TY - JOUR
T1 - Context-based irregular activity detection in event logs for forensic investigations
T2 - An itemset mining approach
AU - Khan, Saad
AU - Parkinson, Simon
AU - Murphy, Craig
N1 - Funding Information:
The authors would like to express their gratitude for the financial support from the UK's Defence Science and Technology Laboratory (Dstl), provided through the UK's Defence and Security Accelerator (DASA) and managed by Frazer-Nash Consultancy (DSTL0000003894).
Publisher Copyright:
© 2023 The Author(s)
PY - 2023/12/15
Y1 - 2023/12/15
N2 - Event logs are a powerful source of digital evidence as they contain detailed information about activities performed on a computer. Forensic investigation of event logs is a challenging and time-consuming task due to their large volume and continuous generation. A significant amount of time, effort, and knowledge is required to interpret their contents and to discover irregular events that are potentially pertinent to the investigation. As the number of digital investigations increases, so too must the resources available to investigators. This requires new techniques to make the process easier and faster, reducing the burden on human investigators while remaining resource efficient. In this paper, a novel solution is presented to examine event logs and automatically identify irregular activities during forensic analysis. The proposed solution utilises a rare itemset mining approach to establish relationships among event entries, based on their contents. The identified event relationships are then ordered temporally to represent the timeline or sequence of activity. The solution is also capable of prioritising identified activities by calculating their degree of irregularity. The empirical analysis is performed on 15 live machines, and the results are discussed in terms of accuracy and performance metrics.
AB - Event logs are a powerful source of digital evidence as they contain detailed information about activities performed on a computer. Forensic investigation of event logs is a challenging and time-consuming task due to their large volume and continuous generation. A significant amount of time, effort, and knowledge is required to interpret their contents and to discover irregular events that are potentially pertinent to the investigation. As the number of digital investigations increases, so too must the resources available to investigators. This requires new techniques to make the process easier and faster, reducing the burden on human investigators while remaining resource efficient. In this paper, a novel solution is presented to examine event logs and automatically identify irregular activities during forensic analysis. The proposed solution utilises a rare itemset mining approach to establish relationships among event entries, based on their contents. The identified event relationships are then ordered temporally to represent the timeline or sequence of activity. The solution is also capable of prioritising identified activities by calculating their degree of irregularity. The empirical analysis is performed on 15 live machines, and the results are discussed in terms of accuracy and performance metrics.
KW - Event Logs
KW - Forensic investigation
KW - Irregular activities
KW - Rare itemset mining
UR - http://www.scopus.com/inward/record.url?scp=85165542756&partnerID=8YFLogxK
U2 - 10.1016/j.eswa.2023.120991
DO - 10.1016/j.eswa.2023.120991
M3 - Article
VL - 233
JO - Expert Systems with Applications
JF - Expert Systems with Applications
SN - 0957-4174
M1 - 120991
ER -
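
Worked illustration of the pipeline the abstract describes (rare itemset mining over event-entry contents, temporal ordering of the related entries, and a degree-of-irregularity score). This is an added example, not code or data from the paper: the sample events, the minimal-rare-itemset search, the merge-by-coverage step and the score 1 - support/N are assumptions made here to show the idea in runnable form, not the authors' method.

```python
"""Rare itemset mining over event log entries (worked illustration).

Each log entry becomes a transaction: the set of "attribute=value" items it
carries (the timestamp is kept aside for ordering).  Minimal rare itemsets are
found level-wise, Apriori style; those covering the same entries are merged
into one context, ordered in time and scored by how rare they are.
"""
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample log (hypothetical Windows-style security events, not real
# data): routine LogonType=2 activity by alice, then an out-of-hours LogonType=10 logon by bob.
SAMPLE_EVENTS = [
    {"ts": "2023-09-01T08:00:00", "EventID": "4624", "User": "alice", "LogonType": "2", "Process": "explorer.exe"},
    {"ts": "2023-09-01T08:05:00", "EventID": "4688", "User": "alice", "LogonType": "2", "Process": "outlook.exe"},
    {"ts": "2023-09-01T08:10:00", "EventID": "4688", "User": "alice", "LogonType": "2", "Process": "excel.exe"},
    {"ts": "2023-09-01T09:00:00", "EventID": "4624", "User": "alice", "LogonType": "2", "Process": "explorer.exe"},
    {"ts": "2023-09-01T09:15:00", "EventID": "4688", "User": "alice", "LogonType": "2", "Process": "outlook.exe"},
    {"ts": "2023-09-01T12:00:00", "EventID": "4688", "User": "alice", "LogonType": "2", "Process": "excel.exe"},
    {"ts": "2023-09-01T13:00:00", "EventID": "4624", "User": "alice", "LogonType": "2", "Process": "explorer.exe"},
    {"ts": "2023-09-01T14:00:00", "EventID": "4688", "User": "alice", "LogonType": "2", "Process": "outlook.exe"},
    {"ts": "2023-09-02T03:02:00", "EventID": "4624", "User": "bob", "LogonType": "10", "Process": "explorer.exe"},
    {"ts": "2023-09-02T03:03:00", "EventID": "4688", "User": "bob", "LogonType": "10", "Process": "powershell.exe"},
]


def to_transaction(event, ignore=("ts",)):
    """Set of attribute=value items in one log entry."""
    return frozenset(f"{k}={v}" for k, v in event.items() if k not in ignore)


def support(itemset, transactions):
    """Number of transactions containing every item of the itemset."""
    return sum(1 for t in transactions if itemset <= t)


def minimal_rare_itemsets(transactions, max_support, max_len=3):
    """Return (itemset, support) pairs with 1 <= support <= max_support whose
    proper subsets are all frequent.  Size-(k+1) candidates are joined from
    frequent k-itemsets and pruned unless all their k-subsets are frequent."""
    items = sorted({item for t in transactions for item in t})
    level = [frozenset([i]) for i in items]
    rare = []
    for k in range(1, max_len + 1):
        frequent = []
        for cand in level:
            s = support(cand, transactions)
            if s == 0:  # items never co-occur: no relationship to report
                continue
            if s <= max_support:
                rare.append((cand, s))
            else:
                frequent.append(cand)
        if k == max_len or len(frequent) < 2:
            break
        frequent_set = set(frequent)
        level = sorted(
            {a | b for a, b in combinations(frequent, 2)
             if len(a | b) == k + 1
             and all(frozenset(sub) in frequent_set for sub in combinations(a | b, k))},
            key=sorted,
        )
    return rare


def irregular_activities(events, max_support=1, max_len=3):
    """Mine rare contexts, order their entries in time and rank them.

    Rare itemsets covering exactly the same entries are merged: their union is
    still contained in each of those entries, so its support is unchanged.
    Score = 1 - support / len(events) is a simple choice assumed here."""
    transactions = [to_transaction(e) for e in events]
    by_cover = defaultdict(set)
    for itemset, _ in minimal_rare_itemsets(transactions, max_support, max_len):
        cover = frozenset(i for i, t in enumerate(transactions) if itemset <= t)
        by_cover[cover] |= itemset
    results = []
    for cover, context in by_cover.items():
        matched = sorted((events[i] for i in cover),
                         key=lambda e: datetime.fromisoformat(e["ts"]))
        results.append({
            "context": sorted(context),
            "support": len(cover),
            "score": round(1 - len(cover) / len(events), 3),
            "timeline": [e["ts"] for e in matched],
            "entries": matched,
        })
    # Most irregular first; ties broken by when the activity first appears.
    results.sort(key=lambda r: (-r["score"], r["timeline"][0]))
    return results


if __name__ == "__main__":
    for r in irregular_activities(SAMPLE_EVENTS):
        print(f"score={r['score']} support={r['support']} context={r['context']}")
        for e in r["entries"]:
            print("   ", e["ts"], e["EventID"], e["User"], e["Process"])
```

With max_support=1 the only contexts reported are bob's remote logon and the PowerShell launch that follows it, each with score 0.9; nothing from alice's routine activity appears. The threshold is the sensitive knob: raising max_support to 2 also flags the two excel.exe launches as "rare", so on a real log it has to be chosen against the volume and the attribute set being mined, and the score above is only one possible rarity measure.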