The Center for Education and Research in Information Assurance and Security (CERIAS)


An empirical study of Automatic Event Reconstruction Systems


Author

Sundararaman Jeyaraman, Mike Atallah

Tech report number

CERIAS TR 2006-20

Entry type

article

Abstract

Reconstructing the sequence of computer events that led to a particular event is an essential part of the digital investigation process. The ability to quantify the accuracy of automatic event reconstruction systems is an essential step in standardizing the digital investigation process, thereby making it resilient to tactics such as the Trojan Horse defense. In this paper, we present findings from an empirical study that measures and compares the accuracy and effectiveness of a suite of such event reconstruction techniques. We quantify (as applicable) the rates of false positives and false negatives, and the scalability of each technique in terms of both computational burden and memory usage. Some of our findings are quite surprising in that they do not match a priori expectations; other findings qualitatively match those expectations but had never before been quantitatively put to the test to determine the boundaries of their applicability. For example, our results show that automatic event reconstruction systems proposed in the literature have very high false-positive rates (up to 96%).


Institution

CERIAS

Key alpha

Author

School

Purdue University

Affiliation

CERIAS, Department of Computer Sciences

Publication Date

2006-06-16

Subject

Intrusion Analysis, Event Reconstruction, Forensics

BibTeX-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTeX document. Note that the text may not contain all macros that BibTeX supports.