Threat-hunting in Windows environment using host-based log data

dc.contributor.advisor: Ghorbani, Ali
dc.contributor.author: Fatemi, Mohammad Rasool
dc.description.abstract: In a general log-based anomaly detection system, network, device and host logs are all used together for analysis and the detection of anomalies. However, the ever-increasing volume of logs remains one of the main challenges that anomaly detection tools face. This thesis proposes a host-based log analysis system that detects anomalies without using network logs, both to reduce the volume of data and to show the importance of host-based logs. A parser is implemented to parse Sysmon logs and extract features from them, which are then used as input to the detection methods. The valuable information is successfully retained after two extensive volume reduction steps. An anomaly detection system is proposed and evaluated on different datasets with up to 55,000 events and over a million log messages. The system easily detects the attacks and malicious activities using the preserved logs. The analysis results demonstrate the significance of host-based logs in auditing, security monitoring, and intrusion detection systems.
dc.description.copyright: ©Mohammad Rasool Fatemi, 2020
dc.description.note: Electronic Only.
dc.format.extent: xiii, 97 pages
dc.publisher: University of New Brunswick
dc.subject.discipline: Computer Science
dc.title: Threat-hunting in Windows environment using host-based log data
dc.type: master thesis


Original bundle: 4.16 MB, Adobe Portable Document Format