Log Analysis Techniques using Clustering in Network Forensics
Imam Riadi, Jazi Eko Istiyanto, Ahmad Ashari, Subanar

TL;DR
This paper presents a clustering-based framework using K-means to analyze network logs for identifying and categorizing internet attacks, aiding forensic investigations efficiently.
Contribution
It introduces a novel framework that applies K-means clustering to log files for attack classification in network forensics.
Findings
Logs can be effectively grouped into attack categories
The framework assists investigators in attack source identification
Clustering improves the speed of forensic analysis
Abstract
Internet crimes are increasing. Along with the many crimes committed using information technology, in particular the Internet, some crimes are carried out as attacks against a particular agency or institution. Finding and identifying the types of attacks requires a long process that demands time, human resources and the use of information technology. The process of identifying attacks that have happened also needs the support of both hardware and software. Attacks on the Internet network can generally be recorded in a log file that has a specific data format. Clustering is one method that can be used to facilitate the identification process. Having grouped the log file data using the K-means clustering technique, the data is grouped into three categories of attack, and will be continued with…
Taxonomy
Topics: Digital and Cyber Forensics · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
