Identifying Irregularities in Security Event Logs through an Object-based Chi-squared Test of Independence

Simon Parkinson, Saad Khan

Research output: Contribution to journal › Article

1 Citation (Scopus)

Abstract

A novel technique for identifying irregular event log entries is presented in this paper along with its implementation in a Microsoft Windows-based environment. The motivation behind this research is to identify irregular activity in a system whilst minimising any requirement for expert knowledge, in addition to saving investigative time and computing resources. As the developed solution utilises the standard Microsoft format for event logs, it can work with both live systems and events extracted and stored for off-site analysis. The solution consists of two major steps: first, convert the event logs into an object-based model and second, perform statistical analysis using the Chi-squared (χ2) test of independence and classify mean χ2 values into discrete categories using the Jenks natural breaks method. The event log entries which fail the test of dependence are considered irregular events. It is also shown that the proposed solution poses an advantage over primitive frequency analysis methods as it uses object relationships among event log entries to determine irregularities for locating anomalous activities. Empirical analysis of the solution is performed using event log data from 20 machines and shows promising results by correctly identifying irregular events. Further experimental analysis involving the insertion of synthetic irregular events results in an average accuracy of 85%.

Language: English
Pages: 52-62
Number of pages: 11
Journal: Journal of Information Security and Applications
Volume: 40
Early online date: 22 Mar 2018
DOIs: 10.1016/j.jisa.2018.03.003
Publication status: Published - Jun 2018


Cite this

@article{24414a307f044e8187598a5ab09b2343,
title = "Identifying Irregularities in Security Event Logs through an Object-based Chi-squared Test of Independence",
abstract = "A novel technique for identifying irregular event log entries is presented in this paper along with its implementation in a Microsoft Windows-based environment. The motivation behind this research is to identify irregular activity in a system whilst minimising any requirement for expert knowledge, in addition to saving investigative time and computing resources. As the developed solution utilises the standard Microsoft format for event logs, it can work with both live systems and events extracted and stored for off-site analysis. The solution consists of two major steps: first, convert the event logs into an object-based model and second, perform statistical analysis using the Chi-squared (χ2) test of independence and classify mean χ2 values into discrete categories using the Jenks natural breaks method. The event log entries which fail the test of dependence are considered irregular events. It is also shown that the proposed solution poses an advantage over primitive frequency analysis methods as it uses object relationships among event log entries to determine irregularities for locating anomalous activities. Empirical analysis of the solution is performed using event log data from 20 machines and shows promising results by correctly identifying irregular events. Further experimental analysis involving the insertion of synthetic irregular events results in an average accuracy of 85{\%}.",
keywords = "Chi-square (χ2), Test of independence, Jenks natural break, Frequency analysis, Irregular events, Automated expert analysis",
author = "Simon Parkinson and Saad Khan",
year = "2018",
month = "6",
doi = "10.1016/j.jisa.2018.03.003",
language = "English",
volume = "40",
pages = "52--62",
journal = "Journal of Information Security and Applications",
issn = "2214-2126",
publisher = "Elsevier Limited",

}

TY  - JOUR
T1  - Identifying Irregularities in Security Event Logs through an Object-based Chi-squared Test of Independence
AU  - Parkinson, Simon
AU  - Khan, Saad
PY  - 2018/6
Y1  - 2018/6
N2  - A novel technique for identifying irregular event log entries is presented in this paper along with its implementation in a Microsoft Windows-based environment. The motivation behind this research is to identify irregular activity in a system whilst minimising any requirement for expert knowledge, in addition to saving investigative time and computing resources. As the developed solution utilises the standard Microsoft format for event logs, it can work with both live systems and events extracted and stored for off-site analysis. The solution consists of two major steps: first, convert the event logs into an object-based model and second, perform statistical analysis using the Chi-squared (χ2) test of independence and classify mean χ2 values into discrete categories using the Jenks natural breaks method. The event log entries which fail the test of dependence are considered irregular events. It is also shown that the proposed solution poses an advantage over primitive frequency analysis methods as it uses object relationships among event log entries to determine irregularities for locating anomalous activities. Empirical analysis of the solution is performed using event log data from 20 machines and shows promising results by correctly identifying irregular events. Further experimental analysis involving the insertion of synthetic irregular events results in an average accuracy of 85%.
AB  - A novel technique for identifying irregular event log entries is presented in this paper along with its implementation in a Microsoft Windows-based environment. The motivation behind this research is to identify irregular activity in a system whilst minimising any requirement for expert knowledge, in addition to saving investigative time and computing resources. As the developed solution utilises the standard Microsoft format for event logs, it can work with both live systems and events extracted and stored for off-site analysis. The solution consists of two major steps: first, convert the event logs into an object-based model and second, perform statistical analysis using the Chi-squared (χ2) test of independence and classify mean χ2 values into discrete categories using the Jenks natural breaks method. The event log entries which fail the test of dependence are considered irregular events. It is also shown that the proposed solution poses an advantage over primitive frequency analysis methods as it uses object relationships among event log entries to determine irregularities for locating anomalous activities. Empirical analysis of the solution is performed using event log data from 20 machines and shows promising results by correctly identifying irregular events. Further experimental analysis involving the insertion of synthetic irregular events results in an average accuracy of 85%.
KW  - Chi-square (χ2)
KW  - Test of independence
KW  - Jenks natural break
KW  - Frequency analysis
KW  - Irregular events
KW  - Automated expert analysis
UR  - http://www.scopus.com/inward/record.url?scp=85044103144&partnerID=8YFLogxK
U2  - 10.1016/j.jisa.2018.03.003
DO  - 10.1016/j.jisa.2018.03.003
M3  - Article
VL  - 40
SP  - 52
EP  - 62
JO  - Journal of Information Security and Applications
T2  - Journal of Information Security and Applications
JF  - Journal of Information Security and Applications
SN  - 2214-2126
ER  -