We present a post-mortem log analysis method based on Temporal Logic (TL), Event Processing Language (EPL), and a reconstruction approach. After showing that the proposed method could be adapted to any misuse event or attack, we specifically investigate the case of web server misuses. To this end, we examine 5 different misuses on WordPress web servers and generate corresponding log files of these attacks for forensic analysis. We then establish attack patterns and formalize them by means of a special case of temporal logic, i.e., many-sorted first-order metric temporal logic (MSFOMTL). Later on, we implement these attack patterns in the EPL and perform experimental log analysis, using a time window mechanism sliding over sorted log records, to evaluate the effectiveness and efficacy of our proposed method. We found that our approach is potentially capable of providing a platform where investigators can define, store, and share misuse patterns using a common language while providing fast and accurate forensic analysis on large log files.
Gunestas, Murat and Bilgin, Zeki, "Log Analysis Using Temporal Logic and Reconstruction Approach: Web Server Case," Journal of Digital Forensics, Security and Law: Vol. 11, Article 3.
Available at: http://commons.erau.edu/jdfsl/vol11/iss2/3