Anomalous File System Activity Detection Through Temporal Association Rule Mining

M. Reza H. Iman; Pavel Chikul; Gert Jervan; Hayretdin Bahsi; Tara Ghasempouri

doi:10.5220/0011805100003405

Anomalous File System Activity Detection Through Temporal Association Rule Mining

M. Reza H. Iman, Pavel Chikul, Gert Jervan, Hayretdin Bahsi, Tara Ghasempouri

2023

Abstract

NTFS USN Journal tracks all the changes in the files, directories, and streams of a volume for various reasons including backup. Although this data source has been considered a significant artifact for digital forensic investigations, the utilization of this source for automatic malicious behavior detection is less explored. This paper applies temporal association rule mining to data obtained from the NTFS USN Journal for malicious behavior detection. The proposed method extracts association rules from two data sources, the first one with normal behavior and the second one with a malicious one. The obtained rules, which have embedded the sequence of information, are compared with respect to their support and confidence values to identify the ones indicating malicious behavior. The method is applied to a ransomware case to demonstrate its feasibility in finding relevant rules based on USN journal activities.

Download

Paper Citation

in Harvard Style

H. Iman M., Chikul P., Jervan G., Bahsi H. and Ghasempouri T. (2023). Anomalous File System Activity Detection Through Temporal Association Rule Mining. In Proceedings of the 9th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-624-8, pages 733-740. DOI: 10.5220/0011805100003405

in Bibtex Style

@conference{icissp23,
author={M. Reza H. Iman and Pavel Chikul and Gert Jervan and Hayretdin Bahsi and Tara Ghasempouri},
title={Anomalous File System Activity Detection Through Temporal Association Rule Mining},
booktitle={Proceedings of the 9th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2023},
pages={733-740},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0011805100003405},
isbn={978-989-758-624-8},
}

in EndNote Style

TY - CONF

JO - Proceedings of the 9th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Anomalous File System Activity Detection Through Temporal Association Rule Mining
SN - 978-989-758-624-8
AU - H. Iman M.
AU - Chikul P.
AU - Jervan G.
AU - Bahsi H.
AU - Ghasempouri T.
PY - 2023
SP - 733
EP - 740
DO - 10.5220/0011805100003405