DocumentCode :
3516615
Title :
Log Analyzer for Network Forensics and Incident Reporting
Author :
Nehinbe, Joshua Ojo
Author_Institution :
Univ. of Essex, Colchester, UK
fYear :
2010
fDate :
27-29 Jan. 2010
Firstpage :
356
Lastpage :
361
Abstract :
Network intrusion detection systems are used in network forensics and network auditing to log suspicious activities that potentially signify security violations on the networks as alerts. However, the efficacy of intrusion aggregation methods for succinctly processing audit logs, which are gaining wider acceptability in computer security, is flawed because the methods frequently require a high level of expertise to validate each alert and they focus only on interesting events. Thus, deceptive attacks that are intentionally launched to appear as uninteresting events frequently elude detection. Consequently, aggregated alerts are not seriously considered for litigation and incident handling exercises. Therefore, this paper presents extensive investigations of these problems. We deployed Snort to sniff offline datasets in intrusion detection mode and clustered the alerts of each dataset with several filtering criteria. Furthermore, the results obtained have established how to detect various kinds of interesting and uninteresting attacks that frequently elude detection.
Keywords :
computer forensics; computer network security; pattern clustering; Snort; alert clustering; deceptive attacks; filtering criteria; incident handling exercise; incident reporting; litigation exercise; log analyzer; network auditing; network forensics; network intrusion detection system; security violation; Analytical models; Computer networks; Computer security; Detectors; Event detection; Filtering; Forensics; Intelligent networks; Intelligent systems; Intrusion detection; Alerts; aggregation; interesting alerts; uninteresting alerts
fLanguage :
English
Publisher :
IEEE
Conference_Title :
Intelligent Systems, Modelling and Simulation (ISMS), 2010 International Conference on
Conference_Location :
Liverpool
Print_ISBN :
978-1-4244-5984-1
Type :
conf
DOI :
10.1109/ISMS.2010.71
Filename :
5416066