Visualization of System Log Files for Post-incident Analysis and Response
Post-incident analysis of a security event is a complex task due to the volume of data that must be assessed, often within tight temporal constraints. System software, such as operating systems and applications, provides a range of opportunities to record data in log files about interactions with the computer that may provide evidence during an investigation. Data visualization can be used to aid data set interpretation and improve the ability of the analyst to make sense of information. This paper posits a novel methodology that visualizes data from a range of log files to aid the investigation process. In order to demonstrate the applicability of the approach, a case study of the identification and analysis of attacks is presented.
Keywords: Visualization, system logs, triage, intrusion detection
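The abstract describes combining several log sources into one view an analyst can triage quickly. The following is an added illustration of that idea, not code from the paper: it normalises constructed sshd and web-server access log lines into a common event record, merges them into one chronological stream, renders a minute-by-minute text "heat strip" per source, and flags bursts of failures from a single actor. All log lines, field names and the burst threshold are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data (not from the paper): an sshd auth log and a web
# server access log covering the same few minutes on one host.
AUTH_LOG = """\
Mar 11 09:14:02 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar 11 09:14:03 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 41023 ssh2
Mar 11 09:14:05 host sshd[2202]: Failed password for root from 198.51.100.7 port 41030 ssh2
Mar 11 09:14:06 host sshd[2202]: Failed password for root from 198.51.100.7 port 41031 ssh2
Mar 11 09:14:08 host sshd[2203]: Accepted password for alice from 192.0.2.10 port 50100 ssh2
Mar 11 09:16:40 host sshd[2210]: Accepted publickey for bob from 192.0.2.11 port 50200 ssh2
"""

ACCESS_LOG = """\
192.0.2.10 - - [11/Mar/2014:09:13:55 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [11/Mar/2014:09:14:01 +0000] "GET /login HTTP/1.1" 200 301
198.51.100.7 - - [11/Mar/2014:09:14:04 +0000] "POST /login HTTP/1.1" 401 87
198.51.100.7 - - [11/Mar/2014:09:14:07 +0000] "POST /login HTTP/1.1" 401 87
192.0.2.11 - - [11/Mar/2014:09:16:30 +0000] "GET /reports HTTP/1.1" 200 2048
"""

AUTH_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
AUTH_IP_RE = re.compile(r" from (?P<ip>\S+) port ")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_auth(text, year=2014):
    """Normalise sshd lines into common event records (syslog lines carry no year, so it is a parameter)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # skip lines from other daemons or malformed lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        ip_m = AUTH_IP_RE.search(msg)
        outcome = "fail" if msg.startswith("Failed") else "ok" if msg.startswith("Accepted") else "other"
        events.append({"ts": ts, "source": "auth", "actor": ip_m["ip"] if ip_m else "?",
                       "outcome": outcome, "detail": msg})
    return events


def parse_access(text):
    """Normalise common-log-format lines; 401/403 responses count as failures."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Drop the timezone offset so both sources yield naive, comparable timestamps
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        status = int(m["status"])
        outcome = "fail" if status in (401, 403) else "ok" if status < 400 else "other"
        events.append({"ts": ts, "source": "web", "actor": m["ip"],
                       "outcome": outcome, "detail": f"{m['req']} {status}"})
    return events


def merge_timeline(*event_lists):
    """One chronologically ordered stream across all log sources."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


GLYPH = {"fail": "x", "ok": "o", "other": "."}


def render_timeline(events, sources=("auth", "web")):
    """Text heat strip: one row per minute, one glyph per event, grouped by source."""
    rows = defaultdict(lambda: {s: [] for s in sources})
    for e in events:
        rows[e["ts"].strftime("%H:%M")][e["source"]].append(GLYPH[e["outcome"]])
    lines = []
    for minute in sorted(rows):
        cells = "  ".join(f"{s}:{''.join(rows[minute][s]):<8}" for s in sources)
        lines.append(f"{minute}  {cells}")
    return lines


def flag_bursts(events, threshold=3):
    """Triage aid: actors with >= threshold failures from one source within one minute."""
    counts = Counter((e["ts"].strftime("%H:%M"), e["source"], e["actor"])
                     for e in events if e["outcome"] == "fail")
    return sorted((k, n) for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    timeline = merge_timeline(parse_auth(AUTH_LOG), parse_access(ACCESS_LOG))
    print("\n".join(render_timeline(timeline)))
    for (minute, source, actor), n in flag_bursts(timeline):
        print(f"burst: {n} {source} failures from {actor} at {minute}")
```

The per-source rows make the cross-log correlation visible at a glance (a run of `x` glyphs in both the auth and web rows for the same minute), which is what the merged timeline buys over reading each file separately; in practice the same records would feed a plotting library rather than a text strip.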