Log Abstraction for Information Security: Heuristics and Reproducibility

Proceedings of the 16th International Conference on Availability, Reliability and Security Pub Date : 2021-08-16 DOI:10.1145/3465481.3470083

R. Copstein, J. Schwartzentruber, N. Zincir-Heywood, M. Heywood

{"title":"Log Abstraction for Information Security: Heuristics and Reproducibility","authors":"R. Copstein, J. Schwartzentruber, N. Zincir-Heywood, M. Heywood","doi":"10.1145/3465481.3470083","DOIUrl":null,"url":null,"abstract":"The collection of log messages regarding the operation of deployed services and application is an integral component to the forensic analysis for the identification and understanding of security incidents. Approaches for parsing and abstraction of such logs, despite widespread use and study, do not directly account for the individualities of the domain of information security. This, in return, limits their applicability on the field. In this work, we analyze the state-of-the-art log parsing and abstraction algorithms from the perspective of information security. First, we reproduce/replicate previous analysis of such algorithms from the literature. Then, we evaluate their ability for parsing and abstraction of log files for forensic analysis purposes. Our study demonstrates that while the state-of-the-art techniques are accurate in log parsing, improvements are necessary in terms of achieving a holistic view to aid in forensic analysis for the identification and understanding of security incidents.","PeriodicalId":417395,"journal":{"name":"Proceedings of the 16th International Conference on Availability, Reliability and Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-08-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 16th International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3465481.3470083","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

The collection of log messages regarding the operation of deployed services and application is an integral component to the forensic analysis for the identification and understanding of security incidents. Approaches for parsing and abstraction of such logs, despite widespread use and study, do not directly account for the individualities of the domain of information security. This, in return, limits their applicability on the field. In this work, we analyze the state-of-the-art log parsing and abstraction algorithms from the perspective of information security. First, we reproduce/replicate previous analysis of such algorithms from the literature. Then, we evaluate their ability for parsing and abstraction of log files for forensic analysis purposes. Our study demonstrates that while the state-of-the-art techniques are accurate in log parsing, improvements are necessary in terms of achieving a holistic view to aid in forensic analysis for the identification and understanding of security incidents.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

信息安全的日志抽象:启发式和可再现性

关于已部署服务和应用程序的操作的日志消息的收集是用于识别和理解安全事件的取证分析的一个组成部分。解析和抽象这些日志的方法，尽管被广泛使用和研究，但并不能直接解释信息安全领域的个性。反过来，这限制了它们在该领域的适用性。在这项工作中，我们从信息安全的角度分析了最先进的日志解析和抽象算法。首先，我们从文献中重现/复制先前对此类算法的分析。然后，我们评估它们解析和抽象日志文件以进行取证分析的能力。我们的研究表明，虽然最先进的技术在日志解析方面是准确的，但在实现整体视图以帮助识别和理解安全事件的取证分析方面，仍有必要进行改进。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Proceedings of the 16th International Conference on Availability, Reliability and Security

自引率

0.00%

发文量