Publication details


LUARM – An Audit Engine for Insider Misuse Detection
Magklaras GB, Furnell SM, Papadaki M
Proceedings of the Sixth International Workshop on Digital Forensics & Incident Analysis (WDFIA 2011), London, UK, ISBN: 978-1-84102-285-7, pp133-148, 2011

'Logging User Actions in Relational Mode' (LUARM) is an open source audit engine for Linux. It provides a near real-time snapshot of user action data such as file access, program execution and network endpoint activity, all organized in easily searchable relational tables. LUARM attempts to solve two fundamental problems of the insider IT misuse domain. The first concerns the lack of insider misuse case data repositories that post-case forensic examiners could use to aid an incident investigation. The second concerns how information security researchers can improve their ability to accurately specify insider threats at system level. This paper presents LUARM's design perspectives and a 'post mortem' case study of an insider IT misuse incident. The results show that the prototype audit engine has good potential to provide valuable insight into the way insider IT misuse incidents manifest on IT systems, and that it can be a valuable complement to forensic investigators of IT misuse incidents.
