Customized access log classifier for cybersecurity incident detection

Authors

DOI:

https://doi.org/10.36561/ING.18.7

Keywords:

Filtering, Cybersecurity response, CLF, Cachine learning

Abstract

The number of attacks on government websites has escalated in the last years. In order to assist in the detection process conducted by cybersecurity analysts, this document suggests implementing machine learning techniques over web server access logs. The overall objective is to optimize the detection time using a customized classifier which selects traces corresponding to anomalous activity. Specifically, web server combined log format (CLF) access logs coded as real vectors are an input to a weighted K-NN nearest neighbors’ model. The methodology was tested on datasets and premises provided by the CERTuy (National Cybersecurity Event Response Team) and the SOC (Security Operations Center). According to evaluations 82% of cybersecurity offenses have been detected, 80% of normal behavior has been filtered and the reduction time has been reduced from 13 hours to 15 minutes.

Downloads

Download data is not yet available.

Downloads

Published

2020-06-29

How to Cite

[1]
M. Pérez del Castillo, G. Rial, R. Sotelo, and M. Gurméndez, “Customized access log classifier for cybersecurity incident detection”, Memoria investig. ing. (Facultad Ing., Univ. Montev.), no. 18, pp. 47–52, Jun. 2020.

Issue

No. 18 (2020): Special Edition ANIU Awards

Section

Articles
Crossref
Scopus
Google Scholar
Europe PMC

Most read articles by the same author(s)

1 2 > >>