@MASTERSTHESIS\{IMM2005-03589,
    author       = "J. P. Petersen",
    title        = "Forensic examination of log files",
    year         = "2005",
    keywords     = "Network Forensics, Log Analysis, NetFlow, Probing, Denial of Service, Flow Classification, Feature Extraction, Traffic Aggregation",
    school       = "Informatics and Mathematical Modelling, Technical University of Denmark, {DTU}",
    address      = "Richard Petersens Plads, Building 321, {DK-}2800 Kgs. Lyngby",
    type         = "",
    note         = "Supervised by Assoc. Prof. Robin Sharp",
    url          = "http://www2.compute.dtu.dk/pubdb/pubs/3589-full.html",
    abstract     = "Forensic examination of logs plays a big role in modern computer security, but it has become a time consuming and daunting task due to the sheer amount of data involved. It is therefore necessary to make specialized tools to aid the investigation, so that the digital evidence can be extracted in a fast and efficient manner.

In this thesis a system is developed that can identify malicious tra c in router logs on a log entry level. This is done using specialized feature extractors and a classifier based on a neural network. The system is developed for Network logs, and problem associated with  ows are investigated, such as how unidirectional  flows should be handled. As a proof of concept, the system is developed to detect host scans. This is done using real router log data, and log data derived from the 1999 {DARPA} Intrusion Detection Evaluation data set. The system could easily be extended to detect other kinds of malicious traffic, such as Denial of Service attacks and probes other than the host scan. New contributions in this thesis are use of artificial neural networks to classify router logs, classification of each log entry, and development of feature extractors for Netflow logs."
}