Anomalous File System Activity Detection Through Temporal Association Rule Mining

M. Reza H. Iman; Pavel Chikul; Gert Jervan; Hayretdin Bahsi; Tara Ghasempouri

doi:10.5220/0011805100003405

Anomalous File System Activity Detection Through Temporal Association Rule Mining

M. Reza H. Iman, Pavel Chikul, Gert Jervan, Hayretdin Bahsi, Tara Ghasempouri

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Scopus citations

Abstract

NTFS USN Journal tracks all the changes in the files, directories, and streams of a volume for various reasons including backup. Although this data source has been considered a significant artifact for digital forensic investigations, the utilization of this source for automatic malicious behavior detection is less explored. This paper applies temporal association rule mining to data obtained from the NTFS USN Journal for malicious behavior detection. The proposed method extracts association rules from two data sources, the first one with normal behavior and the second one with a malicious one. The obtained rules, which have embedded the sequence of information, are compared with respect to their support and confidence values to identify the ones indicating malicious behavior. The method is applied to a ransomware case to demonstrate its feasibility in finding relevant rules based on USN journal activities.

Original language	English (US)
Title of host publication	ICISSP 2023 - Proceedings of the 9th International Conference on Information Systems Security and Privacy
Editors	Paolo Mori, Gabriele Lenzini, Steven Furnell
Publisher	Science and Technology Publications, Lda
Pages	733-740
Number of pages	8
ISBN (Print)	9789897586248
DOIs	https://doi.org/10.5220/0011805100003405
State	Published - 2023
Externally published	Yes
Event	9th International Conference on Information Systems Security and Privacy, ICISSP 2023 - Lisbon, Portugal Duration: Feb 22 2023 → Feb 24 2023

Publication series

Name	International Conference on Information Systems Security and Privacy
ISSN (Electronic)	2184-4356

Conference

Conference	9th International Conference on Information Systems Security and Privacy, ICISSP 2023
Country/Territory	Portugal
City	Lisbon
Period	2/22/23 → 2/24/23

Keywords

Anomaly Detection
Association Rule Mining
Forensics
NTFS
Pattern Recognition
USN Journal

ASJC Scopus subject areas

Computer Science (miscellaneous)
Information Systems

Access to Document

10.5220/0011805100003405

Cite this

Iman, M. R. H., Chikul, P., Jervan, G., Bahsi, H., & Ghasempouri, T. (2023). Anomalous File System Activity Detection Through Temporal Association Rule Mining. In P. Mori, G. Lenzini, & S. Furnell (Eds.), ICISSP 2023 - Proceedings of the 9th International Conference on Information Systems Security and Privacy (pp. 733-740). (International Conference on Information Systems Security and Privacy). Science and Technology Publications, Lda. https://doi.org/10.5220/0011805100003405

Anomalous File System Activity Detection Through Temporal Association Rule Mining. / Iman, M. Reza H.; Chikul, Pavel; Jervan, Gert et al.
ICISSP 2023 - Proceedings of the 9th International Conference on Information Systems Security and Privacy. ed. / Paolo Mori; Gabriele Lenzini; Steven Furnell. Science and Technology Publications, Lda, 2023. p. 733-740 (International Conference on Information Systems Security and Privacy).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Iman, MRH, Chikul, P, Jervan, G, Bahsi, H & Ghasempouri, T 2023, Anomalous File System Activity Detection Through Temporal Association Rule Mining. in P Mori, G Lenzini & S Furnell (eds), ICISSP 2023 - Proceedings of the 9th International Conference on Information Systems Security and Privacy. International Conference on Information Systems Security and Privacy, Science and Technology Publications, Lda, pp. 733-740, 9th International Conference on Information Systems Security and Privacy, ICISSP 2023, Lisbon, Portugal, 2/22/23. https://doi.org/10.5220/0011805100003405

Iman MRH, Chikul P, Jervan G, Bahsi H, Ghasempouri T. Anomalous File System Activity Detection Through Temporal Association Rule Mining. In Mori P, Lenzini G, Furnell S, editors, ICISSP 2023 - Proceedings of the 9th International Conference on Information Systems Security and Privacy. Science and Technology Publications, Lda. 2023. p. 733-740. (International Conference on Information Systems Security and Privacy). doi: 10.5220/0011805100003405

Iman, M. Reza H. ; Chikul, Pavel ; Jervan, Gert et al. / Anomalous File System Activity Detection Through Temporal Association Rule Mining. ICISSP 2023 - Proceedings of the 9th International Conference on Information Systems Security and Privacy. editor / Paolo Mori ; Gabriele Lenzini ; Steven Furnell. Science and Technology Publications, Lda, 2023. pp. 733-740 (International Conference on Information Systems Security and Privacy).

@inproceedings{489b047e14984eb9bd4e1b72557d3736,

title = "Anomalous File System Activity Detection Through Temporal Association Rule Mining",

abstract = "NTFS USN Journal tracks all the changes in the files, directories, and streams of a volume for various reasons including backup. Although this data source has been considered a significant artifact for digital forensic investigations, the utilization of this source for automatic malicious behavior detection is less explored. This paper applies temporal association rule mining to data obtained from the NTFS USN Journal for malicious behavior detection. The proposed method extracts association rules from two data sources, the first one with normal behavior and the second one with a malicious one. The obtained rules, which have embedded the sequence of information, are compared with respect to their support and confidence values to identify the ones indicating malicious behavior. The method is applied to a ransomware case to demonstrate its feasibility in finding relevant rules based on USN journal activities.",

keywords = "Anomaly Detection, Association Rule Mining, Forensics, NTFS, Pattern Recognition, USN Journal",

author = "Iman, {M. Reza H.} and Pavel Chikul and Gert Jervan and Hayretdin Bahsi and Tara Ghasempouri",

note = "Publisher Copyright: {\textcopyright} 2023 by SCITEPRESS – Science and Technology Publications, Lda.; 9th International Conference on Information Systems Security and Privacy, ICISSP 2023 ; Conference date: 22-02-2023 Through 24-02-2023",

year = "2023",

doi = "10.5220/0011805100003405",

language = "English (US)",

isbn = "9789897586248",

series = "International Conference on Information Systems Security and Privacy",

publisher = "Science and Technology Publications, Lda",

pages = "733--740",

editor = "Paolo Mori and Gabriele Lenzini and Steven Furnell",

booktitle = "ICISSP 2023 - Proceedings of the 9th International Conference on Information Systems Security and Privacy",

address = "Portugal",

}

TY - GEN

T1 - Anomalous File System Activity Detection Through Temporal Association Rule Mining

AU - Iman, M. Reza H.

AU - Chikul, Pavel

AU - Jervan, Gert

AU - Bahsi, Hayretdin

AU - Ghasempouri, Tara

PY - 2023

Y1 - 2023

N2 - NTFS USN Journal tracks all the changes in the files, directories, and streams of a volume for various reasons including backup. Although this data source has been considered a significant artifact for digital forensic investigations, the utilization of this source for automatic malicious behavior detection is less explored. This paper applies temporal association rule mining to data obtained from the NTFS USN Journal for malicious behavior detection. The proposed method extracts association rules from two data sources, the first one with normal behavior and the second one with a malicious one. The obtained rules, which have embedded the sequence of information, are compared with respect to their support and confidence values to identify the ones indicating malicious behavior. The method is applied to a ransomware case to demonstrate its feasibility in finding relevant rules based on USN journal activities.

AB - NTFS USN Journal tracks all the changes in the files, directories, and streams of a volume for various reasons including backup. Although this data source has been considered a significant artifact for digital forensic investigations, the utilization of this source for automatic malicious behavior detection is less explored. This paper applies temporal association rule mining to data obtained from the NTFS USN Journal for malicious behavior detection. The proposed method extracts association rules from two data sources, the first one with normal behavior and the second one with a malicious one. The obtained rules, which have embedded the sequence of information, are compared with respect to their support and confidence values to identify the ones indicating malicious behavior. The method is applied to a ransomware case to demonstrate its feasibility in finding relevant rules based on USN journal activities.

KW - Anomaly Detection

KW - Association Rule Mining

KW - Forensics

KW - NTFS

KW - Pattern Recognition

KW - USN Journal

UR - http://www.scopus.com/inward/record.url?scp=85176318771&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85176318771&partnerID=8YFLogxK

U2 - 10.5220/0011805100003405

DO - 10.5220/0011805100003405

M3 - Conference contribution

AN - SCOPUS:85176318771

SN - 9789897586248

T3 - International Conference on Information Systems Security and Privacy

SP - 733

EP - 740

BT - ICISSP 2023 - Proceedings of the 9th International Conference on Information Systems Security and Privacy

A2 - Mori, Paolo

A2 - Lenzini, Gabriele

A2 - Furnell, Steven

PB - Science and Technology Publications, Lda

T2 - 9th International Conference on Information Systems Security and Privacy, ICISSP 2023

Y2 - 22 February 2023 through 24 February 2023

ER -

Anomalous File System Activity Detection Through Temporal Association Rule Mining

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this