{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T16:02:32Z","timestamp":1781107352354,"version":"3.54.1"},"reference-count":31,"publisher":"IGI Global Scientific Publishing","issue":"3","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2011,7,1]]},"abstract":"<p>Logging User Actions in Relational Mode (LUARM) is an open source audit engine for Linux. It provides a near real-time snapshot of a number of user action data such as file access, program execution and network endpoint user activities, all organized in easily searchable relational tables. LUARM attempts to solve two fundamental problems of the insider IT misuse domain. The first concerns the lack of insider misuse case data repositories that could be used by post-case forensic examiners to aid an incident investigation. The second problem relates to how information security researchers can enhance their ability to specify accurately insider threats at system level. This paper presents LUARM\u2019s design perspectives and a \u2019post mortem\u2019 case study of an insider IT misuse incident. The results show that the prototype audit engine has good potential to provide a valuable insight into the way insider IT misuse incidents manifest on IT systems and can be a valuable complement to forensic investigators of IT misuse incidents.<\/p>","DOI":"10.4018\/jdcf.2011070103","type":"journal-article","created":{"date-parts":[[2011,10,20]],"date-time":"2011-10-20T10:38:19Z","timestamp":1319107099000},"page":"37-49","source":"Crossref","is-referenced-by-count":10,"title":["LUARM"],"prefix":"10.4018","volume":"3","author":[{"given":"G.","family":"Magklaras","sequence":"first","affiliation":[{"name":"University of Plymouth, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"S.","family":"Furnell","sequence":"additional","affiliation":[{"name":"University of Plymouth, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"M.","family":"Papadaki","sequence":"additional","affiliation":[{"name":"University of Plymouth, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"2432","reference":[{"key":"jdcf.2011070103-0","doi-asserted-by":"publisher","DOI":"10.1145\/1113034.1113070"},{"key":"jdcf.2011070103-1","author":"R.Bace","year":"2000","journal-title":"Intrusion detection"},{"key":"jdcf.2011070103-2","doi-asserted-by":"crossref","unstructured":"Barr, D. (1996). RFC 1912: Common DNS operational and configuration errors. Retrieved from http:\/\/www.faqs.org\/rfcs\/rfc1912.html","DOI":"10.17487\/rfc1912"},{"key":"jdcf.2011070103-3","author":"M.Bauer","year":"2003","journal-title":"Building secure servers with Linux"},{"key":"jdcf.2011070103-4","unstructured":"Cha, A. E. (2008). Even spies embrace China's free market. Retrieved from http:\/\/www.washingtonpost.com\/wp-dyn\/content\/article\/2008\/02\/14\/AR2008021403550.html"},{"key":"jdcf.2011070103-5","unstructured":"Common Criteria Portal. (2009). The common criteria for information technology security evaluation: Version 3.1, Revision: Part 2. Retrieved from http:\/\/www.commoncriteriaportal.org\/"},{"key":"jdcf.2011070103-6","unstructured":"CPAN-DBI. (2010). The Perl database interface (DBI) module. Retrieved from http:\/\/search.cpan.org\/~timb\/DBI-1.615\/DBI.pm"},{"key":"jdcf.2011070103-7","unstructured":"CPAN-HiRes. (2010). The Perl high resolution timer module. Retrieved from http:\/\/search.cpan.org\/~jhi\/Time-HiRes-1.9721\/HiRes.pm"},{"key":"jdcf.2011070103-8","year":"1985","journal-title":"DOD 5200.28-std: Trusted computer system evaluation criteria"},{"key":"jdcf.2011070103-9","author":"U.Flegel","year":"2007","journal-title":"Privacy-respecting intrusion detection (Advances in information security)"},{"key":"jdcf.2011070103-10","doi-asserted-by":"publisher","DOI":"10.1016\/S1361-3723(04)00087-9"},{"key":"jdcf.2011070103-11","author":"S.Garfinkel","year":"1996","journal-title":"Practical UNIX and Internet security"},{"key":"jdcf.2011070103-12","doi-asserted-by":"crossref","unstructured":"Gerhards, R. (2009). RFC 5424: The Syslog protocol. Retrieved from http:\/\/tools.ietf.org\/html\/rfc5424","DOI":"10.17487\/rfc5424"},{"key":"jdcf.2011070103-13","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2009.43"},{"key":"jdcf.2011070103-14","unstructured":"Magklaras, G. (2011). Catching an undesired guest in the penguin \/tmp room. Retrieved from http:\/\/epistolatory.blogspot.com\/2011\/02\/catching-undesired-guest-in-penguin-tmp.html"},{"key":"jdcf.2011070103-15","doi-asserted-by":"publisher","DOI":"10.1108\/09685220610690826"},{"key":"jdcf.2011070103-16","doi-asserted-by":"crossref","unstructured":"Meier, M. (2004). A model for the semantics of attack signatures in misuse detection systems. In K. Zhang & Y. Zheng (Eds.), Proceedings of the 7th International Conference on Information Security (LNCS 3225, pp. 158-169)","DOI":"10.1007\/978-3-540-30144-8_14"},{"key":"jdcf.2011070103-17","doi-asserted-by":"crossref","unstructured":"Mills, D., Delaware, U., Martin, J., Burbank, J., & Kasch, W. (2010). RFC 5905: Network time protocol version 4: Protocol and algorithms specification. Retrieved from http:\/\/tools.ietf.org\/html\/rfc5905","DOI":"10.17487\/rfc5905"},{"key":"jdcf.2011070103-18","doi-asserted-by":"crossref","unstructured":"Mockapetris, P. (1987). RFC 1035: Domain names \u2013 Implementation and specification. Retrieved from http:\/\/www.ietf.org\/rfc\/rfc1035.txt","DOI":"10.17487\/rfc1035"},{"key":"jdcf.2011070103-19","unstructured":"MySQL. (2008). MySQL 5.1 manual: String regular expression operator. Retrieved from http:\/\/dev.mysql.com\/doc\/refman\/5.1\/en\/regexp.html"},{"key":"jdcf.2011070103-20","unstructured":"National Security Telecommunications and Information Systems Security Committee. (1999). The insider threat to US government information systems (Tech. Rep. No. NSTISSAM INFOSEC \/1-99). Retrieved from http:\/\/www.cnss.gov\/Assets\/pdf\/nstissam_infosec_1-99.pdf"},{"key":"jdcf.2011070103-21","first-page":"559","year":"2010","journal-title":"System administration guide: Security services"},{"key":"jdcf.2011070103-22","author":"C.Pogue","year":"2008","journal-title":"Unix and Linux forensic analysis DVD toolkit"},{"key":"jdcf.2011070103-23","unstructured":"Portal, H. P. (2003). Psacct process accounting misses some commands. Retrieved from http:\/\/h30499.www3.hp.com\/t5\/Announcements\/ITRC-redirect-announcement\/td-p\/4805811"},{"issue":"2","key":"jdcf.2011070103-24","first-page":"13","article-title":"Countering insider threats.","volume":"5","author":"C.Probst","year":"2009","journal-title":"ENISA Quarterly Review"},{"key":"jdcf.2011070103-25","unstructured":"Psacct. (2003). Utilities for process activity monitoring. Retrieved from http:\/\/linux.maruhn.com\/sec\/psacct.html"},{"key":"jdcf.2011070103-26","doi-asserted-by":"crossref","unstructured":"Rivest, R. (1992). RFC 1321: The MD5 message-digest algorithm. Retrieved from http:\/\/www.ietf.org\/rfc\/rfc1321.txt","DOI":"10.17487\/rfc1321"},{"key":"jdcf.2011070103-27","unstructured":"Sourceforge. (2000). Snoopylogger. Retrieved from http:\/\/sourceforge.net\/projects\/snoopylogger\/"},{"key":"jdcf.2011070103-28","unstructured":"Sourceforge. (2010). LURAM: Logging user actions in relational mode. Retrieved from http:\/\/luarm.sourceforge.net\/"},{"key":"jdcf.2011070103-29","unstructured":"Trusted, B. S. D. Project. (2009). OpenBSM: Open source basic security module (BSM) audit implementation. Retrieved from http:\/\/www.trustedbsd.org\/openbsm.html"},{"key":"jdcf.2011070103-30","unstructured":"WinSyslog. (2009). Monitorware. Retrieved from http:\/\/www.winsyslog.com\/en\/product\/"}],"container-title":["International Journal of Digital Crime and Forensics"],"original-title":[],"language":"ng","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=58407","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T10:32:31Z","timestamp":1654079551000},"score":1,"resource":{"primary":{"URL":"https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jdcf.2011070103"}},"subtitle":["An Audit Engine for Insider Misuse Detection"],"short-title":[],"issued":{"date-parts":[[2011,7,1]]},"references-count":31,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2011,7]]}},"URL":"https:\/\/doi.org\/10.4018\/jdcf.2011070103","relation":{},"ISSN":["1941-6210","1941-6229"],"issn-type":[{"value":"1941-6210","type":"print"},{"value":"1941-6229","type":"electronic"}],"subject":[],"published":{"date-parts":[[2011,7,1]]}}}