Anomaly detection in a forensic timeline with deep autoencoders

Hudan Studiawan*, Ferdous Sohel

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

18 Citations (Scopus)

Abstract

An investigator needs to analyze a forensic timeline after a cybersecurity incident has occurred. Log entries from various sources are used to generate a forensic timeline. Finding the anomalous activities recorded in these log records is a difficult task if manual inspection or keyword searches are used. In this work, we propose a method for identifying anomalies in a forensic timeline. We use deep autoencoders as a machine learning technique to establish a baseline for normal activities in log files. We then set an anomaly threshold on the reconstruction error, derived from this baseline, and plot the events that exceed it on the forensic timeline. Our experiments indicate that the proposed method achieves superior performance compared to other log anomaly detection methods, with an overall mean F1 score and accuracy of 94.036% and 96.720%, respectively.
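The abstract describes a four-step pipeline: turn log entries into feature vectors, train an autoencoder on normal entries to form a baseline, derive an anomaly threshold on the reconstruction error from that baseline, and mark entries above the threshold on the timeline. The following is an added illustration of that pipeline and is not the authors' code: it uses a single-hidden-layer tanh autoencoder written in pure Python as a stand-in for the paper's deep autoencoder, bag-of-tokens features with an out-of-vocabulary flag, and a threshold rule of mean plus three standard deviations of the baseline error. The log lines, the feature scheme and the threshold rule are all assumptions made for the example, not details taken from the paper.

```python
"""Simplified autoencoder anomaly detection over a log-derived timeline.

Added example, not the authors' code.  A one-hidden-layer autoencoder stands in
for the deep autoencoder of the paper; the log lines, features and threshold
rule are assumptions made for this illustration.
"""
import math
import random
import statistics

# Constructed sample log lines (timestamp, message); not taken from the paper.
BASELINE_LOGS = [
    ("2021-12-01T08:00:00", "sshd accepted password for alice"),
    ("2021-12-01T08:05:00", "cron session opened for alice"),
    ("2021-12-01T09:00:00", "sshd accepted password for bob"),
    ("2021-12-01T09:05:00", "cron session opened for bob"),
    ("2021-12-01T10:00:00", "sshd accepted password for alice"),
    ("2021-12-01T10:05:00", "cron session closed for alice"),
]
TIMELINE_LOGS = [
    ("2021-12-02T08:00:00", "sshd accepted password for bob"),
    ("2021-12-02T03:14:00", "sshd failed password for root from 203.0.113.9"),
    ("2021-12-02T08:05:00", "cron session opened for bob"),
]


def tokenize(message):
    return message.lower().split()


def build_vocab(logs):
    """Vocabulary of tokens seen in the baseline (normal) log entries."""
    return sorted({tok for _, msg in logs for tok in tokenize(msg)})


def featurize(message, vocab):
    """Binary bag-of-tokens vector plus one flag for any unseen token."""
    toks = set(tokenize(message))
    vec = [1.0 if tok in toks else 0.0 for tok in vocab]
    vec.append(1.0 if toks - set(vocab) else 0.0)
    return vec


class TinyAutoencoder:
    """Encoder: tanh(W1 x + b1).  Decoder: W2 h + b2.  Loss: squared error."""

    def __init__(self, n_in, n_hidden, seed=0):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.1, 0.1) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [[rng.uniform(-0.1, 0.1) for _ in range(n_hidden)] for _ in range(n_in)]
        self.b2 = [0.0] * n_in

    def forward(self, x):
        h = [math.tanh(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(self.w1, self.b1)]
        y = [sum(w * hi for w, hi in zip(row, h)) + b for row, b in zip(self.w2, self.b2)]
        return h, y

    def reconstruction_error(self, x):
        _, y = self.forward(x)
        return sum((yi - xi) ** 2 for yi, xi in zip(y, x))

    def train(self, xs, epochs=5000, lr=0.1, seed=0):
        """Plain per-sample gradient descent with hand-derived backprop."""
        rng = random.Random(seed)
        order = list(xs)
        for _ in range(epochs):
            rng.shuffle(order)
            for x in order:
                h, y = self.forward(x)
                dy = [2 * (yi - xi) for yi, xi in zip(y, x)]
                dh = [sum(self.w2[o][j] * dy[o] for o in range(len(dy))) for j in range(len(h))]
                dz = [dhj * (1 - hj * hj) for dhj, hj in zip(dh, h)]  # tanh derivative
                for o in range(len(dy)):
                    for j in range(len(h)):
                        self.w2[o][j] -= lr * dy[o] * h[j]
                    self.b2[o] -= lr * dy[o]
                for j in range(len(h)):
                    for i in range(len(x)):
                        self.w1[j][i] -= lr * dz[j] * x[i]
                    self.b1[j] -= lr * dz[j]


def fit_baseline(baseline_logs, n_hidden=4):
    """Train on normal entries and derive the anomaly threshold from them."""
    vocab = build_vocab(baseline_logs)
    xs = [featurize(msg, vocab) for _, msg in baseline_logs]
    ae = TinyAutoencoder(len(xs[0]), n_hidden)
    ae.train(xs)
    errors = [ae.reconstruction_error(x) for x in xs]
    # Assumed threshold rule: mean + 3 * std of baseline reconstruction error.
    threshold = statistics.mean(errors) + 3 * statistics.pstdev(errors)
    return ae, vocab, threshold


def flag_timeline(logs, ae, vocab, threshold):
    """Score each entry and return (timestamp, message, error, is_anomaly) in time order."""
    rows = []
    for ts, msg in logs:
        err = ae.reconstruction_error(featurize(msg, vocab))
        rows.append((ts, msg, err, err > threshold))
    return sorted(rows)


if __name__ == "__main__":
    ae, vocab, thr = fit_baseline(BASELINE_LOGS)
    print(f"baseline threshold = {thr:.4f}")
    for ts, msg, err, flagged in flag_timeline(TIMELINE_LOGS, ae, vocab, thr):
        print(f"{ts}  {'ANOMALY' if flagged else 'normal '}  err={err:.4f}  {msg}")
```

The failed-login line scores far above the baseline threshold because its token pattern (no known user, several unseen tokens) cannot be reconstructed from the bottleneck learned on normal activity, while the two routine entries reproduce their training-time error and stay below it. Sorting by timestamp is what turns the scored entries into the timeline view the paper describes; a real deployment would use the paper's deep network and a much larger baseline, but the threshold-on-reconstruction-error logic is the same.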

Original language: English
Article number: 103002
Journal: Journal of Information Security and Applications
Volume: 63
DOIs
Publication status: Published - Dec 2021

Keywords

  • Anomaly detection
  • Autoencoders
  • Feature extraction
  • Forensic timeline
