• DocumentCode
    2034481
  • Title
    Efficiency of network event logs as admissible digital evidence
  • Author
    Al-Mahrouqi, Aadil ; Abdalla, Sameh ; Kechadi, Tahar
  • Author_Institution
    Sch. of Comput. Sci. & Inf., Univ. Coll. Dublin, Dublin, Ireland
  • fYear
    2015
  • fDate
    28-30 July 2015
  • Firstpage
    1257
  • Lastpage
    1265
  • Abstract
    The large number of event logs generated in a typical network is increasingly becoming an obstacle for forensic investigators who must analyze them to detect and verify malicious activity. Research in the area of network forensics is trying to address the challenge of using network logs to reconstruct attack scenarios by proposing event correlation models. In this paper we introduce a new network forensics model that makes network event logs admissible in a court of law. Our model collects the available logs from connected network devices, applies a decision tree algorithm to filter anomalous intrusions, and then re-routes the logs to a central repository where event-log management functions are applied.
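    The abstract describes a three-stage pipeline (collect device logs, filter with a decision tree, retain in a central repository with management functions that preserve evidential value). The block below is an added illustration of that pipeline shape, written for this record; it is not the authors' model or code. Everything in it is an assumption: the key=value log format and the four sample lines are constructed, the decision tree is hand-written with invented thresholds (standing in for a tree a practitioner would train on labelled traffic), and the "management function" shown is a SHA-256 hash chain over retained entries, which is one common way to make a stored log tamper-evident for chain-of-custody purposes.

```python
"""Toy network-forensics pipeline: collect, decision-tree filter, hash-chained repository.
Constructed example; the log format, thresholds and sample lines are all invented."""
import hashlib
import json

# Constructed sample lines in an assumed "device timestamp key=value ..." format.
SAMPLE_LOGS = [
    "fw01 2015-07-28T10:00:01Z src=10.0.0.5 dst=203.0.113.9 dport=443 action=allow conns=3 fails=0",
    "fw01 2015-07-28T10:00:02Z src=198.51.100.7 dst=10.0.0.20 dport=22 action=deny conns=4 fails=12",
    "ids02 2015-07-28T10:00:03Z src=198.51.100.9 dst=10.0.0.0/24 dport=0 action=alert conns=450 fails=0",
    "fw01 2015-07-28T10:00:04Z src=10.0.0.8 dst=10.0.0.1 dport=53 action=allow conns=1 fails=0",
]

GENESIS = "0" * 64  # previous-hash value for the first chained entry


def parse_line(line):
    """Split one assumed-format line into a dict; numeric fields become ints."""
    device, ts, *kvs = line.split()
    rec = {"device": device, "ts": ts}
    for kv in kvs:
        key, val = kv.split("=", 1)
        rec[key] = int(val) if val.isdigit() else val
    return rec


def classify(rec):
    """Hand-written decision tree (assumed thresholds; stands in for a trained model).
    Root split on connection fan-out, then on blocked traffic to admin ports."""
    if rec["conns"] > 100:
        return "anomaly:scan"
    if rec["action"] == "deny":
        if rec["fails"] > 5 and rec["dport"] in (22, 3389):
            return "anomaly:bruteforce"
        return "normal"
    return "normal"


def _digest(payload):
    """Canonical JSON (sorted keys) so the hash is independent of dict ordering."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def ingest(lines):
    """Filter every line with the tree; append flagged events to a hash chain.
    Each entry commits to the previous entry's hash, so insertion, deletion or
    edit of any retained event breaks verification from that point on."""
    chain = []
    prev = GENESIS
    for raw in lines:
        label = classify(parse_line(raw))
        if label == "normal":
            continue  # filtered out; the raw source log is not modified
        entry = {"seq": len(chain), "raw": raw, "label": label, "prev": prev}
        entry["hash"] = _digest(entry)  # hash covers seq, raw, label and prev
        chain.append(entry)
        prev = entry["hash"]
    return chain


def verify_chain(chain):
    """Recompute every hash and link; True only if the repository is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    repo = ingest(SAMPLE_LOGS)
    for e in repo:
        print(e["seq"], e["label"], e["hash"][:16])
    print("chain intact:", verify_chain(repo))
```

A hash chain only proves that entries have not changed since they were chained; it says nothing about the fidelity of collection before that point, and the chain head itself still needs to be anchored somewhere the investigator does not control (a signed timestamp, a write-once store, or a periodic record in a separate system) to carry weight as evidence.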
  • Keywords
    computer network security; decision trees; digital forensics; admissible digital evidence; anomaly intrusion; decision tree algorithm; event correlation models; event-logs management functions; malicious activity detection; network event logs; network forensics model; Computer crime; Computer science; Computers; Data mining; Forensics; Reliability; Authentication of Evidence; Best Evidence; Evidence Reliability; Network Evidence Admissibility; SVMs;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Science and Information Conference (SAI), 2015
  • Conference_Location
    London
  • Type
    conf
  • DOI
    10.1109/SAI.2015.7237305
  • Filename
    7237305