2009
Zhang, H., Ma, J., Wang, Y., Pei, Q..  2009.  An Active Defense Model and Framework of Insider Threats Detection and Sense. 2009 Fifth International Conference on Information Assurance and Security. 1:258–261.
Insider attacks are a well-known problem, acknowledged as a threat as early as the 1980s. The threat is attributed to legitimate users who take advantage of familiarity with the computational environment and abuse their privileges, and who can easily cause significant damage or losses. In this paper, we present an active defense model and framework of insider threat detection and sense. Firstly, we describe the hierarchical framework, which deals with insider threats from several aspects, and subsequently show a hierarchy-mapping based insider threat model, the kernel of threat detection, sense and prediction. The experiments show that the model and framework can sense insider threats in real time effectively.
2010
Zadig, Sean M., Tejay, Gurvirender.  2010.  Securing IS assets through hacker deterrence: A case study. 2010 eCrime Researchers Summit. :1–7.
Computer crime is a topic prevalent in both the research literature and in industry, due to a number of recent high-profile cyber attacks on e-commerce organizations. While technical means for defending against internal and external hackers have been discussed at great length, researchers have shown a distinct preference towards understanding deterrence of the internal threat and have paid little attention to external deterrence. This paper uses the criminological thesis known as Broken Windows Theory to understand how external computer criminals might be deterred from attacking a particular organization. The theory's focus upon disorder as a precursor to crime is discussed, and the notion of decreasing public IS disorder to create the illusion of strong information systems security is examined. A case study of a victim e-commerce organization is reviewed in light of the theory and implications for research and practice are discussed.
Zhang, T., Zhao, P..  2010.  Insider Threat Identification System Model Based on Rough Set Dimensionality Reduction. 2010 Second World Congress on Software Engineering. 2:111–114.
Insider threats do great damage to the security of information systems, and traditional security methods are extremely difficult to apply. Insider attack identification plays an important role in insider threat detection. Monitoring users' abnormal behavior is an effective method to detect impersonation. This method is applied to insider threat identification, building a user behavior attribute information database based on a weights-changeable feedback tree augmented Bayes network; since the data is massive, dimensionality reduction based on rough sets is used to establish the process information model of user behavior attributes. Using the minimum-risk Bayes decision can effectively identify the real identity of the user when the user's behavior departs from the characteristic model.
2012
Zhenqi Huang, University of Illinois at Urbana-Champaign, Sayan Mitra, University of Illinois at Urbana-Champaign, Geir Dullerud, University of Illinois at Urbana-Champaign.  2012.  Differentially Private Iterative Synchronous Consensus. Workshop on Privacy in the Electronic Society (WPES 2012).

The iterative consensus problem requires a set of processes or agents with different initial values, to interact and update their states to eventually converge to a common value. Protocols solving iterative consensus serve as building blocks in a variety of systems where distributed coordination is required for load balancing, data aggregation, sensor fusion, filtering, and synchronization. In this paper, we introduce the private iterative consensus problem where agents are required to converge while protecting the privacy of their initial values from honest but curious adversaries. Protecting the initial states, in many applications, suffices to protect all subsequent states of the individual participants.

We adapt the notion of differential privacy in this setting of iterative computation. Next, we present (i) a server-based and (ii) a completely distributed randomized mechanism for solving differentially private iterative consensus with adversaries who can observe the messages as well as the internal states of the server and a subset of the clients. Our analysis establishes the tradeoff between privacy and the accuracy.

Zoe McCarthy, University of Illinois at Urbana-Champaign, Timothy Bretl, University of Illinois at Urbana-Champaign.  2012.  Mechanics and Manipulation of Planar Elastic Kinematic Chains. IEEE International Conference on Robotics and Automation.

This paper presents a control strategy based on model learning for a self-assembled robotic “swimmer”. The swimmer forms when a liquid suspension of ferro-magnetic micro-particles and a non-magnetic bead are exposed to an alternating magnetic field that is oriented perpendicular to the liquid surface. It can be steered by modulating the frequency of the alternating field. We model the swimmer as a unicycle and learn a mapping from frequency to forward speed and turning rate using locally-weighted projection regression. We apply iterative linear quadratic regulation with a receding horizon to track motion primitives that could be used for path following. Hardware experiments validate our approach.

Zoe McCarthy, University of Illinois at Urbana-Champaign, Timothy Bretl, University of Illinois at Urbana-Champaign.  2012.  Mechanics and Manipulation of Planar Elastic Kinematic Chains. 2012 IEEE International Conference on Robotics and Automation.

In this paper, we study quasi-static manipulation of a planar kinematic chain with a fixed base in which each joint is a linearly-elastic torsional spring. The shape of this chain when in static equilibrium can be represented as the solution to a discrete-time optimal control problem, with boundary conditions that vary with the position and orientation of the last link. We prove that the set of all solutions to this problem is a smooth manifold that can be parameterized by a single chart. For manipulation planning, we show several advantages of working in this chart instead of in the space of boundary conditions, particularly in the context of a sampling-based planning algorithm. Examples are provided in simulation.

Timothy Bretl, University of Illinois at Urbana-Champaign, Zoe McCarthy, University of Illinois at Urbana-Champaign.  2012.  Equilibrium Configurations of a Kirchhoff Elastic Rod under Quasi-static Manipulation. Workshop on the Algorithmic Foundations of Robotics (WAFR).

Consider a thin, flexible wire of fixed length that is held at each end by a robotic gripper. The curve traced by this wire can be described as a local solution to a geometric optimal control problem, with boundary conditions that vary with the position and orientation of each gripper. The set of all local solutions to this problem is the configuration space of the wire under quasi-static manipulation. We will show that this configuration space is a smooth manifold of finite dimension that can be parameterized by a single chart. Working in this chart—rather than in the space of boundary conditions—makes the problem of manipulation planning very easy to solve. Examples in simulation illustrate our approach.

Timothy Bretl, University of Illinois at Urbana-Champaign, Zoe McCarthy, University of Illinois at Urbana-Champaign.  2012.  Mechanics and Quasi-Static Manipulation of Planar Elastic Kinematic Chains. IEEE Transactions on Robotics. 29(1)

In this paper, we study quasi-static manipulation of a planar kinematic chain with a fixed base in which each joint is a linearly elastic torsional spring. The shape of this chain when in static equilibrium can be represented as the solution to a discrete-time optimal control problem, with boundary conditions that vary with the position and orientation of the last link. We prove that the set of all solutions to this problem is a smooth three-manifold that can be parameterized by a single chart. Empirical results in simulation show that straight-line paths in this chart are uniformly more likely to be feasible (as a function of distance) than straight-line paths in the space of boundary conditions. These results, which are consistent with an analysis of visibility properties, suggest that the chart we derive is a better choice of space in which to apply a sampling-based algorithm for manipulation planning. We describe such an algorithm and show that it is easy to implement.

2013
Serdar Erbatur, Università degli Studi di Verona, Santiago Escobar, Universidad Politécnica de Valencia, Spain, Deepak Kapur, University of New Mexico, Zhiqiang Liu, Clarkson University, Christopher A. Lynch, Clarkson University, Catherine Meadows, Naval Research Laboratory, Jose Meseguer, University of Illinois at Urbana-Champaign, Paliath Narendran, University at Albany-SUNY, Sonia Santiago, Universidad Politécnica de Valencia, Spain, Ralf Sasse, Institute of Information Security, ETH.  2013.  Asymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis. 24th International Conference on Automated Deduction (CADE 2013).

We present a new paradigm for unification arising out of a technique commonly used in cryptographic protocol analysis tools that employ unification modulo equational theories. This paradigm relies on: (i) a decomposition of an equational theory into (R, E) where R is confluent, terminating, and coherent modulo E, and (ii) on reducing unification problems to a set of problems s =? t under the constraint that t remains R/E-irreducible. We call this method asymmetric unification. We first present a general-purpose generic asymmetric unification algorithm and then outline an approach for converting special-purpose conventional unification algorithms to asymmetric ones, demonstrating it for exclusive-or with uninterpreted function symbols. We demonstrate how asymmetric unification can improve performance by running the algorithm on a set of benchmark problems. We also give results on the complexity and decidability of asymmetric unification.

Niu, Yukun, Tan, Xiaobin, Zhou, Zifei, Zheng, Jiangyu, Zhu, Jin.  2013.  Privacy Protection Scheme in Smart Grid Using Rechargeable Battery. Proceedings of the 32nd Chinese Control Conference. :8825–8830.

A user's privacy and home energy use information can be obtained by analyzing the user's electrical load information in the smart grid, and this is an area of concern. A rechargeable battery may be used in the home network to protect the user's privacy. In this paper, the battery can neither charge nor discharge, and the power of the battery is adjustable; at the same time, we model the real user's electrical load information, the battery power information and the recorded electrical power of smart meters, which are processed in a discrete way. Then we put forward a heuristic algorithm which can make the rate of information leakage less than in existing solutions. We use statistical methods to protect the user's privacy; the theoretical analysis and the examples show that our solution makes the scene design more reasonable and is more effective than existing solutions at avoiding leakage of privacy.

Timothy Bretl, University of Illinois at Urbana-Champaign, Zoe McCarthy, University of Illinois at Urbana-Champaign.  2013.  Quasi-Static Manipulation of a Kirchhoff Elastic Rod Based on Geometric Analysis of Equilibrium Configurations. The International Journal of Robotics Research. 33(1)

Consider a thin, flexible wire of fixed length that is held at each end by a robotic gripper. Any curve traced by this wire when in static equilibrium is a local solution to a geometric optimal control problem, with boundary conditions that vary with the position and orientation of each gripper. We prove that the set of all local solutions to this problem over all possible boundary conditions is a smooth manifold of finite dimension that can be parameterized by a single chart. We show that this chart makes it easy to implement a sampling-based algorithm for quasi-static manipulation planning. We characterize the performance of such an algorithm with experiments in simulation.

Published in The International Journal of Robotics Research

Hui Lin, University of Illinois at Urbana-Champaign, Adam Slagell, University of Illinois at Urbana-Champaign, Catello Di Marino, University of Illinois at Urbana-Champaign, Zbigniew Kalbarczyk, University of Illinois at Urbana-Champaign, Ravishankar K. Iyer, University of Illinois at Urbana-Champaign.  2013.  Adapting Bro into SCADA: Building a Specification-based Intrusion Detection System for the DNP3 Protocol. Eighth Annual Security and Information Intelligence Research Workshop (CSIRRW 2013).

When SCADA systems are exposed to public networks, attackers can more easily penetrate the control systems that operate electrical power grids, water plants, and other critical infrastructures. To detect such attacks, SCADA systems require an intrusion detection technique that can understand the information carried by their usually proprietary network protocols.

To achieve that goal, we propose to attach to SCADA systems a specification-based intrusion detection framework based on Bro [7][8], a runtime network traffic analyzer. We have built a parser in Bro to support DNP3, a network protocol widely used in SCADA systems that operate electrical power grids. This built-in parser provides a clear view of all network events related to SCADA systems. Consequently, security policies to analyze SCADA-specific semantics related to the network events can be accurately defined. As a proof of concept, we specify a protocol validation policy to verify that the semantics of the data extracted from network packets conform to protocol definitions. We performed an experimental evaluation to study the processing capabilities of the proposed intrusion detection framework.

Stanley Bak, University of Illinois at Urbana-Champaign, Fardin Abdi, University of Illinois at Urbana-Champaign, Zhenqi Huang, University of Illinois at Urbana-Champaign, Marco Caccamo, University of Illinois at Urbana-Champaign.  2013.  Using Run-Time Checking to Provide Safety and Progress for Distributed Cyber-Physical Systems. 2013 IEEE 19th International Conference on Embedded and Real-Time Computing Systems and Applications.

Cyber-physical systems (CPS) may interact and manipulate objects in the physical world, and therefore ideally would have formal guarantees about their behavior. Performing static-time proofs of safety invariants, however, may be intractable for systems with distributed physical-world interactions. This is further complicated when realistic communication models are considered, for which there may not be bounds on message delays, or even that messages will eventually reach their destination. In this work, we address the challenge of proving safety and progress in distributed CPS communicating over an unreliable communication layer. This is done in two parts. First, we show that system safety can be verified by partially relying upon run-time checks, and that dropping messages if the run-time checks fail will maintain safety. Second, we use a notion of compatible action chains to guarantee system progress, despite unbounded message delays. We demonstrate the effectiveness of our approach on a multi-agent vehicle flocking system, and show that the overhead of the proposed run-time checks is not overbearing.

Hui Lin, University of Illinois at Urbana-Champaign, Adam Slagell, University of Illinois at Urbana-Champaign, Zbigniew Kalbarczyk, University of Illinois at Urbana-Champaign, Peter W. Sauer, University of Illinois at Urbana-Champaign, Ravishankar K. Iyer, University of Illinois at Urbana-Champaign.  2013.  Semantic Security Analysis of SCADA Networks to Detect Malicious Control Commands in Power Grids. First ACM Workshop on Smart Energy Grid Security.

In the current generation of SCADA (Supervisory Control And Data Acquisition) systems used in power grids, a sophisticated attacker can exploit system vulnerabilities and use a legitimate, maliciously crafted command to cause a wide range of system changes that traditional contingency analysis does not consider and remedial action schemes cannot handle. To detect such malicious commands, we propose a semantic analysis framework based on a distributed network of intrusion detection systems (IDSes). The framework combines system knowledge of both the cyber and physical infrastructure in the power grid to help the IDSes estimate the execution consequences of control commands, thus revealing the attacker's malicious intentions. We evaluated the approach on the IEEE 30-bus system. Our experiments demonstrate that: (i) by opening 3 transmission lines, an attacker can avoid detection by the traditional contingency analysis and instantly put the tested 30-bus system into an insecure state and (ii) the semantic analysis provides reliable detection of malicious commands with a small amount of analysis time.

Si, Xiaolin, Wang, Pengpian, Zhang, Liwu.  2013.  KP-ABE Based Verifiable Cloud Access Control Scheme. 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications. :34–41.

With the rapid development of the mobile internet, mobile devices require more complex authorization policies to ensure secure access control on mobile data. However, mobile devices have limited resources (computing, storage, etc.) and are not suitable for executing complex operations. Cloud computing is an increasingly popular paradigm for accessing powerful computing resources. Intuitively, we can solve that problem by moving the complex access control process to the cloud and implementing fine-grained access control relying on the powerful cloud. However, the cloud computation may not be trusted, so a crucial problem is how to verify the correctness of such computations. In this paper, we propose a publicly verifiable cloud access control scheme based on Parno's publicly verifiable computation protocol. For the first time, we propose the concept and a concrete construction of verifiable cloud access control. Specifically, we first design a user-private-key-revocable Key-Policy Attribute-Based Encryption (KP-ABE) scheme with a non-monotonic access structure, which can be combined with XACML policies perfectly. Secondly, we convert the XACML policy into the access structure of KP-ABE. Finally, we construct a provably secure, publicly verifiable cloud access control scheme based on the KP-ABE scheme we designed.

Li, Qi, Ma, Jianfeng, Xiong, Jinbo, Zhang, Tao, Liu, Ximeng.  2013.  Fully Secure Decentralized Key-Policy Attribute-Based Encryption. 2013 5th International Conference on Intelligent Networking and Collaborative Systems. :220–225.

In previous multi-authority key-policy attribute-based encryption (KP-ABE) schemes, either a super-powerful central authority (CA) exists, or multiple attribute authorities (AAs) must collaborate in initializing the system. In addition, those schemes are proved secure in the selective model. In this paper, we propose a new fully secure decentralized KP-ABE scheme, where no CA exists and there is no cooperation between any AAs. To become an AA, a participant needs to create and publish its public parameters. All of a user's private keys are linked with his unique global identifier (GID). The proposed scheme supports any monotonic access structure that can be expressed by a linear secret sharing scheme (LSSS). We prove the full security of our scheme in the standard model. Our scheme is also secure against the corruption of at most F-1 AAs, where F is the number of AAs in the system. The efficiency of our scheme is almost as good as that of the underlying fully secure single-authority KP-ABE system.

2014
Cuong Pham, University of Illinois at Urbana-Champaign, Zachary J. Estrada, University of Illinois at Urbana-Champaign, Phuong Cao, University of Illinois at Urbana-Champaign, Zbigniew Kalbarczyk, University of Illinois at Urbana-Champaign, Ravishankar K. Iyer, University of Illinois at Urbana-Champaign.  2014.  Building Reliable and Secure Virtual Machines using Architectural Invariants. IEEE Security and Privacy. 12(5):82-85.

Reliability and security tend to be treated separately because they appear orthogonal: reliability focuses on accidental failures, security on intentional attacks. Because of the apparent dissimilarity between the two, tools to detect and recover from different classes of failures and attacks are usually designed and implemented differently. So, integrating support for reliability and security in a single framework is a significant challenge.

Here, we discuss how to address this challenge in the context of cloud computing, for which reliability and security are growing concerns. Because cloud deployments usually consist of commodity hardware and software, efficient monitoring is key to achieving resiliency. Although reliability and security monitoring might use different types of analytics, the same sensing infrastructure can provide inputs to monitoring modules.

We split monitoring into two phases: logging and auditing. Logging captures data or events; it constitutes the framework’s core and is common to all monitors. Auditing analyzes data or events; it’s implemented and operated independently by each monitor. To support a range of auditing policies, logging must capture a complete view, including both actions and states of target systems. It must also provide useful, trustworthy information regarding the captured view.

We applied these principles when designing HyperTap, a hypervisor-level monitoring framework for virtual machines (VMs). Unlike most VM-monitoring techniques, HyperTap employs hardware architectural invariants (hardware invariants, for short) to establish the root of trust for logging. Hardware invariants are properties defined and enforced by a hardware platform (for example, the x86 instruction set architecture). Additionally, HyperTap supports continuous, event-driven VM monitoring, which enables both capturing the system state and responding rapidly to actions of interest.

Ding, Shuai, Yang, Shanlin, Zhang, Youtao, Liang, Changyong, Xia, Chenyi.  2014.  Combining QoS Prediction and Customer Satisfaction Estimation to Solve Cloud Service Trustworthiness Evaluation Problems. Know.-Based Syst.. 56:216–225.

The collection and combination of assessment data in trustworthiness evaluation of cloud services is challenging, notably because QoS values may be missing in offline evaluation situations due to time-consuming and costly cloud service invocation. Considering the fact that many trustworthiness evaluation problems require not only objective measurement but also subjective perception, this paper designs a novel framework named CSTrust for conducting cloud service trustworthiness evaluation by combining QoS prediction and customer satisfaction estimation. The proposed framework considers how to improve the accuracy of QoS value prediction on quantitative trustworthy attributes, as well as how to estimate the customer satisfaction of the target cloud service by taking advantage of the perception ratings on qualitative attributes. The proposed methods are validated through simulations, demonstrating that CSTrust can effectively predict assessment data and release evaluation results of trustworthiness.

Zhenqi Huang, University of Illinois at Urbana-Champaign, Yu Wang, University of Illinois at Urbana-Champaign, Sayan Mitra, University of Illinois at Urbana-Champaign, Geir Dullerud, University of Illinois at Urbana-Champaign.  2014.  On the Cost of Privacy in Distributed Control Systems. 3rd ACM International Conference on High Confidence Networked Systems (HiCoNS).

Individuals sharing information can improve the cost or performance of a distributed control system. But, sharing may also violate privacy. We develop a general framework for studying the cost of differential privacy in systems where a collection of agents, with coupled dynamics, communicate for sensing their shared environment while pursuing individual preferences. First, we propose a communication strategy that relies on adding carefully chosen random noise to agent states and show that it preserves differential privacy. Of course, the higher the standard deviation of the noise, the higher the cost of privacy. For linear distributed control systems with quadratic cost functions, the standard deviation becomes independent of the number of agents and it decays with the maximum eigenvalue of the dynamics matrix. Furthermore, for stable dynamics, the noise to be added is independent of the number of agents as well as the time horizon up to which privacy is desired.

Iltaf, Naima, Ghafoor, Abdul, Zia, Usman, Hussain, Mukhtar.  2014.  An Effective Model for Indirect Trust Computation in Pervasive Computing Environment. Wirel. Pers. Commun.. 75:1689–1713.

The performance of indirect trust computation models (based on recommendations) can be easily compromised due to the subjective and social-based prejudice of the provided recommendations. Eradicating the influence of such recommendations remains an important and challenging issue in indirect trust computation models. An effective model for indirect trust computation is proposed which is capable of identifying dishonest recommendations. Dishonest recommendations are identified using a deviation-based detection technique. The concept of measuring the credibility of a recommendation (rather than the credibility of the recommender) using a fuzzy inference engine is also proposed to determine the influence of each honest recommendation. The proposed model has been compared with other existing evolutionary recommendation models in this field, and it is shown that the model is more accurate in measuring the trustworthiness of an unknown entity.

Yu Wang, University of Illinois at Urbana-Champaign, Zhenqi Huang, University of Illinois at Urbana-Champaign, Sayan Mitra, University of Illinois at Urbana-Champaign, Geir Dullerud, University of Illinois at Urbana-Champaign.  2014.  Entropy-minimizing Mechanism for Differential Privacy of Discrete-time Linear Feedback Systems. 53rd IEEE Conference on Decision and Control (CDC 2014).

The concept of differential privacy stems from the study of private query of datasets. In this work, we apply this concept to metric spaces to study a mechanism that randomizes a deterministic query by adding mean-zero noise to keep differential privacy.

Li, Bo, Vorobeychik, Yevgeniy.  2014.  Feature Cross-Substitution in Adversarial Classification. Advances in Neural Information Processing Systems 27. :2087–2095.

The success of machine learning, particularly in supervised settings, has led to numerous attempts to apply it in adversarial settings such as spam and malware detection. The core challenge in this class of applications is that adversaries are not static data generators, but make a deliberate effort to evade the classifiers deployed to detect them. We investigate both the problem of modeling the objectives of such adversaries, as well as the algorithmic problem of accounting for rational, objective-driven adversaries. In particular, we demonstrate severe shortcomings of feature reduction in adversarial settings using several natural adversarial objective functions, an observation that is particularly pronounced when the adversary is able to substitute across similar features (for example, replace words with synonyms or replace letters in words). We offer a simple heuristic method for making learning more robust to feature cross-substitution attacks. We then present a more general approach based on mixed-integer linear programming with constraint generation, which implicitly trades off overfitting and feature selection in an adversarial setting using a sparse regularizer along with an evasion model. Our approach is the first method for combining an adversarial classification algorithm with a very general class of models of adversarial classifier evasion. We show that our algorithmic approach significantly outperforms state-of-the-art alternatives.

Zhou, Jian, Sun, Liyan, Zhou, Xianwei, Song, Junde.  2014.  High Performance Group Merging/Splitting Scheme for Group Key Management. Wirel. Pers. Commun.. 75:1529–1545.

The group merging/splitting event differs from the joining/leaving events, in which only a single member joins or leaves the group: in the group merging/splitting event, two small groups merge into one group or a group is divided into two independent parts. Rekeying is an important issue for key management, whose target is to guarantee forward security and backward security in case of membership changes; however, rekeying efficiency is related to group scale in most existing group key management schemes, so those schemes are not suitable for applications whose rekeying time delay is strictly limited. In particular, multiple members are involved in the group merging/splitting event, so the rekeying performance becomes a worrying problem. In this paper, a high-performance group merging/splitting group key management scheme is proposed based on a one-encryption-key multi-decryption-key key protocol. In the proposed scheme each member has a unique decryption key corresponding to a common encryption key, so that only the common encryption key is updated when the group merging/splitting event happens, while the secret decryption keys remain unchanged. In terms of efficiency, since no more than one message is sent on a merging/splitting event, the network load is reduced, as a single group member's key material is enough for the other group members to agree on a fresh common encryption key. In terms of security, our proposed scheme achieves the key management security requirements, including passive security, forward security, backward security and key independence. Therefore, our proposed scheme is suitable for dynamic networks in which the rekeying time delay is strictly limited, such as delay-tolerant networks.

Layman, Lucas, Diffo, Sylvain David, Zazworka, Nico.  2014.  Human Factors in Webserver Log File Analysis: A Controlled Experiment on Investigating Malicious Activity. Proceedings of the 2014 Symposium and Bootcamp on the Science of Security. :9:1–9:11.

While automated methods are the first line of defense for detecting attacks on webservers, a human agent is required to understand the attacker's intent and the attack process. The goal of this research is to understand the value of various log fields and the cognitive processes by which log information is grouped, searched, and correlated. Such knowledge will enable the development of human-focused log file investigation technologies. We performed controlled experiments with 65 subjects (IT professionals and novices) who investigated excerpts from six webserver log files. Quantitative and qualitative data were gathered to: 1) analyze subject accuracy in identifying malicious activity; 2) identify the most useful pieces of log file information; and 3) understand the techniques and strategies used by subjects to process the information. Statistically significant effects were observed in the accuracy of identifying attacks and time taken depending on the type of attack. Systematic differences were also observed in the log fields used by high-performing and low-performing groups. The findings include: 1) new insights into how specific log data fields are used to effectively assess potentially malicious activity; 2) obfuscating factors in log data from a human cognitive perspective; and 3) practical implications for tools to support log file investigations.