Graph clustering and anomaly detection of access control log for forensic purposes

H. Studiawan; C. Payne; F. Sohel

doi:10.1016/j.diin.2017.05.001

Back

Graph clustering and anomaly detection of access control log for forensic purposes

Journal article

Open access

Peer reviewed

Graph clustering and anomaly detection of access control log for forensic purposes

H. Studiawan, C. Payne and F. Sohel

Digital Investigation, Vol.21, pp.76-87

03/05/2017

DOI: https://doi.org/10.1016/j.diin.2017.05.001

Files and links (2)

pdf

graph clustering.pdfDownload View

Author’s Version Open Access

url

Link to Published Version *Subscription may be requiredView

Abstract

Attacks on operating system access control have become a significant and increasingly common problem. This type of security threat is recorded in a forensic artifact such as an authentication log. Forensic investigators will generally examine the log to analyze such incidents. An anomaly is highly correlated to an attacker's attempts to compromise the system. In this paper, we propose a novel method to automatically detect an anomaly in the access control log of an operating system. The logs will be first preprocessed and then clustered using an improved MajorClust algorithm to get a better cluster. This technique provides parameter-free clustering so that it automatically can produce an analysis report for the forensic investigators. The clustering results will be checked for anomalies based on a score that considers some factors such as the total members in a cluster, the frequency of the events in the log file, and the inter-arrival time of a specific activity. We also provide a graph-based visualization of logs to assist the investigators with easy analysis. Experimental results compiled on an open dataset of a Linux authentication log show that the proposed method achieved the accuracy of 83.14% in the authentication log dataset.

Details

Title: Graph clustering and anomaly detection of access control log for forensic purposes
Authors/Creators: H. Studiawan (Author/Creator) - Murdoch University
C. Payne (Author/Creator) - Murdoch University
F. Sohel (Author/Creator) - Murdoch University
Publication Details: Digital Investigation, Vol.21, pp.76-87
Publisher: Elsevier Ltd
Identifiers: 991005544840907891
Murdoch Affiliation: School of Engineering and Information Technology
Language: English
Resource Type: Journal article

Metrics

280 File views/ downloads

133 Record Views

17 Times Cited - Web of Science

InCites Highlights

These are selected metrics from InCites Benchmarking & Analytics tool, related to this output

Citation topics: 4 Electrical Engineering, Electronics & Computer Science; 4.47 Software Engineering; 4.47.2804 Microservices Diagnostics
Web Of Science research areas: Computer Science, Information Systems; Computer Science, Interdisciplinary Applications
ESI research areas: Computer Science