Murdoch University Research Repository


Forensic investigation of event logs by automatic anomaly detection

Studiawan, Hudan (2020) Forensic investigation of event logs by automatic anomaly detection. PhD thesis, Murdoch University.

Attacks on operating systems have become a significant and increasingly common problem. Such security incidents are recorded in forensic artifacts such as log files, which forensic investigators examine to analyze the incident. An anomaly in the logs is highly correlated with an attacker's attempts to compromise the system. This thesis proposes a novel framework to automatically detect anomalies in a forensic timeline constructed from log files. Before anomalies are identified, an automatic log parser is built so that investigators do not need to define a rule-based parser. Parsing is modeled as a named entity recognition problem, and a deep learning technique, the bidirectional long short-term memory network, is used to parse log entries.

This thesis proposes three major methods as the basis of the framework. First, a method for automatic cluster-based anomaly detection is proposed: the anomaly decision is made against a threshold estimated from the clustering results, taking several statistical properties into account, including frequency and inter-arrival rate. Second, anomalies are identified by establishing a baseline model of normal activity from log files; another deep learning technique, the deep autoencoder, is employed to construct the baseline. Third, this research proposes anomaly detection based on sentiment analysis of log messages, where a negative sentiment means that the investigated log entry is an anomaly. Two models, an attention-based deep network and a gated recurrent unit, are proposed to perform the sentiment analysis. This work also addresses the class imbalance in the log data using the Tomek link method.

Finally, a fusion technique combines the three major methods, using weighted majority voting for the final anomaly decision. The detection results are then displayed in a forensic timeline to assist investigators. Experiments on various public datasets indicate that the proposed framework achieves superior performance compared to other log anomaly detection methods.
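The following is an added illustration, not code from the thesis, of two ideas the abstract describes: a cluster-based anomaly threshold derived from per-cluster frequency and arrival rate, and weighted majority voting that fuses several detectors into one decision. The log lines, the reference period, the detector weights and the threshold rule (mean plus one population standard deviation across clusters) are all constructed assumptions. The digit-masking parser, the keyword "sentiment" detector and the set-membership "baseline" detector are deliberately simple stand-ins for the BiLSTM parser, the attention/GRU sentiment models and the deep autoencoder baseline that the thesis actually proposes.

```python
"""Cluster-based anomaly scoring plus weighted-vote fusion over constructed
log lines. Added example; not code from the thesis or its author."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from any dataset used in the thesis):
# a few normal logins, a cron job, a burst of failed root logins, and a
# benign kernel message that merely contains the word "error".
SAMPLE_LOG = """\
2024-01-01 10:00:00 sshd[101]: Accepted password for alice from 10.0.0.5
2024-01-01 10:00:30 sshd[102]: Accepted password for bob from 10.0.0.6
2024-01-01 10:01:00 sshd[103]: Accepted password for carol from 10.0.0.7
2024-01-01 10:01:30 sshd[104]: Accepted password for dave from 10.0.0.8
2024-01-01 10:02:00 cron[200]: (root) CMD (run-parts /etc/cron.hourly)
2024-01-01 10:02:01 sshd[105]: Failed password for root from 203.0.113.9
2024-01-01 10:02:02 sshd[106]: Failed password for root from 203.0.113.9
2024-01-01 10:02:03 sshd[107]: Failed password for root from 203.0.113.9
2024-01-01 10:02:04 sshd[108]: Failed password for root from 203.0.113.9
2024-01-01 10:02:05 sshd[109]: Failed password for root from 203.0.113.9
2024-01-01 10:02:06 sshd[110]: Failed password for root from 203.0.113.9
2024-01-01 10:02:07 sshd[111]: Failed password for root from 203.0.113.9
2024-01-01 10:02:08 sshd[112]: Failed password for root from 203.0.113.9
2024-01-01 10:03:00 kernel: usb 1-1: device descriptor read/64, error -110
""".splitlines()

# Constructed "clean" reference period; its templates form the baseline stand-in.
REFERENCE_LOG = """\
2023-12-31 09:00:00 sshd[11]: Accepted password for alice from 10.0.0.5
2023-12-31 09:05:00 cron[12]: (root) CMD (run-parts /etc/cron.hourly)
2023-12-31 09:06:00 kernel: usb 1-2: device descriptor read/64, error -110
""".splitlines()

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
NEGATIVE_WORDS = {"failed", "denied", "error", "invalid", "refused"}  # assumed
WEIGHTS = {"cluster": 0.4, "baseline": 0.3, "sentiment": 0.3}  # assumed


def parse_line(line):
    """Return (timestamp, template). Digit runs and the target of 'for <user>'
    are masked so lines of the same event type collapse into one cluster.
    This is a crude stand-in for the learned parser described in the abstract."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    template = re.sub(r"\d+", "<*>", m.group(2))
    template = re.sub(r"\bfor \S+", "for <*>", template)
    return ts, template


def cluster_log(lines):
    """Group timestamps by template; each template is one cluster."""
    clusters = defaultdict(list)
    for line in lines:
        ts, template = parse_line(line)
        clusters[template].append(ts)
    return clusters


def cluster_features(timestamps):
    """Frequency (event count) and arrival rate (events per second over the
    cluster's time span; 0.0 for a single event, where no span exists)."""
    ts = sorted(timestamps)
    span = (ts[-1] - ts[0]).total_seconds()
    return len(ts), (len(ts) / span if span > 0 else 0.0)


def estimate_threshold(values, k=1.0):
    """Threshold estimated from the clustering results themselves."""
    return statistics.mean(values) + k * statistics.pstdev(values)


def cluster_anomalies(clusters, k=1.0):
    """Templates whose frequency or arrival rate exceeds the estimated threshold."""
    feats = {t: cluster_features(ts) for t, ts in clusters.items()}
    freq_thr = estimate_threshold([f for f, _ in feats.values()], k)
    rate_thr = estimate_threshold([r for _, r in feats.values()], k)
    return {t for t, (f, r) in feats.items() if f > freq_thr or r > rate_thr}


def keyword_sentiment_vote(template):
    """Stand-in for the sentiment model: any negative word votes 'anomaly'."""
    words = set(re.findall(r"[a-z]+", template.lower()))
    return bool(words & NEGATIVE_WORDS)


def baseline_vote(template, known_normal):
    """Stand-in for the autoencoder baseline: unseen templates vote 'anomaly'."""
    return template not in known_normal


def weighted_majority_vote(votes, weights):
    """True when the weight of detectors voting 'anomaly' exceeds half the total."""
    total = sum(weights.values())
    flagged = sum(weights[d] for d, v in votes.items() if v)
    return flagged > total / 2


KNOWN_NORMAL = {parse_line(line)[1] for line in REFERENCE_LOG}


def detect(lines, known_normal, weights=WEIGHTS):
    """Fuse the three detectors per line; returns [(line, is_anomaly), ...]."""
    flagged_templates = cluster_anomalies(cluster_log(lines))
    results = []
    for line in lines:
        _, template = parse_line(line)
        votes = {
            "cluster": template in flagged_templates,
            "baseline": baseline_vote(template, known_normal),
            "sentiment": keyword_sentiment_vote(template),
        }
        results.append((line, weighted_majority_vote(votes, weights)))
    return results


if __name__ == "__main__":
    for line, anomalous in detect(SAMPLE_LOG, KNOWN_NORMAL):
        print("ANOMALY" if anomalous else "normal ", line)
```

With the constructed input, only the burst of failed logins crosses both the frequency and the rate threshold, and all three detectors agree on it. The kernel line shows why fusion matters: the keyword detector alone votes "anomaly", but its weight (0.3) is below the majority, so the timeline would not flag a benign message just for containing "error".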

Item Type: Thesis (PhD)
Murdoch Affiliation(s): Information Technology, Mathematics and Statistics
Supervisor(s): Sohel, Ferdous and Payne, Christian