Automatic Event Log Abstraction to Support Forensic Investigation

Hudan Studiawan, Ferdous Sohel, Christian Payne

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

13 Citations (Scopus)

Abstract

Abstraction of event logs is the creation of a template that contains the most common words representing all members in a group of event log entries. Abstraction helps forensic investigators obtain an overall view of the main events in a log file. Existing log abstraction methods require user input parameters. This manual input is time consuming due to the need to identify the best parameters, especially when a log file is large. We propose an automatic method to facilitate event log abstraction, avoiding the need for the user to manually identify suitable parameters. We model event logs as a graph and propose a new graph clustering approach to group log entries. The abstraction is then extracted from each cluster. Experimental results show that the proposed method achieves superior performance compared to existing approaches, with an F-measure of 95.35%.
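To make the notion of an abstraction concrete, the following added example (not the paper's code) builds a template from each cluster of log entries by keeping the tokens every member shares and replacing the rest with a wildcard. The clustering step is a deliberately simple stand-in (grouping by token count and process name) assumed here for illustration; the paper's contribution is replacing it with parameter-free graph clustering, and the log lines are constructed samples.

```python
"""Added example: extracting an abstraction (template) from clusters of
event log entries. The clustering is a naive stand-in, not the paper's
graph clustering; only the abstraction step mirrors the idea described."""
from collections import Counter, defaultdict

# Constructed syslog-like sample lines (not taken from the paper).
SAMPLE_LOG = [
    "sshd[2001]: Failed password for root from 10.0.0.5 port 50112 ssh2",
    "sshd[2002]: Failed password for admin from 10.0.0.9 port 50244 ssh2",
    "sshd[2003]: Failed password for guest from 10.0.0.7 port 50391 ssh2",
    "cron[311]: (root) CMD (run-parts /etc/cron.hourly)",
    "cron[312]: (root) CMD (run-parts /etc/cron.daily)",
]


def tokenize(line):
    """Whitespace tokenisation; one token per position in the template."""
    return line.split()


def naive_cluster(lines):
    """Stand-in clustering (assumption, not the paper's method): group
    entries by token count and by process name, i.e. the first token
    with its '[pid]:' suffix removed."""
    groups = defaultdict(list)
    for line in lines:
        toks = tokenize(line)
        process = toks[0].split("[")[0]
        groups[(len(toks), process)].append(toks)
    return list(groups.values())


def abstract_cluster(token_lists, wildcard="*"):
    """Template for one cluster: a token position is kept when every
    member agrees on it, otherwise it becomes the wildcard."""
    template = []
    for position in zip(*token_lists):
        token, freq = Counter(position).most_common(1)[0]
        template.append(token if freq == len(token_lists) else wildcard)
    return " ".join(template)


def abstract_log(lines):
    """Return (template, member_count) pairs, one per cluster."""
    return [(abstract_cluster(c), len(c)) for c in naive_cluster(lines)]


if __name__ == "__main__":
    for template, n in abstract_log(SAMPLE_LOG):
        print(f"{n:>3} x {template}")
```

Each template stands for a group of entries, so an investigator reads two lines instead of five; the variable fields (pid, user, source address, port) are exactly the wildcards.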

Original language: English
Title of host publication: Proceedings of the Australasian Computer Science Week Multiconference 2020, ACSW 2020
Publisher: Association for Computing Machinery
ISBN (Electronic): 9781450376976
DOIs
Publication status: Published - 4 Feb 2020
Externally published: Yes
Event: 2020 Australasian Computer Science Week Multiconference, ACSW 2020 - Melbourne, Australia
Duration: 3 Feb 2020 to 7 Feb 2020

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 2020 Australasian Computer Science Week Multiconference, ACSW 2020
Country/Territory: Australia
City: Melbourne
Period: 3/02/20 to 7/02/20

Keywords

  • event log
  • graph clustering
  • log abstraction
  • log forensics
