In 2014, we launched our open-access repository which offers full text access to conference proceedings from many of our events including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).
6th International Workshop on Digital Forensics and Incident Analysis (WDFIA 2011)
Title: LUARM – An audit engine for insider misuse detection
Author(s): George Magklaras, Steven Furnell, Maria Papadaki
Keywords: insiders, misuse, detection, auditing, logging, forensics, Linux
Abstract: 'Logging User Actions in Relational Mode' (LUARM) is an open source audit engine for Linux, although it can be easily ported to other Unix based systems. It provides a near real-time snapshot of a number of user action data such as file access, program execution and network endpoint user activities, all organized in easily searchable relational tables. LUARM attempts to solve two fundamental problems of the insider IT misuse domain. The first concerns the lack of insider misuse case data repositories that could be used by post-case forensic examiners to aid an incident investigation. The second problem relates to how information security researchers can enhance their ability to specify accurately insider threats at system level. This paper presents LUARM's design perspectives and a 'post mortem' case study of an insider IT misuse incident. The results show that the prototype audit engine has a good potential to provide a valuable insight into the way insider IT misuse incidents manifest on IT systems and can be a valuable complement to forensic investigators of IT misuse incidents.
Download count: 1796
How to get this paper:
PDF copy of this paper is free to download. You may distribute this copy providing you cite this page as the source.