Threat-hunting in Windows environment using host-based log data

Thumbnail Image



Journal Title

Journal ISSN

Volume Title


University of New Brunswick


In a general log-based anomaly detection system, network, devices and host logs are all used together for analysis and the detection of anomalies. However, the ever-increasing volume of logs remains as one of the main challenges that anomaly detection tools face. This thesis proposes a host-based log analysis system that detects anomalies without using network logs to reduce the volume and to show the importance of host-based logs. A parser is implemented to parse and extract features from Sysmon logs and use them to perform detection methods on the data. The valuable information is successfully retained after two extensive volume reduction steps. An anomaly detection system is proposed and performed on different datasets with up to 55,000 events and over a million log messages. The system easily detects the attacks and malicious activities using the preserved logs. The analysis results demonstrate the significance of host-based logs in auditing, security monitoring, and intrusion detection systems.