Title/Summary/Keyword: Events Log

Log Analysis System Design using RTMA

  • Park, Hee-Chang; Myung, Ho-Min
  • Korean Data and Information Science Society: Conference Proceedings / 2004.04a / pp.225-236 / 2004
  • Every web server comprises a repository of all actions and events that occur on the server. Server logs can be used to quantify user traffic. Intelligent analysis of this data provides a statistical baseline that can be used to determine server load, failed requests and other events that throw light on site usage patterns. This information provides valuable leads for marketing and site management activities. In this paper, we propose a design method for a log analysis system using the RTMA (real-time monitoring and analysis) technique.


Security Audit System for Secure Router

  • Doo, So-Young; Kim, Ki-Young
  • Institute of Control, Robotics and Systems: Conference Proceedings / 2005.06a / pp.1602-1605 / 2005
  • An audit tracer is one of the last ways to defend against an attack on network equipment. Firewalls and IDS, which block an attack in advance, are active measures, while audit tracing is a passive measure that infers the type and situation of an attack from logs after the attack. This paper explains the importance of the audit trace function in network equipment for security and defines the events that must be recorded in the security audit log. We design and implement a security audit system for a secure router. This paper explains the reason why we separate the general audit log from the security audit log.


Hazardous Events and Causes for Train Collision and Derailment (열차 충돌/탈선사고의 위험사건 정의 및 원인 분류)

  • Park, Joo-Nam; Wang, Jong-Bae; Park, Chan-Woo; Kwak, Sang-Log
  • Proceedings of the KSR Conference / 2007.05a / pp.1174-1179 / 2007
  • Train collision and derailment are types of accident that happen with a low probability of occurrence but could lead to disastrous consequences, including multiple losses of life. Risk assessment of these accidents is typically performed per their hazardous events, which are defined as events that cause accidents. This study classifies train collision and derailment based on the relevant hazardous event, and investigates the causes related to the hazardous events. Finally, the relation between the causes, hazardous events, and the accidents is defined.


Design and Implementation of Web Attack Detection System Based on Integrated Web Audit Data (통합 이벤트 로그 기반 웹 공격 탐지 시스템 설계 및 구현)

  • Lee, Hyung-Woo
  • Journal of Internet Computing and Services / v.11 no.6 / pp.73-86 / 2010
  • In proportion to the rapid increase in the number of Web users, web attack techniques are also getting more sophisticated. Therefore, we need not only to detect Web attacks based on log analysis but also to extract web attack events from audit information such as Web firewall, Web IDS and system logs in order to detect abnormal Web behaviors. In this paper, a web attack detection system was designed and implemented based on integrated web audit data for detecting diverse web attacks, by generating integrated log information from the W3C form of the IIS log and the web firewall/IDS log. The proposed system analyzes multiple web sessions and efficiently determines the correlation between the sessions and web attacks. Therefore, the proposed system has the advantage of extracting the latest web attack events efficiently by designing and implementing active multiple web session and log correlation analysis.

Event Log Analysis Framework Based on the ATT&CK Matrix in Cloud Environments (클라우드 환경에서의 ATT&CK 매트릭스 기반 이벤트 로그 분석 프레임워크)

  • Yeeun Kim; Junga Kim; Siyun Chae; Jiwon Hong; Seongmin Kim
  • Journal of the Korea Institute of Information Security & Cryptology / v.34 no.2 / pp.263-279 / 2024
  • With the increasing trend of Cloud migration, security threats in the Cloud computing environment have also increased significantly. Consequently, the importance of efficient incident investigation through log data analysis is being emphasized. In Cloud environments, the diversity of services and the ease of resource creation generate a large volume of log data. Difficulties remain in determining which events to investigate when an incident occurs, and examining all the extensive log data requires considerable time and effort. Therefore, a systematic approach for efficient data investigation is necessary. CloudTrail, the Amazon Web Services (AWS) logging service, collects logs of all API call events occurring in an account. However, CloudTrail lacks insight into which logs to analyze in the event of an incident. This paper proposes an automated analysis framework that integrates the Cloud Matrix and event information for efficient incident investigation. The framework enables simultaneous examination of user behavior log events, event frequency, and attack information. We believe the proposed framework contributes to Cloud incident investigations by efficiently identifying critical events based on the ATT&CK Framework.

A Study on Drone log analysis methods using FC safety events (드론의 FC 안전 이벤트를 활용한 로그 분석방법에 대한 연구)

  • Jun-Ho Bae; Il-Do Kim; Do-Hyung Kim; Chung-Hee Ka
  • Proceedings of the Korea Information Processing Society Conference / 2023.11a / pp.304-305 / 2023
  • The log file that can be extracted after a drone flight is data from which the drone's flight information can be checked. When this data is visualized in graph form using a log analyzer, it becomes easy to analyze various flight data such as flight speed, distance and altitude. Log analysis data also includes records of safety issues that occur during operation of the aircraft, so it is used as important material when determining whether a drone accident or malfunction has occurred. Therefore, when analyzing the data, it is more effective to analyze it in relation to the points in time at which safety issues occurred. However, commercial services do not provide a way to view analysis data together with safety issue data. Therefore, this paper presents a method for adding safety issue information to an existing log analysis system so that it can be viewed, and proposes a way for drone operators to perform log analysis more effectively.

Log Storage Scheme Considering Log Transmission Based on Time-Delayed Key Disclosure (키 지연 노출에 기반을 둔 로그 전송을 고려한 로그 저장 기법)

  • Kang, Seok-Gyu; Park, Chang-Seop
  • Convergence Security Journal / v.15 no.5 / pp.37-45 / 2015
  • In an IT system, logs are an indicator of previous key events. Therefore, when a security problem occurs in the system, logs are used to find evidence and a solution to the problem. So, it is important to ensure the integrity of the stored logs. Existing schemes have been proposed to detect tampering of the stored logs after the key has been exposed. Existing schemes are designed separately in terms of log transmission and storage. We propose a new log system for integrating log transmission with storage. In addition, we prove the security requirements of the proposed scheme and compare its computational efficiency with existing schemes.

Appropriate identification of optimum number of hidden states for identification of extreme rainfall using Hidden Markov Model: Case study in Colombo, Sri Lanka

  • Chandrasekara, S.S.K.; Kwon, Hyun-Han
  • Proceedings of the Korea Water Resources Association Conference / 2019.05a / pp.390-390 / 2019
  • Application of the Hidden Markov Model (HMM) to hydrological time series would be an innovative way to identify extreme rainfall events in a series. The optimum number of hidden states can be identified based on maximizing the log-likelihood or minimizing the Bayesian information criterion. However, occasionally the value of the log-likelihood keeps increasing with the number of states, which gives a false identification of the optimum hidden state. Therefore, this study attempts to identify the optimum number of hidden states for Colombo station, Sri Lanka, as a fundamental approach to identifying the frequency and percentage of extreme rainfall events for the station. Colombo station consisted of daily rainfall values between 1961 and 2015. The representative station is located in the wet zone of Sri Lanka, where the major rainfall season falls between May and September. Therefore, the HMM was run for the season of May to September between 1961 and 2015. Results showed more or less similar log-likelihood values, which could be identified as the maximum, for states between 4 and 7. Therefore, measures of central tendency (i.e. mean, median, mode, standard deviation, variance and auto-correlation) for the observed and simulated daily rainfall series were computed for each state to identify the optimum state that could give statistically compatible results. Further, the method was applied to the second major rainfall season (i.e. October to February) for the same station as a comparison.


A Model for Illegal File Access Tracking Using Windows Logs and Elastic Stack

  • Kim, Jisun; Jo, Eulhan; Lee, Sungwon; Cho, Taenam
  • Journal of Information Processing Systems / v.17 no.4 / pp.772-786 / 2021
  • The process of manually tracking suspicious behavior on a system and gathering evidence is labor-intensive, variable, and experience-dependent. The system logs are the most important sources of evidence in this process. However, in the Microsoft Windows operating system, the action events are irregular and the log structure is difficult to audit. In this paper, we propose a model that overcomes these problems and efficiently analyzes Microsoft Windows logs. The proposed model extracts lists of both common and key events from the Microsoft Windows logs to determine detailed actions. In addition, we show an approach based on the proposed model applied to tracking illegal file access. The proposed approach employs three-step tracking templates using Elastic Stack as well as key-event, common-event and identify event lists, which enables visualization of the data for analysis. Using the three-step model, analysts can adjust the depth of their analysis.

Comparative Analysis of Security Schemes for Log System Providing Forward Security (전방 안전성이 보장되는 로그 시스템 보안기법 비교분석)

  • Kang, Seok-Gyu; Park, Chang-Seop
  • Convergence Security Journal / v.15 no.7 / pp.85-96 / 2015
  • In an IT system, logs are an indicator of previous key events. Therefore, when a security problem occurs in the system, logs are used to find evidence and a solution to the problem. So, it is important to ensure the integrity of the stored logs. Existing schemes have been proposed to detect tampering of the stored logs after the key has been exposed. Existing schemes are designed separately in terms of log transmission and storage. We propose a new log system for integrating log transmission with storage. In addition, we prove the security requirements of the proposed scheme and compare its computational efficiency with existing schemes.