Title Forensic examination of log files
Author Petersen, Jóan Petur (Intelligent Signal Processing, Informatics and Mathematical Modelling, Technical University of Denmark, DTU, DK-2800 Kgs. Lyngby, Denmark)
Supervisor Sharp, Robin (Informatics and Mathematical Modelling, Technical University of Denmark, DTU, DK-2800 Kgs. Lyngby, Denmark)
Institution Technical University of Denmark, DTU, DK-2800 Kgs. Lyngby, Denmark
Thesis level Master's thesis
Year 2005
Abstract Forensic examination of logs plays a big role in modern computer security, but it has become a time-consuming and daunting task due to the sheer amount of data involved. It is therefore necessary to make specialized tools to aid the investigation, so that the digital evidence can be extracted in a fast and efficient manner. In this thesis a system is developed that can identify malicious traffic in router logs on a log entry level. This is done using specialized feature extractors and a classifier based on a neural network. The system is developed for Network logs, and problems associated with flows are investigated, such as how unidirectional flows should be handled. As a proof of concept, the system is developed to detect host scans. This is done using real router log data, and log data derived from the 1999 DARPA Intrusion Detection Evaluation data set. The system could easily be extended to detect other kinds of malicious traffic, such as Denial of Service attacks and probes other than the host scan. New contributions in this thesis are the use of artificial neural networks to classify router logs, classification of each log entry, and development of feature extractors for Netflow logs.
Imprint Informatics and Mathematical Modelling, Technical University of Denmark, DTU : DK-2800 Kgs. Lyngby, Denmark
Pages 77
Keywords Network Forensics; Log Analysis; NetFlow; Probing; Denial of Service; Flow Classification; Feature Extraction; Traffic Aggregation
Fulltext
Derived PDF imm3589.pdf (0.40 MB)
Original Postscript imm3589.ps (0.78 MB)
Admin Creation date: 2006-06-22    Update date: 2012-12-19    Source: dtu    ID: 185867    Original MXD