control violations have been a major attack in recent years. Records of this type of violation are stored in the authentication log. Forensic investigators analyze the log to understand possible attacks on the system. However, because there is no visualization of the clustered log, the analysis process takes a long time. The author uses a method that makes a visualization from clustered log data. The first step is to preprocess the authentication log. The preprocessed data is then clustered with the Molecular Complex Detection (MCODE) algorithm. After the log is clustered, the author visualizes the clustering result. In this undergraduate thesis, the result obtained is that the Molecular Complex Detection algorithm can be used for clustering the given authentication log and has good accuracy. As for graph visualization, Gephi can visualize the authentication log clearly, so it can show the differences between attack log entries and entries that are not attacks. The visualization can therefore simplify the authentication log analysis process.