Standard

Analysis of Operating System Event Logs when Investigating Information Security Incidents. / Stepanenko, Dmitry V.; Stoychin, Krasimir L.; Shevchenko, Daria V.
Proceedings - 2023 IEEE Ural-Siberian Conference on Biomedical Engineering, Radioelectronics and Information Technology, USBEREIT 2023: book. Institute of Electrical and Electronics Engineers Inc., 2023. pp. 313-315.

Research output: Chapter in book, report or collection of articles; Conference proceedings; Peer-reviewed

Harvard

Stepanenko, DV, Stoychin, KL & Shevchenko, DV 2023, Analysis of Operating System Event Logs when Investigating Information Security Incidents. in Proceedings - 2023 IEEE Ural-Siberian Conference on Biomedical Engineering, Radioelectronics and Information Technology, USBEREIT 2023: book. Institute of Electrical and Electronics Engineers Inc., pp. 313-315, International Conference 2023 Ural-Siberian Conference on Biomedical Engineering, Radioelectronics and Information Technology (USBEREIT 2023), Yekaterinburg, Russian Federation, 15/05/2023. https://doi.org/10.1109/USBEREIT58508.2023.10158875

APA

Stepanenko, D. V., Stoychin, K. L., & Shevchenko, D. V. (2023). Analysis of Operating System Event Logs when Investigating Information Security Incidents. In Proceedings - 2023 IEEE Ural-Siberian Conference on Biomedical Engineering, Radioelectronics and Information Technology, USBEREIT 2023: book (pp. 313-315). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/USBEREIT58508.2023.10158875

Vancouver

Stepanenko DV, Stoychin KL, Shevchenko DV. Analysis of Operating System Event Logs when Investigating Information Security Incidents. In Proceedings - 2023 IEEE Ural-Siberian Conference on Biomedical Engineering, Radioelectronics and Information Technology, USBEREIT 2023: book. Institute of Electrical and Electronics Engineers Inc. 2023. pp. 313-315. doi: 10.1109/USBEREIT58508.2023.10158875

Author

Stepanenko, Dmitry V.; Stoychin, Krasimir L.; Shevchenko, Daria V. / Analysis of Operating System Event Logs when Investigating Information Security Incidents. Proceedings - 2023 IEEE Ural-Siberian Conference on Biomedical Engineering, Radioelectronics and Information Technology, USBEREIT 2023: book. Institute of Electrical and Electronics Engineers Inc., 2023. pp. 313-315

BibTeX

@inproceedings{63354f7fc7b54cccb4ecc614b6e190c5,
title = "Analysis of Operating System Event Logs when Investigating Information Security Incidents",
abstract = "The article proposes a method based on the analysis of the event logs of the Linux operating system, which allows you to automatically detect information security events. The method consists of sequentially implemented steps: reading event logs into single data arrays, clustering and classifying event log entries by available attributes based on regular expressions. Based on the results of the classification of records, histograms of the distribution of information security events by day are formed, which allow us to assess the need for advanced data analysis on the carrier (on the device) where the incident occurred. In addition, the analysis of the existing basic clustering algorithms on the affected topic was carried out, their quantitative and qualitative assessment was given. Separately, emphasis is placed on the use of the ELK Stack (Elasticsearch, Logstash, and Kibana) framework as a set of components that provide convenient centralized logging from different servers and data centers.",
author = "Stepanenko, {Dmitry v.} and Stoychin, {Krasimir l.} and Shevchenko, {Daria v.}",
year = "2023",
month = may,
day = "15",
doi = "10.1109/USBEREIT58508.2023.10158875",
language = "English",
pages = "313--315",
booktitle = "Proceedings - 2023 IEEE Ural-Siberian Conference on Biomedical Engineering, Radioelectronics and Information Technology, USBEREIT 2023",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
address = "United States",
note = "2023 IEEE Ural-Siberian Conference on Biomedical Engineering, Radioelectronics and Information Technology (USBEREIT) ; Conference date: 15-05-2023 Through 17-05-2023",
}

RIS

TY - GEN

T1 - Analysis of Operating System Event Logs when Investigating Information Security Incidents

AU - Stepanenko, Dmitry v.

AU - Stoychin, Krasimir l.

AU - Shevchenko, Daria v.

PY - 2023/5/15

Y1 - 2023/5/15

N2 - The article proposes a method based on the analysis of the event logs of the Linux operating system, which allows you to automatically detect information security events. The method consists of sequentially implemented steps: reading event logs into single data arrays, clustering and classifying event log entries by available attributes based on regular expressions. Based on the results of the classification of records, histograms of the distribution of information security events by day are formed, which allow us to assess the need for advanced data analysis on the carrier (on the device) where the incident occurred. In addition, the analysis of the existing basic clustering algorithms on the affected topic was carried out, their quantitative and qualitative assessment was given. Separately, emphasis is placed on the use of the ELK Stack (Elasticsearch, Logstash, and Kibana) framework as a set of components that provide convenient centralized logging from different servers and data centers.

AB - The article proposes a method based on the analysis of the event logs of the Linux operating system, which allows you to automatically detect information security events. The method consists of sequentially implemented steps: reading event logs into single data arrays, clustering and classifying event log entries by available attributes based on regular expressions. Based on the results of the classification of records, histograms of the distribution of information security events by day are formed, which allow us to assess the need for advanced data analysis on the carrier (on the device) where the incident occurred. In addition, the analysis of the existing basic clustering algorithms on the affected topic was carried out, their quantitative and qualitative assessment was given. Separately, emphasis is placed on the use of the ELK Stack (Elasticsearch, Logstash, and Kibana) framework as a set of components that provide convenient centralized logging from different servers and data centers.

UR - http://www.scopus.com/inward/record.url?partnerID=8YFLogxK&scp=85164958542

U2 - 10.1109/USBEREIT58508.2023.10158875

DO - 10.1109/USBEREIT58508.2023.10158875

M3 - Conference contribution

SP - 313

EP - 315

BT - Proceedings - 2023 IEEE Ural-Siberian Conference on Biomedical Engineering, Radioelectronics and Information Technology, USBEREIT 2023

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2023 IEEE Ural-Siberian Conference on Biomedical Engineering, Radioelectronics and Information Technology (USBEREIT)

Y2 - 15 May 2023 through 17 May 2023

ER -

ID: 41988540