ICIMP 2016, The Eleventh International Conference on Internet Monitoring and Protection


Intrusion Detection Using Indicators of Compromise Based on Best Practices and Windows Event Logs

Authors:
María del Carmen Prudente Tixteco
Lidia Prudente Tixteco
Gabriel Sánchez Pérez
Linda Karina Toscano Medina

Keywords: indicators of compromise; windows event logs; intrusion detection

Abstract:
Nowadays computer attacks and intrusions have become more common, affecting the confidentiality, integrity or availability of computer systems. They are also more sophisticated, making the job of information security analysts more complicated, mainly because the attack vectors are more robust and harder to identify. One of the main resources that information security staff have at their disposal is Indicators of Compromise (IOCs), which allow the identification of potentially malicious activity on a system or network. Usually IOCs are made of virus signatures, IP addresses, URLs or domains and some other elements, which are not sufficient to detect an intrusion or malicious activity on a computer system. The Windows event logs register different activities in a Windows® operating system and are valuable elements in a forensic analysis process. IOCs can be generated from Windows event logs for intrusion detection, improving Incident Response (IR) and forensic analysis processes. This paper presents a procedure to generate IOCs from Windows event logs to achieve a more efficient diagnosis of computer systems for IR.

Pages: 29 to 37

Copyright: Copyright (c) IARIA, 2016

Publication date: May 22, 2016

Published in: conference

ISSN: 2308-3980

ISBN: 978-1-61208-475-6

Location: Valencia, Spain

Dates: from May 22, 2016 to May 26, 2016