Host or endpoint event logs in a computer network are a valuable and under-utilized data source for network security. These logs allow analysts both to understand normal behavior across the network and to replay the details of an intrusion. However, they are also a complex data source. Given the vast number of logged events, human analysts struggle to discover interesting relationships between entries and to find the few useful log entries amid a huge number of innocuous ones.
One important research problem associated with these data is identifying user credential theft or misuse: a stolen credential is still a valid credential, so the only evidence that it has been stolen is that the account starts behaving differently from its owner's established pattern. Various approaches to modelling user behaviour in a computer network will be presented.
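As an added illustration of the kind of behavioural baseline the abstract refers to (this is example code written for this page, not the authors' method or code), the following builds a per-account profile from successful authentication events and flags later events that deviate from it. The log format is a constructed, LANL-style comma-separated record (time, user, source host, destination host, logon type, outcome), and the three signals, the window and the fan-out limit are assumptions chosen for illustration; a real deployment would tune them against its own data.

```python
"""Toy user-behaviour baseline for spotting credential misuse in host auth logs.

Added example, not from the original abstract.  Log lines below are constructed;
the record layout 'time,user,src,dst,logon_type,outcome' and all thresholds are
assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """What 'normal' looks like for one account during the training window."""
    src_hosts: set = field(default_factory=set)  # machines the user logs on from
    dst_hosts: set = field(default_factory=set)  # machines the user logs on to
    hours: set = field(default_factory=set)      # hours of day with successful logons


def parse_auth_line(line):
    """Parse 'time,user,src,dst,logon_type,outcome'; time is epoch seconds."""
    t, user, src, dst, ltype, outcome = line.strip().split(",")
    return {"time": int(t), "user": user, "src": src, "dst": dst,
            "logon_type": ltype, "outcome": outcome}


def build_baseline(events):
    """Learn per-user profiles from successful logons only; failures are noise here."""
    profiles = defaultdict(UserProfile)
    for ev in events:
        if ev["outcome"] != "Success":
            continue
        p = profiles[ev["user"]]
        p.src_hosts.add(ev["src"])
        p.dst_hosts.add(ev["dst"])
        p.hours.add((ev["time"] // 3600) % 24)
    return dict(profiles)


def score_events(events, profiles, fanout_window=600, fanout_limit=3):
    """Return (time, user, src, dst, reasons) for logons that deviate from the profile.

    Signals (each a classic symptom of a stolen credential being reused):
      unknown_user - no profile at all for this account
      new_src      - account logs on from a machine it never used in the baseline
      new_dst      - account reaches a machine it never touched in the baseline
      off_hours    - hour of day never seen for this account in the baseline
      fan_out      - more than fanout_limit distinct destinations within fanout_window s
    """
    alerts = []
    recent = defaultdict(list)  # user -> [(time, dst)] for the fan-out check
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["outcome"] != "Success":
            continue
        user, now = ev["user"], ev["time"]
        reasons = []
        p = profiles.get(user)
        if p is None:
            reasons.append("unknown_user")
        else:
            if ev["src"] not in p.src_hosts:
                reasons.append("new_src")
            if ev["dst"] not in p.dst_hosts:
                reasons.append("new_dst")
            if (now // 3600) % 24 not in p.hours:
                reasons.append("off_hours")
        # Drop entries older than the window, then count distinct destinations.
        recent[user] = [(t, d) for t, d in recent[user] if now - t <= fanout_window]
        recent[user].append((now, ev["dst"]))
        if len({d for _, d in recent[user]}) > fanout_limit:
            reasons.append("fan_out")
        if reasons:
            alerts.append((now, user, ev["src"], ev["dst"], reasons))
    return alerts


# Constructed sample data: a short training window, then a later window in which
# U1's credential is reused from an unfamiliar host to walk across new machines.
BASELINE_LOG = [
    "1000,U1,C1,C1,Interactive,Success",
    "4600,U1,C1,C2,Network,Success",
    "8200,U1,C1,C1,Interactive,Success",
    "1200,U2,C3,C3,Interactive,Success",
    "4800,U2,C3,C4,Network,Success",
    "5000,U2,C5,C4,Network,Failure",   # failed logon: ignored when learning
]
TEST_LOG = [
    "90000,U1,C1,C2,Network,Success",  # normal for U1
    "90100,U1,C7,C9,Network,Success",  # new source and new destination
    "90200,U1,C7,C10,Network,Success",
    "90300,U1,C7,C11,Network,Success", # fourth distinct destination in 600 s
    "90400,U2,C3,C4,Network,Success",  # normal for U2
    "90500,U9,C8,C4,Network,Success",  # account never seen in the baseline
]


def run_demo():
    """Build the baseline from BASELINE_LOG and score TEST_LOG against it."""
    profiles = build_baseline(parse_auth_line(l) for l in BASELINE_LOG)
    return score_events([parse_auth_line(l) for l in TEST_LOG], profiles)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The profile here is deliberately a set of seen values; the approaches the talk presents replace that with proper statistical or graph models of who logs on where, but the analyst-facing output is the same idea: a ranked list of authentications that the owner of the account would not be expected to produce.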