Audit Logs Research Articles

Multisource log audit system based on cluster

With the expanding of network size,the transacting capability of the single log server in log audit system is limited,which has already become the bottleneck of that system.To address this problem,a log server cluster equipped with the features of high availability and load balancing,was introduced and a log audit system based on cluster was presented.The system architecture,the structure model of the system and the main modules were described,and a dynamic load balancing algorithm with synthetic loading statistic was provided.Finally,the performance of the log server cluster system was analyzed with the queue theory.

Electronic Medical Records, HIPAA, and Patient Privacy

The continued growth of healthcare information systems (HCIS) promises to improve quality of care, lower costs, and streamline the entire healthcare system. But the resulting dependence on electronic medical records (EMRs) has also kindled patient concern about who has access to sensitive medical records. Healthcare organizations are obliged to protect patient records under HIPAA. The purpose of this study is to develop a formal privacy policy to protect the privacy and security of EMRs. This article describes the impact of EMRs and HIPAA on patient privacy in healthcare. It proposes access control and audit log policies to safeguard patient privacy. To illustrate the best practices in the healthcare industry, this article presents the case of the University of Texas M. D. Anderson Cancer Center. The case demonstrates that it is critical for a healthcare organization to have a privacy policy.

Reconstructing system state for intrusion analysis

The analysis of a compromised system is a time-consuming and error-prone task today because commodity operating systems provide limited auditing facilities. We have been developing an operating-system level auditing system called Forensix that captures a high-resolution image of all system activities so that detailed analysis can be performed after an attack is detected. The challenge with this approach is that the large amount of audit data generated can overwhelm analysis tools. In this paper, we describe a technique that helps generate a time-line of the state of the system. This technique, based on preprocessing the audit log, simplifies the implementation of the analysis queries and enables running the analysis tools interactively on large data sets.

Detecting anomalous access patterns in relational databases

A considerable effort has been recently devoted to the development of Database Management Systems (DBMS) which guarantee high assurance and security. An important component of any strong security solution is represented by Intrusion Detection (ID) techniques, able to detect anomalous behavior of applications and users. To date, however, there have been few ID mechanisms proposed which are specifically tailored to function within the DBMS. In this paper, we propose such a mechanism. Our approach is based on mining SQL queries stored in database audit log files. The result of the mining process is used to form profiles that can model normal database access behavior and identify intruders. We consider two different scenarios while addressing the problem. In the first case, we assume that the database has a Role Based Access Control (RBAC) model in place. Under a RBAC system permissions are associated with roles, grouping several users, rather than with single users. Our ID system is able to determine role intruders, that is, individuals while holding a specific role, behave differently than expected. An important advantage of providing an ID technique specifically tailored to RBAC databases is that it can help in protecting against insider threats. Furthermore, the existence of roles makes our approach usable even for databases with large user population. In the second scenario, we assume that there are no roles associated with users of the database. In this case, we look directly at the behavior of the users. We employ clustering algorithms to form concise profiles representing normal user behavior. For detection, we either use these clustered profiles as the roles or employ outlier detection techniques to identify behavior that deviates from the profiles. Our preliminary experimental evaluation on both real and synthetic database traces shows that our methods work well in practical situations.

Emergency Department Access to a Longitudinal Medical Record

Our goal is to assess how clinical information from previous visits is used in the emergency department. We used detailed user audit logs to measure access to different data types. We found that clinician-authored notes and laboratory and radiology data were used most often (common data types were used up to 5% to 20% of the time). Data were accessed less than half the time (up to 20% to 50%) even when the user was alerted to the presence of data. Our access rate indicates that health information exchange projects should be conservative in estimating how often shared data will be used and the wide breadth of data accessed indicates that although a clinical summary is likely to be useful, an ideal solution will supply a broad variety of data.

Extracting Evidences from Filesystem Activity Using Bayesian Network

This research aims to ascertain fi lesystem access patterns produced by different application programs, and evaluates their potential utility in improving digital forensic analyses. The access patterns produced by the proposed methodology can serve as a decision support system for determining the possible execution of certain applications in the event of computer misuse. For this purpose, we propose the use of a causal Bayesian network that summarizes the most important relationships among integral parameters relating to fi lesystem activities such as access, creation, modifi cation, fi le deletion, audit logs, registry entries and the manner in which the applications manipulate these parameters. Determining the state of a fi lesystem at a particular period of time is vital for conducting digital forensic analyses. Herein, we describe a Bayesian network-based technique to determine the state of a computer fi lesystem in terms of the program execution and fi les manipulated during some specific time period. Specifi cally, we discuss the construction of a Bayesian network from our prior knowledge of the manipulation of the fi lesystem and metadata information by a set of applications. The variations among the execution patterns of different applications indicate that the Bayesian network-based model is an appropriate tool, due to its ability to enable pattern learning and detection, even from an incomplete dataset. The focus of this paper is to highlight the merits of the Bayesian methods for learning, with regard to the techniques used for supervised learning in ordinary neural networks.

Creating an IHE ATNA-based audit repository.

Compliance with the Health Insurance Portability and Accountability Act (HIPAA) requires gathering audit information from picture archiving and communications systems (PACS) regarding evidence trails of human interactions. Until recently, most PACS users have had limited access to auditing information. Access required resources to handle manual inspection of audit logs, and access to proprietary databases was not always available. Some vendors now produce eXtensible Markup Language (XML) audit logs based on certain events occurring in PACS. However, it is up to the user to convert this information into an easily mined data repository supporting compliance and quality control. This process can be handled in multiple ways, which could mean different audit mechanisms depending on the PACS (or other hospital system) used. It is apparent that an organized method of dealing with audit information is needed. This help may be provided within the Integrating the Healthcare Environment (IHE) framework. The IHE initiative defines a set of profiles, actors, and transactions that create common scenarios for particular workflow processes. The Integration Profiles depict security as a fundamental requirement of the framework. Specifically, the Audit Trail and Node Authentication (ATNA) profile defines standards based mechanisms for securely transmitting and storing audit records in a central repository. The data structure defined by the profile provides a number of record types that capture different audit events. A general feasibility study for storing currently available PACS audit information following the profile is defined, and steps to an automated solution are discussed.

Spreadsheets in Statistical Practice—Another Look

Many authors have criticized the use of spreadsheets for statistical data processing and computing because of incorrect statistical functions, no log file or audit trail, inconsistent behavior of computational dialogs, and poor handling of missing values. Some improvements in some spreadsheet processors and the possibility of audit trail facilities suggest that the use of a spreadsheet for some statistical data entry and simple analysis tasks may now be acceptable. A brief outline of some issues and some guidelines for good practice are included.

Multidimensional Analysis: A Management Tool for Monitoring HIPAA Compliance and Departmental Performance

Most RIS and PACS systems include extensive auditing capabilities as part of their security model, but inspecting those audit logs to obtain useful information can be a daunting task. Manual analysis of audit trails, though cumbersome, is often resorted to because of the difficulty to construct queries to extract complex information from the audit logs. The approach proposed by the authors uses standard off-the-shelf multidimensional analysis software tools to assist the PACS/RIS administrator and/or security officer in analyzing those audit logs to identify and scrutinize suspicious events. Large amounts of data can be quickly reviewed and graphical analysis tools help explore system utilization. While additional efforts are required to fully satisfy the demands of the ever-increasing security and confidentiality pressures, multidimensional analysis tools are a practical step toward actually using the information that is already being captured in the systems' audit logs. In addition, once the work is performed to capture and manipulate the audit logs into a viable format for the multidimensional analysis tool, it is relatively easy to extend the system to incorporate other pertinent data, thereby enabling the ongoing analysis of other aspects of the department's workflow.

Investigating around mainframes and other high-end systems: the revenge of big iron

Normal computer forensic tools and techniques are ineffective or inefficient when applied to mainframes or other very large systems. Incidents involving mainframes are likely to have a significant business impact, so preparation is essential, both of any specialist tools and of staff with mainframe experience. Proper design of system audit logs can also provide admissible material of evidential weight, without the requirement for forensic treatment.

Investigating around mainframes and other high-end systems: the revenge of big iron

Normal computer forensic tools and techniques are ineffective or inefficient when applied to mainframes or other very large systems. Incidents involving mainframes are likely to have a significant business impact, so preparation is essential, both of any specialist tools and of staff with mainframe experience. Proper design of system audit logs can also provide admissible material of evidential weight, without the requirement for forensic treatment.

Discovering workflow models from activities’ lifespans

Workflow systems utilize a process model for managing business processes. The model is typically a directed graph annotated with activity names. We view the execution of an activity as a time interval, and present two new algorithms for synthesizing process models from sets of systems’ executions (audit log). A model graph generated by each of the algorithms for a process, captures all its executions and dependencies that are present in the log, and preserves existing parallelism. We compare the model graphs synthesized by our algorithms to those of Agrawal et al. [Mining process models from workflow logs, in: Proceedings of the Advances in Database Technology (EDBT’98), 6th International Conference on Extending Database Technology, Valencia, Spain, 23–27 March 1998, Lecture Notes in Computer Science, Proceedings vol. 1377, Springer, Berlin, 1998] by running them on simulated data. We observe that our graphs are more faithful in the sense that the number of excess and absent edges is consistently smaller and it depends on the size and quality of the log. In other words, we show that our time interval approach permits reconstruction of more accurate workflow model graphs from a log.

An Introduction to Sap R/3 for is Auditors

This article is intended for IS auditors who are unfamiliar with the SAP software product.It provides a general overview of SAP R/3;identifies the IS audit risks that can be involved in its use;describes the SAP R/3 security features that can address those risks;explains the use of the security audit log facility;provides an overview of the use of the Audit Information System (AIS)tool;and mentions sources of additional information about SAP R/3.

Secure audit logs to support computer forensics

In many real-world applications, sensitive information must be kept it log files on an untrusted machine. In the event that an attacker captures this machine, we would like to guarantee that he will gain little or no information from the log files and to limit his ability to corrupt the log files. We describe a computationally cheap method for making all log entries generated prior to the logging machine's compromise impossible for the attacker to read, and also impossible to modify or destroy undetectably.

Task analysis for the investigation of human error in safetycritical software design: a convergent methods approach

An investigation was conducted into sources of error within a safety-critical software design task. A number of convergent methods of task- and error-analysis were systematically applied: hierarchical task analysis (HTA), error log audit, error observation, work sample and laboratory experiment. HTA, which provided the framework for the deployment of subsequent methods, revealed possible weaknesses in the areas of task automation and job organization. Application of other methods within this more circumscribed context focused on the impact of task and job design issues. The use of a convergent methods approach draws attention to the benefits and shortcomings of individual analysis methods, and illustrates the advantages of combining techniques to analyse complex problems. The features that these techniques should possess are highlighted.

Data mining computer audit logs to detect computer misuse

All computers are vulnerable to misuse either by unauthorized users penetrating the system or by authorized users abusing their privileges. This paper describes the use of a data mining process to sift through large (gigabytes) computer audit log databases to detect potential improper accesses of sensitive data files by authorized users. Computer audit logs record information about what files were accessed by which users and when. The detection of computer misuse is important because computer misuse can be related to acts of computer fraud, information theft, software piracy, and violations of privacy, to name a few. The data mining process described in this paper can be applied to detect possible fraud in a wide variety of situations that share some common characteristics: first, a class of ‘sensitive’ files can be identified which may be subject to improper access; second, the selection of files by users is a random process; and third, the probability that a user-selected file is from the sensitive class should be the same for all members of a group of users. Examples of possible applications of the data mining process include detecting inappropriate accesses to classified files, celebrity files, financial accounts with high balances, and files known to have been improperly used. © 1998 John Wiley & Sons, Ltd.

Security Awareness and the Year 2000

What the Securities and Exchange Commission (SEC) Division of Corporate Finance and Investment Management Staff thinks of the Year 2000 (Y2K) problem may help you convince your management to take this matter seriously. Staff Legal Bulletins generally foreshadow the future rulings of the agency. If your organization has an external audit firm that opines on the financial statements of your enterprise, then it should already have advised your senior management on this matter. The accounting implications, however, may not lead management to a greater understanding of the security issues. Financial audits may not require an understanding of your access control environment — at least not in depth. You may then face several challenges: • Access control software (system, network, and application layers) may have Y2K issues. • Audit logs and historical records on which you rely for incident investigations may have Y2K issues (and some of the measures used to correct the first bullet may cause the new logs to be incompatible with your historical logs making reconstruction difficult; in some cases, the new product deletes, and even overwrites, old log files). • The process followed for correcting Y2K issues may bypass controls because time is short. This surrender to expedience opens a host of opportunities for abuse. Regaining control in the year 2000 may pose its own challenges. • What will either be, or appear to be, Y2K-related failures will provide a smokescreen for unauthorized activities. • Heavy reliance on outside consultants, contractors, outsourcers, and vendors of replacement or upgraded products will further burden your security administrators. Administrators will face increased user-identifier maintenance, resource access rules changes, and possibly, architectural changes affecting the security products themselves. Few organizations have properly budgeted for additional help here.

Multivariate data analysis software for enhancing system security

This article describes an intrusion detection technique that aims to enhance the security of computing systems. The idea of intrusion detection is based on the hypothesis that computer users are typically involved in specific types of activity, and the set of programs they use will normally reflect that activity. Hence, security violations could be detected from abnormal patterns of system usage. Intrusion detection almost invariably involves two components: system monitoring and data analysis. In general, system monitoring records everything that each user performs in the system. Monitoring information is analyzed by use of some data analysis technique to abstract user behavior patterns from the audit log. Although the concept of system monitoring is widely supported in today's computer systems (at least for accounting purposes), the provision of tools for analyzing monitoring information is not sufficient. We present a multivariate data analysis technique that is a nice mathematical tool for the analysis of user behavior patterns in intrusion detection. Our system records all user activities in each login session; abnormal sessions are identified when the monitoring data are analyzed. Data analysis involves two steps: analysis of correlations and classification of behavior patterns. Analysis of correlations, which is based on standardized principal components analysis, partitions the set of user sessions into groups such that sessions within the same group are closely correlated and hence governed by the same behavior pattern. Classification of behavior patterns is automated by a cluster recognition technique. To visualize analysis results, the multivariate data set is summarized by factor analysis.

Mental Health Problems in Hospital-Based Clinics: Patient Profile and Referral Patterns

BACKGROUND: Although several investigators have suggested that the primary care setting has become the "de facto" mental health provider, few researchers have docu mented the psychiatric referral practices of providers in these settings. OBJECTIVE: In this study, the psychiatric referral patterns of hospital-based outpa tient clinics and the needs and characteristics of the referred patient population were examined. DESIGN: After a 4-year retrospective log audit, 2, 678 written referrals were examined for patients 18 years of age and older from a large urban medical center's outpatient clinics to the outpatient psychiatry clinic at the same site. RESULTS: Findings revealed a predominately middle-aged, white, female, Medicaid popu lation referred by physician providers in primary care clinics for signs of depression and associated symptoms. However, of the patients scheduled in the psychiatry clinic, only 56% actually had visits. The average number of visits was five or less. CONCLUSIONS: Early assessment and triage by advanced practice psychiatric nurses can minimize the length of time between psychiatric referral and intervention. By iden tifying those persons in crisis and intervening in a timely fashion, failed appointements may be reduced. U Am PSYCHIATR NURSES Assoc [1995]. 1, 140-145)