DOI: 10.1145/2818000.2818039 (research article, ACSAC conference proceedings)

Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows

Published: 07 December 2015

Abstract

Audit logging is an important approach to cyber attack investigation. However, traditional audit logging either lacks accuracy or requires expensive and complex binary instrumentation. In this paper, we propose a Windows-based audit logging technique that features accuracy and low cost. More importantly, it does not require instrumenting the applications, which is critical for commercial software with IP protection. The technique is built on Event Tracing for Windows (ETW). By analyzing the ETW log and critical parts of application executables, a model can be constructed to parse the ETW log into units representing independent sub-executions in a process. Causality inferred at the unit level renders much higher accuracy, allowing us to perform accurate attack investigation and highly effective log reduction.

Published In

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference
December 2015, 489 pages
ISBN: 9781450336826
DOI: 10.1145/2818000

In-Cooperation: ACSA (Applied Computing Security Association)

Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC 2015

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Cited By

  • (2025) PDCleaner: A multi-view collaborative data compression method for provenance graph-based APT detection systems. Computers & Security 152 (104359). DOI: 10.1016/j.cose.2025.104359. Published May 2025.
  • (2025) Genetic programming for enhanced detection of Advanced Persistent Threats through feature construction. Computers & Security 149 (104185). DOI: 10.1016/j.cose.2024.104185. Published Feb 2025.
  • (2024) Log refusion: adversarial attacks against the integrity of application logs and defense methods. SCIENTIA SINICA Informationis 54:9 (2157). DOI: 10.1360/SSI-2024-0042. Published 10 Sep 2024.
  • (2024) A benchmark suite and performance analysis of user-space provenance collectors. Proceedings of the 2nd ACM Conference on Reproducibility and Replicability, pp. 85-95. DOI: 10.1145/3641525.3663627. Published 18 Jun 2024.
  • (2024) The Last Mile of Attack Investigation: Audit Log Analysis Toward Software Vulnerability Location. IEEE Transactions on Information Forensics and Security 19, pp. 9566-9581. DOI: 10.1109/TIFS.2024.3459616. Published 2024.
  • (2024) eAudit: A Fast, Scalable and Deployable Audit Data Collection System. 2024 IEEE Symposium on Security and Privacy (SP), pp. 3571-3589. DOI: 10.1109/SP54263.2024.00087. Published 19 May 2024.
  • (2024) AGCM: A multi-stage attack correlation and scenario reconstruction method based on graph aggregation. Computer Communications 224, pp. 302-313. DOI: 10.1016/j.comcom.2024.06.016. Published Aug 2024.
  • (2023) PUMM. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 823-840. DOI: 10.5555/3620237.3620284. Published 9 Aug 2023.
  • (2023) Auditing frameworks need resource isolation. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 355-372. DOI: 10.5555/3620237.3620258. Published 9 Aug 2023.
  • (2023) System Auditing for Real-Time Systems. ACM Transactions on Privacy and Security 26:4, pp. 1-37. DOI: 10.1145/3625229. Published 13 Nov 2023.
