Multi-Step Scenario Matching Based on Unification
Panichprecha, Sorot, Zimmermann, Jacob, Mohay, George M., & Clark, Andrew J. (2007) Multi-Step Scenario Matching Based on Unification. In Valli, Craig & Woodward, Andrew (Eds.) 5th Australian Digital Forensics Conference, 3rd December, 2007, Perth, Western Australia.
This paper presents an approach to multi-step scenario specification and matching, which aims to address some of the issues and problems inherent in to scenario specification and event correlation found in most previous work. Our approach builds upon the unification algorithm which we have adapted to provide a seamless, integrated mechanism and framework to handle event matching, filtering, and correlation. Scenario specifications using our framework need to contain only a definition of the misuse activity to be matched. This characteristic differentiates our work from most of the previous work which generally requires scenario specifications also to include additional information regarding how to detect the misuse activity. In this paper we present a prototype implementation which demonstrates the effectiveness of the unification-based approach and our scenario specification framework. Also, we evaluate the practical usability of the approach.
Impact and interest:
Citation counts are sourced monthly from and citation databases.
These databases contain citations from different subsets of available publications and different time periods and thus the citation count from each is usually different. Some works are not in either database and no count is displayed. Scopus includes citations from articles published in 1996 onwards, and Web of Science® generally from 1980 onwards.
Citations counts from theindexing service can be viewed at the linked Google Scholar™ search.
Full-text downloads displays the total number of times this work’s files (e.g., a PDF) have been downloaded from QUT ePrints as well as the number of downloads in the previous 365 days. The count includes downloads for all files if a work has more than one.
|Item Type:||Conference Paper|
|Additional Information:||The contents of this conference can be freely accessed online via the conference's web page (see hypertext link).|
|Keywords:||Computer Forensics, Event Correlation, Multi, step Scenario, Signature Matching, Event Representation|
|Subjects:||Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > DATA FORMAT (080400) > Data Format not elsewhere classified (080499)|
|Divisions:||Past > QUT Faculties & Divisions > Faculty of Science and Technology
Past > Institutes > Information Security Institute
|Copyright Owner:||Copyright 2007 (The authors)|
|Copyright Statement:||The author/s assign SCISSEC & Edith Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. The authors also grant a non-exclusive license to SCISSEC & ECU to publish this document in full in the Conference Proceedings. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. Any other usage is prohibited without the express permission of the authors.|
|Deposited On:||05 Aug 2008 00:00|
|Last Modified:||29 Feb 2012 13:33|
Repository Staff Only: item control page