Log Collection Research Articles

Towards autonomous device protection using behavioural profiling and generative artificial intelligence

AbstractDemand for autonomous protection in computing devices cannot go unnoticed, considering the rapid proliferation of deployed devices and escalating cyberattacks. Consequently, cybersecurity measures with an improved generalisation that can proactively determine the indicators of compromises to predict 0‐day threats or previously unseen malware together with known malware are highly desirable. In this article, the authors present a novel concept of autonomous device protection based on behavioural profiling by continuously monitoring internal resource usage and leveraging generative artificial intelligence (genAI) to distinguish between benign and malicious behaviour. The authors design a proof‐of‐concept for Windows‐based computing devices relying on a built‐in event tracing mechanism for log collection that is converted into structured data using a graph data structure. The authors extract graph‐level features, that is, graph depth, nodes count, number of leaf nodes, node degree statistics, and events count and node‐level features (NLF), that is, process start, file create and registry events details for each graph. Further, the authors investigate the use of genAI exploiting a pre‐trained large language network—a simple contrastive sentence embedding framework to extract strong features, that is, dense vectors from event graphs. Finally, the authors train a random forest classifier using both the graph‐level features and NLF to obtain classification models that are evaluated on a collected dataset containing one thousand benign and malicious samples achieving accuracy up to 99.25%.

Sliding and Adaptive Windows to Improve Change Mining in Process Variability

A configurable process Change Mining approach can detect changes from a collection of event logs and provide details on the unexpected behavior of all process variants of a configurable process. The strength of Change Mining lies in its ability to serve both conformance checking and enhancement purposes; users can simultaneously detect changes and ensure process conformance using a single, integrated framework. In prior research, a configurable process Change Mining algorithm has been introduced. Combined with our proposed preprocessing and change log generation methods, this algorithm forms a complete framework for detecting and recording changes in a collection of event logs. Testing the framework on synthetic data revealed limitations in detecting changes in different types of variable fragments. Consequently, it is recommended that the preprocessing approach be enhanced by applying a filtering algorithm based on sliding and adaptive windows. Our improved approach has been tested on various types of variable fragments to demonstrate its efficacy in enhancing Change Mining performance.

Design and implementation of real-time log analysis based on ELK

With the rapid development of the IT industry, the integrated solution of real-time log analysis has become a member of the new generation of IT operation and maintenance structure. The traditional manual log analysis system is no longer suitable for the rapid development of the operation and maintenance system. The log analysis software commonly used in enterprises includes Elasticsearch, Logstash, and Kibana systems. The advantage is that it is free and open source. "Design and implementation of real-time log analysis based on ELK" was born for system maintenance and developers to understand server software and hardware information through logs, and check the cumbersome operations in the configuration process. Because frequent analysis of the log can understand the load of the server, performance security, so as to take timely measures to correct errors. If you manage dozens or hundreds of servers, there is no centralized log management system to collect and summarize the logs on all servers, which causes great difficulties for operation and maintenance managers. "Design and implementation of real-time log analysis based on ELK" uses Elasticsearch, Logstash, and Kibana to achieve unified collection and classification of server logs, which can solve the defects of traditional log analysis platforms, improve the efficiency of server application positioning problems, and help enterprises solve data center problems running problems of related applications.

Learning to Diagnose: Meta-Learning for Efficient Adaptation in Few-Shot AIOps Scenarios

With the advancement of technologies like 5G, cloud computing, and microservices, the complexity of network management systems and the variety of technical components have greatly increased. This rise in complexity has rendered traditional operations and maintenance methods inadequate for current monitoring and maintenance demands. Consequently, artificial intelligence for IT operations (AIOps), which harnesses AI and big data technologies, has emerged as a solution. AIOps plays a crucial role in enhancing service quality and customer satisfaction, boosting engineering productivity, and reducing operational costs. This article delves into the primary tasks involved in AIOps, such as anomaly detection, and log fault analysis and classification. A significant challenge identified in many AIOps tasks is the scarcity of fault sample data, indicating a natural alignment of these tasks with few-shot learning. Inspired by model-agnostic meta-learning (MAML), we propose a new anomaly detector, MAML-KAD, for application in various AIOps tasks. Observations confirm that meta-learning algorithms effectively enhance AIOps tasks, showcasing the wide-ranging application prospects of meta-learning algorithms in the field of AIOps. Moreover, we introduced an AIOps platform that embeds meta-learning within its diagnostic core and features streamlined log collection, caching, and alerting to automate the AIOps workflow.

BPM application in clinical process improvement: a women 'hospital case study

PurposeThe childbirth process is a complex and vital event that requires careful analysis and improvement. This experience can shape a woman's perspective on motherhood and even affect her mental health. Healthcare providers must prioritize improving the birth experience for women. In this interdisciplinary research, a combination of business process modeling (BPM) and medicine have been used with the aim of realizing an improved delivery experience and increased maternal satisfaction.Design/methodology/approachThe data collection of this study was done by observing 518 childbirth processes and interviewing the chief of labor, chief residents, and midwives in the obstetrics and gynecology department of a hospital in Tehran from October 2022 to February 2023.FindingsThe research has been done in four main stages. The first phase is to model the primary process and sub-processes of normal vaginal delivery (NVD). The second phase is validation using expert confirmation and process mining (PM). The third phase is the analysis of the causes of maternal dissatisfaction in labor. The fourth phase of the heuristics redesigning and improving the process, in which for the first time three new categories have been presented including hospital-based, patient-based, and medical technique-based results show BPM intervention effect can be far-reaching in improving patient care and optimizing operational efficiency.Originality/valueThis study is one of only a few to adopt a process-oriented perspective to show how BPM can be used in clinical processes and has specifically examined an essential clinical process, i.e. childbirth.Highlights Developing business process management (BMP) applications in a medical special process related to childbirth as interdisciplinary research.A combination of qualitative and quantitative techniques contains engineering software and management approaches for a Case study, Implementation of BPM lifecycle in the women's hospital in Iran, Tehran, for a clinical process, which is called, normal vaginal delivery (NVD) process for fetal expulsion normally.Modeling NVD clinical process and sub-process for the first time by BPMN2.0 notations in visual paradigm (VP) software and Validation of the made model with process mining (PM), by Disco process mining software. This was done through event log collection from HIS at the hospital.Improving the childbirth process by redesigning heuristics and Introducing two new categories special for clinical process improvement for the first time.Clinical process improvement heuristics obtained in this research are not consistent with the previous seven categories presented in previous studies such as Marlon Dumas' book. Therefore, we have introduced two new heuristics to redesign clinical processes compatible with medical centers, including hospital-based, patient-based, and medical technique-based.Providing a framework for clinical process modeling and improvement containing steps and tools.

A Method for Solving Problems in Acquiring Communication Logs on End Hosts

In the process of collecting evidence of activities and events in network devices, there are problems with content and storage, and we aim to solve the problems faced by network devices in network forensics. In this paper, we propose a simple method for solving the problems with content and storage in acquiring communication logs on end hosts, implement a sniffing tool that captures raw packets with communication event control, compare it with existing tools, and conduct experiments and considerations. Through these experiments and considerations, we confirmed that the proposed communication log acquisition method can be implemented on the end host, and that the problem can be solved by using a tool that implements the proposed method. Also, we confirmed that it can be applied to real-world communication log collection scenarios, and that it can coexist with existing systems and tools that collect communication logs.

A Process Mining Method for Inter-organizational Business Process Integration

Business process integration (BPI) allows organizations to connect and automate their business processes in order to deliver the right economic resources at the right time, place, and price. BPI requires the integration of business processes and their supporting systems across multiple autonomous organizations. However, such integration is complex and can face coordination complexities that occur during the resource exchanges between the partners’ processes. This article proposes a new method called Process Mining for Business Process Integration (PM4BPI) that helps process designers to perform BPI by creating new process models that cross the boundaries of multiple organizations from a collection of process event logs. PM4BPI uses federated process mining techniques to detect incompatibilities before the integration of the partners’ processes. Then, it applies process adaptation patterns to solve detected incompatibilities. Finally, organizations’ processes are merged to build a collaborative process model that crosses the organizations’ boundaries. Adapt WF_Net , an extension of a Petri net, is used to design inter-organizational business processes and adaptation patterns. An integrated care pathway is used as a case study to assess the applicability and effectiveness of the proposed method.

МЕТОД ТА ЗАСІБ МОНІТОРИНГУ БЕЗПЕКИ В КОМП'ЮТЕРНІЙ МЕРЕЖІ ЗАСОБАМИ SIEM

This work focuses on researching, analyzing, and enhancing methods and tools for security monitoring in computer networks. The study develops security monitoring tools and methods based on SIEM agents, improving the data normalization process from security logs. The research explores SIEM's role in the SIEM-EDR-NDR triad perspective to accelerate responses to network security threats. The investigation is grounded in the experiences of foreign companies and domestic banking networks. The interaction of SIEM-EDR-NDR components, forming a SOC triad, is examined. SIEM is utilized for centralized data analysis, including EDR and NDR, providing a comprehensive security overview. EDR detects and responds to threats on endpoints, complemented by NDR, extending SIEM analysis. This combination ensures effective response to cyberattacks, reducing "dwell time" until detection. The formulation of tasks for EDR components in the SIEM-EDR-NDR triad is discussed. Emphasis is placed on the importance of protecting endpoints at all stages of an attack, and effective strategies, such as traffic analysis, application control, and centralized cybersecurity management, are identified. Integration of EDR with existing security tools to create a comprehensive system is highlighted. Within the SIEM context, data processing stages, from log collection and normalization to event classification and correlation, are illuminated. The role of correlation in incident formation and investigation is underscored. An enhanced normalization scheme with an expanded agent deployment and key data processing stages within the SIEM system is proposed. The work addresses the improvement of event log processing in SIEM for effective network security monitoring and timely threat mitigation. The achieved goal accelerates threat response processes through SIEM agent integration, facilitating the organization and classification of information flows for prompt threat mitigation.

Insights into Editing and Revising in Writing Process Using Keystroke Logs

ABSTRACT Recent technology advances have enabled the collection of keystroke logs during writing, a non-intrusive approach to collecting writing process data that could provide insights into writers’ editing and revising behaviors in the writing process. Using keystroke logs from 761 middle school students in the US, this study investigated the association between the writers’ editing and revising behaviors, especially in-text editing and jump editing, and their scores and gender. The results showed different writing behavior patterns for participants of different ability and gender. The research findings on the writing processes went beyond character- and word-level activities and shed light on writers’ revising behaviors and related writing evaluating skills, which can potentially be used for automated writing interventions.

SigML++: Supervised Log Anomaly with Probabilistic Polynomial Approximation

Security log collection and storage are essential for organizations worldwide. Log analysis can help recognize probable security breaches and is often required by law. However, many organizations commission log management to Cloud Service Providers (CSPs), where the logs are collected, processed, and stored. Existing methods for log anomaly detection rely on unencrypted (plaintext) data, which can be a security risk. Logs often contain sensitive information about an organization or its customers. A more secure approach is always to keep logs encrypted (ciphertext). This paper presents “SigML++”, an extension of “SigML” for supervised log anomaly detection on encrypted data. SigML++ uses Fully Homomorphic Encryption (FHE) according to the Cheon–Kim–Kim–Song (CKKS) scheme to encrypt the logs and then uses an Artificial Neural Network (ANN) to approximate the sigmoid (σ(x)) activation function probabilistically for the intervals [−10,10] and [−50,50]. This allows SigML++ to perform log anomaly detection without decrypting the logs. Experiments show that SigML++ can achieve better low-order polynomial approximations for Logistic Regression (LR) and Support Vector Machine (SVM) than existing methods. This makes SigML++ a promising new approach for secure log anomaly detection.

Access Security Policy Generation for Containers as a Cloud Service

The rapid development of containerization technology comes with remarkable benefits for developers and operation teams. Container solutions allow building very flexible software infrastructures. Although lots of efforts have been devoted to enhancing containerization security, containerized environments still have a huge attack surface. Completely avoiding severe security issues have so far not been possible to achieve. However, the security problems due to vulnerabilities in for instance kernels, can be largely reduced if the container privileges are as restricted as possible. Mandatory access control is an efficient way to achieve this using for instance AppArmor. As manual AppArmor generation is tedious and error prone, automatic generation of protection profile is necessary. In previous research, a new tool for tight AppArmor profile generation was presented. In this paper we show how, in a system setting, such tool can be combined with container service testing, to provide a cloud based container service for automatic AppArmore profile generation. We present solutions for profile generation both for centrally collected and generated container logs and for log collection through a local agent. To evaluate the effectiveness of the profile generation service, we enable it on a widely used containerized web service to generate profiles and test them with real-world attacks. We generate an exploit database with 11 exploits harmful to the tested web service. These exploits are sifted from the 56 exploits of Exploit-db targeting the tested web service’s software. We launch these exploits on the web service protected by the profile. The results show that the proposed profile generation service improves the test web service’s overall security a lot compared to using the default Docker security profile. This together with the very user friendly and robust principle for setting up and running the service, clearly indicates that the approach is an important step for improving container security in real deployments.

Optimization of Security Information and Event Management (SIEM) Infrastructures, and Events Correlation / Regression Analysis for Optimal Cyber Security Posture

This work integrates logical and physical security processes, and simplifies the manageability of the security infrastructure. The process increases visibility to resources, which makes it easier to prevent security incidents, and provides a platform to manage the response and recovery after an incident occur. Log collection is the heart and soul of a SIEM. Log correlation is employed to identify particular sequences of log events from devices. The comparison between network level and host level events automatically perform initial validation that would not normally be performed. It considers movement of data between systems where it would not normally accounts logging on at unusual times or from unusual places, these may not generate specific security alerts, but can be much more easily spotted and flagged by a log correlation solution that sees everything in the environment. It shows some enhancements to event log normalization and significantly improves correlation rule execution. The event monitoring algorithm and SIEM correlation rules result in false positives or false negatives. Security managers, therefore, may waste time and resources that could be used to respond to real threats and assaults if there are too many false positives. This study hereby, strikes a compromise between lowering false positive alerts and not ignoring any potential abnormalities that could indicate a cyberattack when establishing SIEM correlation rules. In order to decide which data is pertinent and which data is irrelevant in an event pipeline, this research employs the use of filters. Through this examination, it can be inferred that the conditions are advantageous for promoting investment in the growth and enhancement of this technology as an essential component of industrial control systems with security operation centers, as well as offering cyber security management for small and medium-sized enterprises (SMEs) with restricted security expertise and capabilities.

Teachers’ and students’ experiences using the New Citizens tool: a study of belonging in culturally diverse classrooms

ABSTRACT This study explores how teachers and students from culturally diverse upper secondary classrooms experienced the potential for enhanced belonging through the use of question cards from New Citizens. The methods include the collection of self-reported reflection logs from teachers, a focus group interview with teachers and individual interviews with students. The findings indicate three main themes: 1) development of communication skills, trust, and safety in student‒student relationships, 2) students’ experiences of self-efficacy and self-worth, and 3) recognition of similarities and differences among students. These findings confirm the importance of student‒student relationships in upper secondary schools and show how the recognition of similarities and understanding were enhanced through the use of question cards. An implication of this study is that the further development of such tools could help teachers promote belonging in culturally diverse classrooms.

Analysis of Lapan Security Access Based on Firewall Log in Center Eight

Analysis of Network Security Access Space Agency Based Firewall Log In LAPAN Center. Supervisor LIPUR SUGIYANTA, Ph.D and Drs. BACHREN ZAINI, M.Pd. Increased Denial Of Service attacks, and other types of computer network interference, making security an important issue to be considered by all those who take advantage of the presence of the virtual world today. LAPAN Center system along with the information contained within is no exception contained attacks on access computer network security. Such attacks can be prevented at an early stage by analyzing at each access that will go on network security in LAPAN. This research at Analysis of Network Access to know and learn access of network security in firewall log LAPAN Center. This research was conducted with several stages of observation and interviews to employees of LAPAN Center infrastructure. After the stage of observation and interviews, the researchers conducted further data collection and analysis of firewall logs. The study states that the analysis of security access network based firewall log in LAPAN Center in the form of six messages that occur when a network will pass through the firewall. It can be concluded that by doing some analysis phases of network security access based firewall log in LAPAN Center produces a record of every incident inside the firewall logs. The study states that the analysis of security access network based firewall log in LAPAN Center in the form of six messages that occur when a network will pass through the firewall. It can be concluded that by doing some analysis phases of network security access based firewall log in LAPAN Center produces a record of every incident inside the firewall logs. The study states that the analysis of security access network based firewall log in LAPAN Center in the form of six messages that occur when a network will pass through the firewall. It can be concluded that by doing some analysis phases of network security access based firewall log in LAPAN Center produces a record of every incident inside the firewall logs.

Chidroid: A Mobile Android Application for Log Collection and Security Analysis in Healthcare and IoMT

The Internet of Medical Things (IoMT) is a growing trend that has led to the use of connected devices, known as the Internet of Health. The healthcare domain has been a target of cyberattacks, especially with a large number of IoMT devices connected to hospital networks. This factor could allow attackers to access patients’ personal health information (PHI). This research paper proposes Chidroid, an innovative mobile Android application that can retrieve, collect, and distribute logs from smart healthcare devices. The proposed approach enables the creation of datasets, allowing non-structured data to be parsed into semi-structured or structured data that can be used for machine learning and deep learning, and the proposed approach can serve as a universal policy-based tool to examine and analyse security issues in most recent Android versions by distributing logs for analysis. The validation tests demonstrated that the application could retrieve logs and system metrics from various assets and devices in an efficient manner. The collected logs can provide visibility into the device’s activities and help to detect and mitigate potential security risks. This research introduces a way to perform a security analysis on Android devices that uses minimal system resources and reduces battery consumption by pushing the analysis stage to the edge.

An Effective Threat Detection Framework for Advanced Persistent Cyberattacks

Recently, with the normalization of non-face-to-face online environments in response to the COVID-19 pandemic, the possibility of cyberattacks through endpoints has increased. Numerous endpoint devices are managed meticulously to prevent cyberattacks and ensure timely responses to potential security threats. In particular, because telecommuting, telemedicine, and tele-education are implemented in uncontrolled environments, attackers typically target vulnerable endpoints to acquire administrator rights or steal authentication information, and reports of endpoint attacks have been increasing considerably. Advanced persistent threats (APTs) using various novel variant malicious codes are a form of a sophisticated attack. However, conventional commercial antivirus and anti-malware systems that use signature-based attack detection methods cannot satisfactorily respond to such attacks. In this paper, we propose a method that expands the detection coverage in APT attack environments. In this model, an open-source threat detector and log collector are used synergistically to improve threat detection performance. Extending the scope of attack log collection through interworking between highly accessible open-source tools can efficiently increase the detection coverage of tactics and techniques used to deal with APT attacks, as defined by MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). We implemented an attack environment using an APT attack scenario emulator called Carbanak and analyzed the detection coverage of Google Rapid Response (GRR), an open-source threat detection tool, and Graylog, an open-source log collector. The proposed method expanded the detection coverage against MITRE ATT&CK by approximately 11% compared with that conventional methods.

A Hybrid Model for Detecting Phishing Attack Using Recommedation Decision Trees

Phishing performs by trying to trick the victim into accessing any computing information which looks original, then instructing them to send important data to unrestricted/unwanted privacy resource. For prevention, it is essential to develop a phishing detection system. Recent phishing detection systems are based on data mining and machine learning techniques. Most of the related work literature require collection of previous phishing attack logs, analyze them and create a list of such activities and block traffic from such sources. But this is a cumbersome task because the data size is very large, continue changing and dynamic nature. [1]. Instead of using single algorithm approach it would be better to use a hybrid approach. A hybrid approach would be better at mitigating phishing attacks because classification of different format of data is handled; whether the intruder want to use images or textural input to gain into another user system for phishing. Hybrid recommendation decision tress enhances any of machine learning and deep learning algorithms performance. The decision path of the model followed a series of if/else/then statements that connect the predicted class from the root of the tree through the branches of the tree to detect true positive and false negatives of phishing attempts. 10 decision trees were considered and used the features to train the recommendation decision regression model. The developed hybrid recommendation decision tree approach provided an overall true positive rate of the model of 92.28 % and false negative rate is 7.4%.

Characterization and distribution of Teredinidae assemblage in an estuary in Ceará, Brazil's Northeast.

Teredinids are bivalves mollusks considered the most abundant of invertebrates group of marine wood borers performing an important role in the mangrove environment. This study aimed to characterize the Teredinidae species from the Acaraú River estuary in Ceará and analyse the relationship between the mangrove plant structure and the distribution of Teredinidae, according to gradients estuaries: vertical (flooding) and horizontal (salinity). The collection of mangrove logs with Teredinidae happened in three places within the estuary (inner, median, and upper); in each area, three transects were traced in which three plots were lined off, and a total of 40 logs were collected. Teredinidae species were found and identified: Nausitora fusticula; Neoteredo reynei; Teredo turnerae; Teredo cf. bartschi; Bankia bipennata; Bankia gouldi; Lirodus massa and Lyrodus cf. bipartitus. The Lyrodus cf. bipartitus, Bankia gouldi, and Teredo cf. bartschi species were registered for the first time in Ceará. The distribution and species richness of Teredinidae were directly related to the vertical gradient (flooding) and heterogeneity of the mangrove forest habitat. The data presented here are essential for comprehending the mechanisms responsible for the distribution patterns of the Teredinidae species in the mangrove, contributing to biodiversity conservation in Ceará coastal zones.

Research of virtualized log management system in communication dispatching center of power grid

Logs happen every day. They record all kinds of events of current network and its management facilities. Communication dispatchers can use it to aware network or facility failures. In the purpose of improving awareness of communication network and its management facilities, this research is focusing on a log management system for different types of communication devices and network management servers. From log system architecture, to actual situations of log collection. Then, the distribution of system, from bare-metal servers to virtual machines. Most a virtualized log management system is deployed and tested in a dispatching center of power grid.

Feature Selection for Fault Detection and Prediction based on Event Log Analysis

Event logs are widely used for anomaly detection and prediction in complex systems. Existing log-based anomaly detection methods usually consist of four main steps: log collection, log parsing, feature extraction, and anomaly detection, wherein the feature extraction step extracts useful features for anomaly detection by counting log events. For a complex system, such as a lithography machine consisting of a large number of subsystems, its log may contain thousands of different events, resulting in abounding extracted features. However, when anomaly detection is performed at the subsystem level, analyzing all features becomes expensive and unnecessary. To mitigate this problem, we develop a feature selection method for log-based anomaly detection and prediction. Specifically, our method consists of three main modules: the Log Event Vectorization module that converts semi-structured log texts into time series; the Selection of Relevant Features module that leverages Kendall rank correlation and Granger causality test to select log events for fault detection and prediction; and the Removal of Redundant Features module that utilises Kendall rank correlation to reduce redundant log events. Results on 25 real-world datasets show that our method can detect and predict faults more accurately by selecting a small proportion of log events, thereby improving the effectiveness and efficiency.