Investigative behavior profiling with one class SVM for computer forensics

Abstract

Behavior profiling of a user or a system is of great importance and is a non-trivial task of system forensic experts. User profiling information is very much useful for forensic investigators by monitoring and collecting significant changes in user's behavior based on his/her computer usage patterns. Traditional investigation mechanisms are based on command line system events collected using log files. In a GUI based investigative profiling system, most of the user activities are performed using either mouse movements and clicks or a combination of mouse movements and keystrokes. The command line data cannot capture the complete GUI event behavior of the users hence it is insufficient to perform any forensic analysis in GUI based systems. Presently, there is no frame work available to capture the GUI based user behavior for forensic investigation. We have proposed a novel approach to capture the GUI based user behavior using a logging tool. Our experimentation results shows that, the GUI based investigative profiling forensic can give more accurate and leads to identify the culprits. We have shown how one class SVM is less overhead in terms of training and testing instances for computer forensic compared to two class SVM. © 2011 Springer-Verlag.