Authors:
M. Reza H. Iman
1
;
Pavel Chikul
2
;
Gert Jervan
1
;
Hayretdin Bahsi
2
and
Tara Ghasempouri
1
Affiliations:
1
Department of Computer Systems, Tallinn University of Technology, Tallinn, Estonia
;
2
Centre for Digital Forensics and Cyber Security, Tallinn University of Technology, Tallinn, Estonia
Keyword(s):
NTFS, USN Journal, Forensics, Pattern Recognition, Association Rule Mining, Anomaly Detection.
Abstract:
NTFS USN Journal tracks all the changes in the files, directories, and streams of a volume for various reasons including backup. Although this data source has been considered a significant artifact for digital forensic investigations, the utilization of this source for automatic malicious behavior detection is less explored. This paper applies temporal association rule mining to data obtained from the NTFS USN Journal for malicious behavior detection. The proposed method extracts association rules from two data sources, the first one with normal behavior and the second one with a malicious one. The obtained rules, which have embedded the sequence of information, are compared with respect to their support and confidence values to identify the ones indicating malicious behavior. The method is applied to a ransomware case to demonstrate its feasibility in finding relevant rules based on USN journal activities.