KIPS Transactions on Computer and Communication Systems (정보처리학회논문지:컴퓨터 및 통신 시스템)

Korea Information Processing Society (한국정보처리학회)
권호 표지
DOI QR코드

DOI QR Code

A Text Mining-based Intrusion Log Recommendation in Digital Forensics

디지털 포렌식에서 텍스트 마이닝 기반 침입 흔적 로그 추천

  • 고수정 (인덕대학교 컴퓨터소프트웨어과)
  • Received : 2013.02.04
  • Accepted : 2013.04.26
  • Published : 2013.06.30
Download PDF
⟨ Previous Next ⟩

Abstract

In digital forensics log files have been stored as a form of large data for the purpose of tracing users' past behaviors. It is difficult for investigators to manually analysis the large log data without clues. In this paper, we propose a text mining technique for extracting intrusion logs from a large log set to recommend reliable evidences to investigators. In the training stage, the proposed method extracts intrusion association words from a training log set by using Apriori algorithm after preprocessing and the probability of intrusion for association words are computed by combining support and confidence. Robinson's method of computing confidences for filtering spam mails is applied to extracting intrusion logs in the proposed method. As the results, the association word knowledge base is constructed by including the weights of the probability of intrusion for association words to improve the accuracy. In the test stage, the probability of intrusion logs and the probability of normal logs in a test log set are computed by Fisher's inverse chi-square classification algorithm based on the association word knowledge base respectively and intrusion logs are extracted from combining the results. Then, the intrusion logs are recommended to investigators. The proposed method uses a training method of clearly analyzing the meaning of data from an unstructured large log data. As the results, it complements the problem of reduction in accuracy caused by data ambiguity. In addition, the proposed method recommends intrusion logs by using Fisher's inverse chi-square classification algorithm. So, it reduces the rate of false positive(FP) and decreases in laborious effort to extract evidences manually.

디지털 포렌식에서의 로그 데이터는 사용자의 과거 행적에 대한 추적을 목적으로 대용량의 형태로 저장된다는 특성을 가지고 있다. 이러한 대용량의 로그 데이터를 단서가 없이 수동으로 분석하는 절차는 조사관들에게는 어려운 일이다. 본 논문에서는 포렌식 분석을 하는 조사관들에게 믿을 만한 증거를 추천하기 위하여 대용량의 로그 집합으로부터 해킹 흔적을 추출하는 텍스트 마이닝 기술을 제안한다. 학습 단계에서는 훈련 로그 집합을 대상으로 전처리를 한 후, Apriori 알고리즘을 이용하여 침입 흔적 연관 단어를 추출하고, 신뢰도와 지지도를 병합하여 각 연관단어의 침입 흔적 확률을 계산한다. 또한, 침입 흔적 확률의 정확도를 높이기 위하여 스팸 메일의 여과에 사용된 Robinson의 신뢰도 계산 방법을 이용하여 확률에 가중치를 추가하며, 최종적으로 침입 흔적 연관 단어 지식 베이스를 구축한다. 테스트 단계에서는 연관 단어 지식 베이스를 기반으로 테스트 로그 집합에 대해 피셔(Fisher)의 역 카이제곱 분류 알고리즘을 적용하여 침입 흔적 로그일 확률과 정상 로그일 확률을 계산하고, 이를 병합하여 침입 흔적 로그를 추출한다. 추출된 로그를 조사관에게 침입 흔적이 있는 로그로서 추천한다. 제안한 방법은 비구조화된 대용량의 로그 데이터를 대상으로 데이터의 의미를 명확하게 분석할 수 있는 학습 방법을 사용함으로써 데이터의 모호성으로 인해 발생하는 정확도 저하 문제를 보완할 수 있으며, 피셔의 역 카이제곱 분류 알고리즘을 이용하여 추천함으로써 오분류율(false positive)을 감소시키고 수동으로 증거를 추출하는 번거로움을 줄일 수 있다는 장점을 갖는다.

Keywords

References

  1. G. Mohay, A. Anderson, B. Collie, O. De Vel, and R. McKemmish, Computer and Intrusion Forensics, Artech House, Norwood, MA, 2003.
  2. Linda Volonino, "Computer forensics and electronic discovery: The new management challenge," Computer & Security, Vol.25, No.2, 2006.
  3. Rayman D. Meservy and James V. Hansen, "Forensic Data Mining: Finding Intrusion Patterns in Evidentiary Data," In Proceedings of Americas Conference on Information Systems(AMCIS), 2010.
  4. Sergio Decherchi, Simone Tacconi, Judith Redi, Alessio Leoncini, Fabio Sangiacomo, and Rodolfo Zunino, "Text Clustering for Digital Forensics Analysis," Journal of Information Assurance and Security 5, 2010.
  5. Nikhil Kumar Singh, Deepak Singh Tomar, and Bhola Nath Ray, "An Approach to Understand the End User Behavior through Log Analysis," International Journal of Computer Application, Vol.5, No.11, 2010.
  6. Tamas Abraham and Olivier de Vel, "Investigative Profiling with Computer Forensic Log Data and Association Rules," In Proceeding of IEEE International Conference on Data Mining(ICDM), 2002.
  7. Jiawei Han, Data Mining:Concepts and Techniques, Morgan Kaufmann, 2001.
  8. Frederic P. Miller, Agnes F. Vandome, and John McBrewster(Ed.), Bayesian spam filtering, Alphascript Publishing, 2010.
  9. Jonathan A. Zdziarski, Ending Spam: Bayesian Content Filtering and the Art of Statistical Language Classification, No starch press, 2005.
  10. Gary Robinson, "A statistical Approach to the Spam Problem," Linux Journal, Vol.107, 2003.
  11. Ramon C. Littell and J. Leroy Folks, "Asymptotic Optimality of Fisher's Method of Combining Independent Tests," Vol.66, No.336, 1971.
  12. Hyukgyu Cho, Heum Park, Hyukchul Kwon, "The Method of Verification for Legal Admissibility of Digital Evidence using the Digital Forensics Ontology," The KIPS transactions:Part D, Vol.16-D, No.2, 2009.
  13. Shaimaa Ezzat Salama and Mohamed I. Marie, "Web Server Logs preprocessing for Web Intrusion Detection," Computer and Information Science, Vol.4, No.4, 2011.
  14. M. Malarvizhi and S. A. Sahaaya Arul Mary, "Preprocessing of Educational Institution Web Log Data for Finding Frequent Patterns using Weighted Association Rule Mining Technique,"European Journal of Scientific Research, Vol.74, No.4, 2012.
  15. Juan Jose Garcia Adeva and Juan Manuel Pikatza Atxa, "Intrusion detection in web applications using text mining," Engineering Applications of Artificial Intelligence, Vol.20, No.4, 2007.
  16. Pang-Ning Tanch, Michael Steinbach, and Vipin Kumar, Introduction to Data Mining, Addison-Wesley, 2006.
  17. G. V. Nadiammai, S. Krishnaveni, and M. Hemalatha, "A Comprehensive Analysis and study in Intrusion Detection System using Data Mining Techniques," International Journal of Computer Applications, Vol.35, No.8, 2011.
  18. Sandhya Peddabachigari, Ajith Abraham, and Johnson Thomas, "Intrusion Detection Systems Using Decision Trees and Support Vecter Machines," International Journal of Applied Science and Computations, Vol.11, No.3, 2004.
  19. Paul Grahamm, "A Plan for Spam," http://paulgraham.com/spam.html, 2002.
  20. B. M. Bolstad, R. A. Irizarry, M. Astrand and T. P. Speed, "A comparison of normalization methods for high density oligonucleotide array data based on variance and bias," Bioinformatics, Vol.19, No.2, 2003.
  21. T. Jayalakshmi and Dr.A.Santhakumaran, "Statistical Normalization and Back Propagation for Classification," International Journal of Computer Theory and Engineering, Vol.3, No.1, 2001.
  22. S. E. Robertson and K. S. Jones, "Relevance Weightting of Search Terms," Journal of the American Society for Information Science, Vol.27, No.3, 1976.
  23. Sang Wook Song, "Using the Receiver Operating Characteristic (ROC) Curve to Measure Sensitivity and Specificity," Korean Journal of Family Med., Vol.30, No.11, 2009.
  24. Herlocker, J., Konstan J., Terveen L., and Riedl J. "Evaluating Collaborative Filtering Recommender Systems," ACM Transactions on Information Systems, Vol.22, No.1, 2004.
  25. J. Kim and S. Choi, "An Improved Bayesian Spam Mail Filter based on Chi-Square Statistics," Proceedings of KFIS Spring Conference 2005, Vol.15, No.1, 2005.