Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows
Abstract
Audit logging is an important approach to cyber attack investigation. However, traditional audit logging either lacks accuracy or requires expensive and complex binary instrumentation. In this paper, we propose a Windows-based audit logging technique that is both accurate and low cost. More importantly, it does not require instrumenting the applications, which is critical for commercial software with IP protection. The technique is built on Event Tracing for Windows (ETW). By analyzing ETW logs and critical parts of application executables, a model can be constructed that parses ETW logs into units, each representing an independent sub-execution within a process. Causality inferred at the unit level is far more accurate, allowing us to perform accurate attack investigation and highly effective log garbage collection.
Similar articles
Correct Audit Logging: Theory and Practice
Retrospective security has become increasingly important to the theory and practice of cyber security, with auditing a crucial component of it. However, in systems where auditing is used, programs are typically instrumented to generate audit logs using manual, ad-hoc strategies. This is a potential source of error even if log analysis techniques are formal, since the relation of the log itself ...
Windows and Linux Security Audit
A security audit of the operating system is necessary, especially when multiple users share it or when the system is part of a company's network. Before heading into the security audit, you have to be aware of the fundamentals of IT security auditing, whose main objective is to assure protection of the information assets and to dispense information properly to authorized parties. In ord...
Foundations for Auditing Assurance
Retrospective security is an important element of layered security systems. Auditing is central to the theory and practice of retrospective security; however, in systems where auditing is used, programs are typically instrumented to generate audit logs using manual, ad hoc strategies. This is a potential source of error even if log auditing techniques are formal, since the relation of the log it...
BAFi: a practical cryptographic secure audit logging scheme for digital forensics
Audit logs provide information about historical states of computer systems. They also contain highly valuable data that can be used by law enforcement in forensic investigations. Thus, ensuring the authenticity and integrity of audit logs is of vital importance. An ideal security mechanism for audit logging must also satisfy security properties such as forward security (compromise resiliency), c...
Events Classification in Log Audit
Information security audit is a monitoring/logging mechanism to ensure compliance with regulations and to detect abnormalities, security breaches, and privacy violations; however, auditing too many events causes overwhelming use of system resources and impacts performance. Consequently, a classification of events is used to prioritize events and configure the log system. Rules can be applied ac...