Article code: 6884566
Journal code: 1444318
Year of publication: 2018
English article: 11 pages, PDF
Full-text version: free download
English title of the ISI article
Identifying irregularities in security event logs through an object-based Chi-squared test of independence
Related subjects
Engineering and Basic Sciences; Computer Engineering; Computer Networks and Communications
English abstract
A novel technique for identifying irregular event log entries is presented in this paper, along with its implementation in a Microsoft Windows-based environment. The motivation behind this research is to identify irregular activity in a system while minimising any requirement for expert knowledge, in addition to saving investigative time and computing resources. As the developed solution uses the standard Microsoft format for event logs, it can work with live systems as well as with events extracted and stored for off-site analysis. The solution consists of two major steps: first, convert the event logs into an object-based model, and second, perform statistical analysis using the Chi-squared (χ2) test of independence and classify mean χ2 values into discrete categories using the Jenks natural breaks method. Event log entries that fail the test of dependence are considered irregular events. It is also shown that the proposed solution has an advantage over primitive frequency analysis methods, as it uses object relationships among event log entries to determine irregularities and thereby locate anomalous activities. Empirical analysis of the solution is performed using event log data from 20 machines and shows promising results by correctly identifying irregular events. Further experimental analysis involving the insertion of synthetic irregular events results in an average accuracy of 85%.
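As an added illustration (not code from the paper), the two steps the abstract describes, run on a constructed set of Windows-style logon entries: each entry is treated as a set of object values (EventID, Account, LogonType, Computer), every pair of its values is scored with a 2x2 chi-squared test of independence against the rest of the log, the per-entry mean χ2 is bucketed with Jenks natural breaks, and the entries in the lowest bucket, whose object pairs fail the test of dependence, are reported as irregular. The field names, the sample event IDs and the 2x2 formulation of the test are assumptions made here.

```python
from itertools import combinations

# Constructed sample log (EventID, Account, LogonType, Computer): three regular
# activity patterns plus one odd entry, a type-10 (RDP) logon by alice on SRV01,
# which none of the regular patterns share. Values are illustrative only.
LOG = ([("4624", "alice", "2", "WS01")] * 5 + [("4634", "alice", "2", "WS01")] * 3
       + [("4624", "bob", "2", "WS02")] * 5 + [("4634", "bob", "2", "WS02")] * 3
       + [("4672", "svc_backup", "5", "SRV01")] * 5 + [("4624", "alice", "10", "SRV01")])

def chi2_2x2(log, i, a, j, b):
    """Chi-squared statistic of the 2x2 table 'field i == a' vs 'field j == b'."""
    n11 = sum(1 for e in log if e[i] == a and e[j] == b)
    n10 = sum(1 for e in log if e[i] == a) - n11
    n01 = sum(1 for e in log if e[j] == b) - n11
    n00 = len(log) - n11 - n10 - n01
    denom = (n11 + n10) * (n01 + n00) * (n11 + n01) * (n10 + n00)
    # A value present in every entry (or absent) carries no information: score 0.
    return 0.0 if denom == 0 else len(log) * (n11 * n00 - n10 * n01) ** 2 / denom

def mean_chi2(log, entry):
    """Mean chi-squared over every pair of object values in one entry."""
    scores = [chi2_2x2(log, i, entry[i], j, entry[j])
              for i, j in combinations(range(len(entry)), 2)]
    return sum(scores) / len(scores)

def jenks_breaks(values, k):
    """Fisher-Jenks natural breaks: upper bounds of k classes minimising within-class variance."""
    data, n = sorted(values), len(values)
    best = [[float("inf")] * (k + 1) for _ in range(n + 1)]   # best[i][j]: i values in j classes
    start = [[0] * (k + 1) for _ in range(n + 1)]            # start index of the last class
    best[0][0] = 0.0
    for i in range(1, n + 1):
        s = s2 = 0.0
        for m in range(i, 0, -1):                 # candidate last class data[m-1:i]
            v = data[m - 1]; s += v; s2 += v * v
            sv = s2 - s * s / (i - m + 1)         # its sum of squared deviations
            for j in range(1, k + 1):
                if best[m - 1][j - 1] + sv < best[i][j]:
                    best[i][j], start[i][j] = best[m - 1][j - 1] + sv, m
    bounds, i = [], n
    for j in range(k, 0, -1):                     # walk the chosen classes back
        bounds.append(data[i - 1]); i = start[i][j] - 1
    return bounds[::-1]

def find_irregular(log, k=3):
    """Distinct entries whose mean chi-squared falls in the lowest Jenks class."""
    scores = [mean_chi2(log, e) for e in log]
    low = jenks_breaks(scores, k)[0]
    return sorted({e for e, s in zip(log, scores) if s <= low})
```

On the constructed log only the alice/type-10/SRV01 entry lands in the lowest class; the service account, whose four values always co-occur, scores highest.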
Publisher
Database: Elsevier - ScienceDirect
Journal: Journal of Information Security and Applications - Volume 40, June 2018, Pages 52-62