• DocumentCode
    651580
  • Title
    A Method to Automatically Filter Log Evidences for Intrusion Forensics
  • Author
    Jian Zhang ; Xiao Fu ; Xiaojiang Du ; Bin Luo ; Zhihong Zhao
  • Author_Institution
    Software Inst., Nanjing Univ., Nanjing, China
  • fYear
    2013
  • fDate
    8-11 July 2013
  • Firstpage
    39
  • Lastpage
    44
  • Abstract
    An important data source for intrusion forensics is the various types of logs produced by the systems and networks under investigation. Using these logs for forensic analysis, however, still raises several problems. First, as computers and the Internet have developed, intrusions involve more types and larger quantities of logs, and this mass of complex log evidence overwhelms forensic analysts. Second, among the large number of log records investigators must analyze, the data related to criminal behavior accounts for only a very small proportion; most of the rest are useless records produced by normal activity. The large volume of forensic data and the high proportion of useless records make it very difficult to investigate and collect evidence, and criminal behavior buried in a large amount of useless records is easily overlooked. This paper introduces a new method for reducing the set of candidate log evidence for intrusion forensics. Its main idea is to extract key attribute fields as features of each log record and to assign each record a score that indicates its degree of redundancy: the higher the score, the more likely the record is redundant. Experiments on the DARPA 2000 data set and on real-world Snort data show that the method significantly reduces the interference that useless data causes in forensic analysis: it removes 57% of the useless data in DARPA 2000 and 82% in the real-world Snort data.
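    The abstract describes the approach only in outline (key attribute fields as features, a per-record redundancy score, filtering of high-scoring records). The following is an added illustration written for this page, not the authors' algorithm or code: it parses constructed Snort "alert_fast" lines, uses the assumed key fields (signature ID, protocol, source IP, destination IP, destination port) as the feature tuple, scores each record by the share of all records that carry the same tuple, and drops records above an assumed threshold while keeping the first occurrence of each tuple so that no class of evidence disappears entirely. The field choice, scoring formula, threshold and keep-first rule are all editorial assumptions.

```python
"""Added example (editorial illustration, not the paper's method): redundancy
scoring of Snort alert_fast records by key attribute fields."""
import re
from collections import Counter
from dataclasses import dataclass

# Snort alert_fast is a real output format; the lines below are CONSTRUCTED
# for this example and do not come from the paper's data sets.
SAMPLE_LOG = """\
07/08-10:01:02.100000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:4444 -> 192.168.1.20:51234
07/08-10:01:05.200000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.30 -> 192.168.1.1
07/08-10:01:06.200000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.30 -> 192.168.1.1
07/08-10:01:07.200000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.30 -> 192.168.1.1
07/08-10:01:08.200000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.30 -> 192.168.1.1
07/08-10:01:09.200000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.30 -> 192.168.1.1
07/08-10:01:10.200000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.30 -> 192.168.1.1
07/08-10:02:10.000000  [**] [1:1122:6] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40211 -> 192.168.1.20:80
07/08-10:02:11.000000  [**] [1:1122:6] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40212 -> 192.168.1.20:80
07/08-10:03:00.000000  [**] [1:1000001:1] LOCAL outbound shell to unusual port [**] [Priority: 1] {TCP} 192.168.1.20:51300 -> 10.0.0.5:4444
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification,
# priority, {proto}, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class Record:
    line: str
    features: tuple  # assumed key fields: (sid, proto, src_ip, dst_ip, dst_port)


def parse_record(line):
    """Parse one alert_fast line into a Record, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    # Source port is deliberately left out: ephemeral ports differ per
    # connection and would defeat grouping of otherwise identical alerts.
    return Record(line.strip(), (m["sid"], m["proto"], m["src"], m["dst"], m["dport"] or ""))


def load_records(text):
    """Parse all lines, silently skipping those that are not alert_fast records."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r is not None]


def score_records(records):
    """Assumed redundancy score: fraction of all records sharing this record's
    feature tuple (0 < score <= 1). Higher means more likely redundant."""
    counts = Counter(r.features for r in records)
    n = len(records)
    return [(r, counts[r.features] / n) for r in records]


def filter_redundant(records, threshold):
    """Drop records whose score exceeds the threshold, but always keep the first
    occurrence of each feature tuple so the analyst still sees that it happened."""
    seen, kept = set(), []
    for r, score in score_records(records):
        first = r.features not in seen
        seen.add(r.features)
        if score > threshold and not first:
            continue
        kept.append(r)
    return kept


def reduction_ratio(records, kept):
    """Share of the input removed by filtering (the abstract reports 57% / 82%)."""
    return 1 - len(kept) / len(records)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    kept = filter_redundant(recs, threshold=0.3)
    print(f"{len(recs)} records in, {len(kept)} kept, "
          f"{reduction_ratio(recs, kept):.0%} removed")
    for r in kept:
        print(r.line)
```

    On the constructed input, the six identical ICMP PING alerts score 0.6 and collapse to one representative, the two /etc/passwd requests score 0.2 and both survive, and the two single alerts (the id-check response and the outbound shell, which together describe the intrusion) are untouched; the example removes 50% of the input. The threshold trades reduction against the risk of hiding a repeated but relevant event, which is why the first occurrence of every tuple is retained regardless of score.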
  • Keywords
    digital forensics; Darpa2000; Internet; Snort real-world data; candidate log evidence reduction; criminal behaviors; interference reduction; intrusion forensics; log evidences filtering; Algorithm design and analysis; Educational institutions; Feature extraction; Forensics; Itemsets; Software; Darpa2000; Snort real-world data; intrusion forensics; log evidences;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Distributed Computing Systems Workshops (ICDCSW), 2013 IEEE 33rd International Conference on
  • Conference_Location
    Philadelphia, PA
  • Print_ISBN
    978-1-4799-3247-4
  • Type
    conf
  • DOI
    10.1109/ICDCSW.2013.7
  • Filename
    6679860