A Novel Authentication And Validation Mechanism For Analyzing Syslogs Forensically

Monteiro, Steena D.S.

01 December 2008

This research proposes a novel technique for authenticating and validating syslogs for forensic analysis. This technique uses a modification of the Needham Schroeder protocol, which uses nonces (numbers used only once) and public keys. Syslogs, which were developed from an event-logging perspective and not from an evidence-sustaining one, are system treasure maps that chart out and pinpoint attacks and attack attempts. Over the past few years, research on securing syslogs has yielded enhanced syslog protocols that focus on tamper prevention and detection. However, many of these protocols, though efficient from a security perspective, are inadequate when forensics comes into play. From a legal perspective, any kind of evidence found at a crime scene needs to be validated. In addition, any digital forensic evidence when presented in court needs to be admissible, authentic, believable, and reliable. Currently, a patchy log on the server side and client side cannot be considered as formal authentication of a wrongdoer. This work presents a method that ties together, authenticates, and validates all the entities involved in the crime scene--the user using the application, the system that is being used, and the application being used on the system by the user. This means that instead of merely transmitting the header and the message, which is the standard syslog protocol format, the syslog entry along with the user fingerprint, application fingerprint, and system fingerprint are transmitted to the logging server. The assignment of digital fingerprints and the addition of a challenge response mechanism to the underlying syslogging mechanism aim to validate generated syslogs forensically.

Authentication and validation

foresic validity

model

system log files

Computer Sciences

Event Sequence Identification and Deep Learning Classification for Anomaly Detection and Predication on High-Performance Computing Systems

Li, Zongze

12 1900

High-performance computing (HPC) systems continue growing in both scale and complexity. These large-scale, heterogeneous systems generate tens of millions of log messages every day. Effective log analysis for understanding system behaviors and identifying system anomalies and failures is highly challenging. Existing log analysis approaches use line-by-line message processing. They are not effective for discovering subtle behavior patterns and their transitions, and thus may overlook some critical anomalies. In this dissertation research, I propose a system log event block detection (SLEBD) method which can extract the log messages that belong to a component or system event into an event block (EB) accurately and automatically. At the event level, we can discover new event patterns, the evolution of system behavior, and the interaction among different system components. To find critical event sequences, existing sequence mining methods are mostly based on the a priori algorithm which is compute-intensive and runs for a long time. I develop a novel, topology-aware sequence mining (TSM) algorithm which is efficient to generate sequence patterns from the extracted event block lists. I also train a long short-term memory (LSTM) model to cluster sequences before specific events. With the generated sequence pattern and trained LSTM model, we can predict whether an event is going to occur normally or not. To accelerate such predictions, I propose a design flow by which we can convert recurrent neural network (RNN) designs into register-transfer level (RTL) implementations which are deployed on FPGAs. Due to its high parallelism and low power, FPGA achieves a greater speedup and better energy efficiency compared to CPU and GPU according to our experimental results.

HPC

System log

Anomaly Detection

Sequence Mining

Deep Learning

RNN

FPGA

Assessing Anonymized System Logs Usefulness for Behavioral Analysis in RNN Models

Vagis, Tom Richard, Ghiasvand, Siavash

06 August 2024

Assessing Anonymized System Logs Usefulness for Behavioral Analysis in RNN Models Tom Richard Vargis1,∗, Siavash Ghiasvand1,2 1Technische Universität Dresden, Germany 2Center for Scalable Data Analytics and Artificial Intelligence (ScaDS.AI) Dresden/Leipzig, Germany Abstract System logs are a common source of monitoring data for analyzing computing systems behavior. Due to the complexity of modern computing systems and the large size of collected monitoring data, automated analysis mechanisms are required. Numerous machine learning and deep learning methods are proposed to address this challenge. However, due to the existence of sensitive data in system logs their analysis and storage raise serious privacy concerns. Anonymization methods could be used to cleanse the monitoring data before analysis. However, anonymized system logs in general do not provide an adequate usefulness for majority of behavioral analysis. Content-aware anonymization mechanisms such as 𝑃𝛼𝑅𝑆 preserve the correlation of system logs even after anonymization. This work evaluates the usefulness of anonymized system logs of Taurus HPC cluster anonymized using 𝑃𝛼𝑅𝑆, for behavioural analysis via recurrent neural network models. To facilitate the reproducibility and further development of this work, the implemented prototype and monitoring data are publicly available [12].

info:eu-repo/classification/ddc/005

ddc:005

Analýza systémových záznamů / System Log Analysis

Ščotka, Jan

January 2008

The goal of this master thesis is to make possible to perform system log analysis in more general way than well-known host-based instrusion detection systems (HIDS). The way how to achieve this goal is via proposed user-friendly regular expressions. This thesis deals with making regular expressions possible to use in the field of log analysis, and mainly by users unfamiliar with formal aspects of computer science.

Användning av artificiella neurala nätverk (ANNs) för att upptäcka cyberattacker: En systematisk litteraturgenomgång av hur ANN kan användas för att identifiera cyberattacker

Wongkam, Nathalie, Shameel, Ahmed Abdulkareem Shameel

January 2023

Denna studie undersöker användningen av maskininlärning (ML), särskilt artificiella neurala nätverk (ANN), inom nätverksdetektering för att upptäcka och förebygga cyberattacker. Genom en systematisk litteraturgenomgång sammanställs och analyseras relevant forskning för att erbjuda insikter och vägledning för framtida studier. Forskningsfrågorna utforskar tillämpningen av maskininlärningsalgoritmer för att effektivt identifiera och förhindra nätverksattacker samt de utmaningar som uppstår vid användningen av ANN. Metoden innefattar en strukturerad sökning, urval och granskning av vetenskapliga artiklar. Resultaten visar att maskininlärningsalgoritmer kan effektivt användas för att bekämpa cyberattacker. Dock framkommer utmaningar kopplade till ANNs känslighet för störningar i nätverkstrafiken och det ökade behovet av stor datamängd och beräkningskraft. Studien ger vägledning för utveckling av tillförlitliga och kostnadseffektiva ANN-baserade lösningar inom nätverksdetektering. Genom att sammanställa och analysera befintlig forskning ger studien en djupare förståelse för tillämpningen av ML-algoritmer, särskilt ANN, inom cybersäkerhet. Detta bidrar till kunskapsutveckling och tillför en grund för framtida forskning inom området. Studiens betydelse ligger i att främja utvecklingen av effektiva lösningar för att upptäcka och förebygga nätverksattacker. / This research study investigates the application of machine learning (ML), specifically artificial neural networks (ANN), in network intrusion detection to identify and prevent cyber-attacks. The study employs a systematic literature review to compile and analyse relevant research, aiming to offer insights and guidance for future studies. The research questions explore the effectiveness of machine learning algorithms in detecting and mitigating network attacks, as well as the challenges associated with using ANN. The methodology involves conducting a structured search, selection, and review of scientific articles. The findings demonstrate the effective utilization of machine learning algorithms, particularly ANN, in combating cyber-attacks. The study also highlights challenges related to ANN's sensitivity to network traffic disturbances and the increased requirements for substantial data and computational power. The study provides valuable guidance for developing reliable and cost-effective solutions based on ANN for network intrusion detection. By synthesizing and analysing existing research, the study contributes to a deeper understanding of the practical application of machine learning algorithms, specifically ANN, in the realm of cybersecurity. This contributes to knowledge development and provides a foundation for future research in the field. The significance of the study lies in promoting the development of effective solutions for detecting and preventing network attacks.

Machine learning

Artificial neural networks

Intrusion detection systems

Network traffic

System log

Maskininlärning

Artificiellt neurala nätverk

Intrångsdetekteringssystem

Nätverkstrafik

Systemloggar

Computer Sciences

Datavetenskap (datalogi)

Assistance system for an automated log-quality and assortment estimation based on data-driven approaches using hydraulic signals of forestry machines

Geiger, Chris, Maier, Niklas, Kalinke, Florian, Geimer, Marcus

26 June 2020

The correct classification of a logs assortment is crucial for the economic output within a fully mechanized timber harvest. This task is especially for unexperienced but also for professional machine operators mentally demanding. This paper presents a method towards an assistance system for machine operators for an automated log quality and assortment estimation. Therefore, machine vision methods for object detection are combined with machine learning approaches for estimating the logs weight based on a Convolutional Neural Network (CNN). Based on the dimensions oft he object ´log, a first categorisation into a specific assortment is done. By comparing the theoretical weight of a healthy log of such dimensions to the real weight estimated by the CNN-based crane scale, quality reducing properties such as beetle infestation or red rod can be detected. In such cases, the assistance system displays a visual warning to the operator to check the loaded log.

info:eu-repo/classification/ddc/620

ddc:620