Browser unable to execute script; please use the site map to navigate the site.

Using Self-Organising Maps for Anomalous Behaviour Detection in a Computer Forensic Investigation

Fei, Eloff, Olivier, Tillwick, and Venter

2005

(Citation)Citation information

B. K. L. Fei, J. H. P. Eloff, M. S. Olivier, H. M. Tillwick, and H. S. Venter. “Using Self-Organising Maps for Anomalous Behaviour Detection in a Computer Forensic Investigation”. In: Proceedings of the Fifth Annual Information Security South Africa Conference (ISSA2005). Ed. by H. S. Venter, J. H. P. Eloff, L. Labuschagne, and M. M. Eloff. Research in progress paper, published electronically. Sandton, South Africa, June 2005

(Abstract)Abstract

The dramatic increase in crime relating to the Internet and computers has caused a growing need for computer forensics. Computer forensic tools have been developed to assist computer forensic investigators in conducting a proper investigation into digital crimes. In general, the bulk of the computer forensic tools available on the market permit investigators to analyse data that has been gathered from a computer system. However, current state-of-the-art computer forensic tools simply cannot handle large volumes of data in an efficient manner. With the advent of the Internet, many employees have been given access to new and more interesting possibilities via their desktop. Consequently, excessive Internet usage for non-job purposes and even blatant misuse of the Internet (such as employees accessing Web sites that promote pornography and other illegal activities) have become a problem in many organisations. Since storage media are steadily growing in size, the process of analysing multiple computer systems during a digital investigation can easily consume an enormous amount of time. Identifying a single suspicious computer from a set of candidates can therefore reduce human processing time and/or reduce the monetary costs involved in gathering evidence.

The focus of this paper is to demonstrate how, in a digital investigation, computer forensic tools and the self-organising map (SOM) — an unsupervised neural network model — can aid computer forensic investigators to determine anomalous behaviours (or activities) among employees (or computer systems) in a far more efficient manner. By analysing the different SOMs (one for each computer system), anomalous behaviours are identified and investigators are assisted to conduct the analysis more efficiently. The paper will demonstrate how the easy visualisation of the SOM enhances the ability of the investigators to interpret and explore the data generated by computer forensic tools so as to determine anomalous behaviours.

(Full text)Full text

A pre- or postprint of the publication is available at https://mo.co.za/open/behaviourdetection.pdf.

(BibTeX record)BibTeX reference

@inproceedings(behaviourdetection,
author={Bennie K L Fei and Jan H P Eloff and Martin S Olivier and Heiko M Tillwick and Hein S Venter},
title={Using Self-Organising Maps for Anomalous Behaviour Detection in a Computer Forensic Investigation},
booktitle={Proceedings of the Fifth Annual Information Security South Africa Conference (ISSA2005)},
editor={Hein S Venter and Jan H P Eloff and Les Labuschagne and Mariki M Eloff},
address={Sandton, South Africa},
month=jun,
year={2005},
note={Research in progress paper, published electronically} )