Abstract
An investigator needs to analyze a forensic timeline after a cybersecurity incident has occurred. Log entries from various sources are used to generate a forensic timeline. Finding the anomalous activities recorded in these log records is a difficult task if manual inspection or keyword searches are used. In this work, we propose a method for identifying anomalies in a forensic timeline. We use deep autoencoders as a machine learning technique to establish a baseline for normal activities in log files. Furthermore, we set an anomaly threshold on the reconstruction value based on the constructed baseline. We then plot these anomalous events on a forensic timeline. Our experiments indicate that the proposed method achieves superior performance compared to other log anomaly detection methods, with an overall mean F1 score and accuracy of 94.036% and 96.720%, respectively.
Original language | English |
---|---|
Article number | 103002 |
Journal | Journal of Information Security and Applications |
Volume | 63 |
Publication status | Published - Dec 2021 |
Keywords
- Anomaly detection
- Autoencoders
- Feature extraction
- Forensic timeline