Analysis of Computer Audit Data to Create Indicators of Compromise for Intrusion Detection

Authors

Steven Millett, Southern Methodist UniversityFollow
Michael Toolin, Southern Methodist UniversityFollow
Justin Bates, Colorado Technical UniversityFollow

Abstract

Network security systems are designed to identify and, if possible, prevent unauthorized access to computer and network resources. Today most network security systems consist of hardware and software components that work in conjunction with one another to present a layered line of defense against unauthorized intrusions. Software provides user interactive layers such as password authentication, and system level layers for monitoring network activity. This paper examines an application monitoring network traffic that attempts to identify Indicators of Compromise (IOC) by extracting patterns in the network traffic which likely corresponds to unauthorized access. Typical network log data and construct indicators are analyzed to predict network intrusion. Based on these indicators, a fitted model was created demonstrating which indicators best predict an intrusion event. In the end we found that XGBoost provided the best accuracy and f-score for our model fit. The IOCs that best predicted an intrusion event were associated with newly recorded events, network traffic, and DNS events.

Recommended Citation

Millett, Steven; Toolin, Michael; and Bates, Justin (2019) "Analysis of Computer Audit Data to Create Indicators of Compromise for Intrusion Detection," SMU Data Science Review: Vol. 2: No. 1, Article 16.
Available at: https://scholar.smu.edu/datasciencereview/vol2/iss1/16

Creative Commons License

This work is licensed under a Creative Commons Attribution-Noncommercial 4.0 License