Accurate, low cost and instrumentation-free security audit logging for Windows

Shiqing Ma, Kyu Hyung Lee, Chung Hwan Kim, Junghwan Rhee, Xiangyu Zhang, Dongyan Xu

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

21 Scopus citations

Abstract

Audit logging is an important approach to cyber attack investigation. However, traditional audit logging either lacks accuracy or requires expensive and complex binary instrumentation. In this paper, we propose a Windows-based audit logging technique that features accuracy and low cost. More importantly, it does not require instrumenting the applications, which is critical for commercial software with IP protection. The technique is built on Event Tracing for Windows (ETW). By analyzing ETW logs and critical parts of application executables, a model can be constructed to parse ETW logs into units representing independent sub-executions in a process. Causality inferred at the unit level yields much higher accuracy, allowing us to perform accurate attack investigation and highly effective log reduction.

Original language: English (US)
Title of host publication: Proceedings - 31st Annual Computer Security Applications Conference, ACSAC 2015
Publisher: Association for Computing Machinery
Pages: 401-410
Number of pages: 10
ISBN (Electronic): 9781450336826
DOIs
State: Published - Dec 7 2015
Externally published: Yes
Event: 31st Annual Computer Security Applications Conference, ACSAC 2015 - Los Angeles, United States
Duration: Dec 7 2015 to Dec 11 2015

Publication series

Name: ACM International Conference Proceeding Series
Volume: 7-11-December-2015

Conference

Conference: 31st Annual Computer Security Applications Conference, ACSAC 2015
Country/Territory: United States
City: Los Angeles
Period: 12/7/15 to 12/11/15

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications
