Conference topic

Forensic Intrusion Detection on System Logs

Computer forensics is often used to analyse an IT system after an intrusion in order to determine how the attacker gained access to a resource and what they did afterwards. Usually, it reveals that the attacker ran an exploit to take advantage of a vulnerability in order to cause unintended system behavior. Pinpointing the execution of an exploit, if any, in a given log file is very valuable for computer forensics, as it speeds up the process of gathering evidence of an intrusion. It is also valuable for IDS construction, as it speeds up the process of building an attack signature. This problem, which we call forensic intrusion detection, is fairly complex, given both the overwhelming length of a standard log file and the difficulty of identifying exactly where the intrusion has occurred. We propose a novel approach to forensic intrusion detection. To classify system behavior, we use a method that combines a Hidden Markov Model (HMM) with online K-means. Our experimental results show an average detection rate of 85.21% and an average false positive rate of 13.88%.

Karen A. García, Eduardo Aguirre, Raúl Monroy, Carlos Mex-Perera

Tecnológico de Monterrey, Campus Estado de México, Carretera al Lago de Guadalupe Km. 3.5, Atizapán, Es
Tecnológico de Monterrey, Campus Monterrey, Av. Eugenio Garza Sada 2501 Sur, Monterrey, N.L., 64849, Me

International conference

2010 International Conference on Information Security and Artificial Intelligence (ISAI 2010)

Chengdu

English

315-319

2010-12-17 (date the record first went online on the Wanfang platform, not the paper's publication date)