Event Abstraction in a Forensic Timeline

Hudan Studiawan*

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-reviewed

Abstract

Event abstraction is the process of extracting the main events from a large set of data, allowing investigators to identify patterns, connections, and anomalies in event logs that may reveal further evidence of malicious activity. In this paper, we investigate the use of event abstraction in a forensic timeline. This work applies the Drain method, a tree-based log parsing approach, and demonstrates its efficiency in producing accurate event abstractions. It also discusses the challenges investigators face in event abstraction and in analysing the abstracted events in a forensic timeline. Finally, this paper presents case studies of web server attacks and builds their event abstractions from a forensic timeline.
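The tree-based abstraction the abstract refers to, shown here as an added example that is not code from the paper and not the reference Drain implementation: a fixed-depth parse tree keyed on token count and leading tokens, a similarity match against the templates stored at the leaf, and Drain's template update that turns differing positions into wildcards. The timeline rows (Apache access and error entries around a credential-guessing burst followed by directory probing), the preprocessing masks, the tree depth and the similarity threshold are all assumptions chosen for the illustration; the paper does not state its own parameters.

```python
"""Simplified Drain-style event abstraction over a small forensic timeline."""
import re
from dataclasses import dataclass, field

WILDCARD = "<*>"

# Assumed preprocessing masks (the paper does not list its own): IPv4 addresses
# and bracketed fields such as timestamps become wildcards before tokenizing.
MASKS = [
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),   # IPv4 address
    re.compile(r"\[[^\]]*\]"),                   # [timestamp], [pid 1234], ...
]


@dataclass
class LogGroup:
    """One abstracted event: its token template and the timeline rows it covers."""
    template: list
    event_ids: list = field(default_factory=list)


class Drain:
    def __init__(self, depth=4, sim_threshold=0.7):
        self.depth = depth          # tree depth counting the root and leaf levels
        self.st = sim_threshold     # minimum token similarity to join a group
        self.root = {}              # token count -> leading token -> ... -> leaf
        self.groups = []

    @staticmethod
    def tokenize(message):
        for rx in MASKS:
            message = rx.sub(WILDCARD, message)
        return message.split()

    def _leaf(self, tokens):
        node = self.root.setdefault(len(tokens), {})
        # Internal levels key on leading tokens; any token containing a digit is
        # routed to the wildcard branch so numbers cannot explode the tree.
        for tok in tokens[: self.depth - 2]:
            key = WILDCARD if any(c.isdigit() for c in tok) else tok
            node = node.setdefault(key, {})
        return node.setdefault("__groups__", [])

    @staticmethod
    def similarity(template, tokens):
        same = sum(1 for a, b in zip(template, tokens) if a == b)
        return same / len(tokens)

    def add(self, event_id, message):
        tokens = self.tokenize(message)
        leaf = self._leaf(tokens)
        best, best_sim = None, 0.0
        for group in leaf:
            sim = self.similarity(group.template, tokens)
            if sim > best_sim:
                best, best_sim = group, sim
        if best is None or best_sim < self.st:
            best = LogGroup(template=list(tokens))
            leaf.append(best)
            self.groups.append(best)
        else:
            # Template update: positions that differ become wildcards.
            best.template = [a if a == b else WILDCARD
                             for a, b in zip(best.template, tokens)]
        best.event_ids.append(event_id)
        return best


def abstract_timeline(events, sim_threshold=0.7):
    """Abstract timeline rows (id, timestamp, source, message) into templates."""
    parser = Drain(sim_threshold=sim_threshold)
    for event_id, _ts, _source, message in events:
        parser.add(event_id, message)
    return [(" ".join(g.template), g.event_ids) for g in parser.groups]


# Constructed sample timeline (not case data from the paper): Apache access and
# error rows around a credential-guessing burst followed by directory probing.
A, E = "apache:access", "apache:error"
TIMELINE = [
    (1, "2023-10-10 13:55:36", A, '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326'),
    (2, "2023-10-10 13:55:37", A, '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 1187'),
    (3, "2023-10-10 14:02:01", A, '198.51.100.23 - - [10/Oct/2023:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 401 512'),
    (4, "2023-10-10 14:02:01", E, '[Tue Oct 10 14:02:01 2023] [auth_basic:error] [pid 1234] [client 198.51.100.23:51234] AH01617: user admin: authentication failure for "/wp-login.php": Password Mismatch'),
    (5, "2023-10-10 14:02:02", A, '198.51.100.23 - - [10/Oct/2023:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 401 512'),
    (6, "2023-10-10 14:02:02", E, '[Tue Oct 10 14:02:02 2023] [auth_basic:error] [pid 1234] [client 198.51.100.23:51236] AH01617: user root: authentication failure for "/wp-login.php": Password Mismatch'),
    (7, "2023-10-10 14:02:03", A, '198.51.100.23 - - [10/Oct/2023:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 401 512'),
    (8, "2023-10-10 14:02:04", A, '198.51.100.23 - - [10/Oct/2023:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0'),
    (9, "2023-10-10 14:03:10", A, '198.51.100.23 - - [10/Oct/2023:14:03:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196'),
    (10, "2023-10-10 14:03:11", A, '198.51.100.23 - - [10/Oct/2023:14:03:11 +0000] "GET /admin/ HTTP/1.1" 404 196'),
]

if __name__ == "__main__":
    for template, ids in abstract_timeline(TIMELINE):
        print(f"{len(ids):2d} events  {template}   rows={ids}")
```

With the default threshold of 0.7 the ten rows collapse to four templates: the normal page fetches, the POST /wp-login.php burst (status and size abstracted away, so the 401s and the final 302 sit in one group), the auth_basic failures with the username abstracted, and the 404 probes. The wildcard positions are exactly where the per-event values an investigator pivots on live (path, status, username), and the masked IP and timestamp are recovered from the original row by event id. The threshold is the check worth running on any new log source: at 0.5 the GET and POST rows share enough fixed tokens (`- - HTTP/1.1"`) to merge into a single access-log template, which hides the attack pattern entirely.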

Original language: English
Title of host publication: Information and Communications Technologies - 2nd International Libyan Conference, ILCICT 2023, Proceedings
Editors: Tammam A. T. Benmusa, Mohamed Samir Elbuni, Ibrahim M. Saleh, Ahmed S. Ashur, Nabil M. Drawil, Issmail M. Ellabib
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 119-129
Number of pages: 11
ISBN (Print): 9783031626234
DOIs
Publication status: Published - 2024
Externally published: Yes
Event: 2nd International Libyan Conference on Information and Communication Technologies, ILCICT 2023 - Tripoli, Libya
Duration: 4 Sept 2023 to 6 Sept 2023

Publication series

Name: Communications in Computer and Information Science
Volume: 2097 CCIS
ISSN (Print): 1865-0929
ISSN (Electronic): 1865-0937

Conference

Conference: 2nd International Libyan Conference on Information and Communication Technologies, ILCICT 2023
Country/Territory: Libya
City: Tripoli
Period: 4/09/23 to 6/09/23

Keywords

  • Drain method
  • event abstraction
  • forensic timeline
  • log parsing
