TY - GEN
T1 - Accurate, low cost and instrumentation-free security audit logging for windows
AU - Ma, Shiqing
AU - Lee, Kyu Hyung
AU - Kim, Chung Hwan
AU - Rhee, Junghwan
AU - Zhang, Xiangyu
AU - Xu, Dongyan
N1 - Funding Information:
We thank the anonymous reviewers for their constructive comments. This research was supported, in part, by DARPA under contract FA8650-15-C-7562, NSF under award 1409668, ONR under contract N000141410468, and Cisco Systems under an unrestricted gift. Any opinions, findings, and conclusions in this paper are those of the authors only and do not necessarily reflect the views of our sponsors.
Publisher Copyright:
© 2015 ACM.
PY - 2015/12/7
Y1 - 2015/12/7
N2 - Audit logging is an important approach to cyber attack investigation. However, traditional audit logging either lacks accuracy or requires expensive and complex binary instrumentation. In this paper, we propose a Windows-based audit logging technique that features accuracy and low cost. More importantly, it does not require instrumenting the applications, which is critical for commercial software with IP protection. The technique is built on Event Tracing for Windows (ETW). By analyzing the ETW log and critical parts of application executables, a model can be constructed to parse the ETW log into units representing independent sub-executions in a process. Causality inferred at the unit level renders much higher accuracy, allowing us to perform accurate attack investigation and highly effective log reduction.
AB - Audit logging is an important approach to cyber attack investigation. However, traditional audit logging either lacks accuracy or requires expensive and complex binary instrumentation. In this paper, we propose a Windows-based audit logging technique that features accuracy and low cost. More importantly, it does not require instrumenting the applications, which is critical for commercial software with IP protection. The technique is built on Event Tracing for Windows (ETW). By analyzing the ETW log and critical parts of application executables, a model can be constructed to parse the ETW log into units representing independent sub-executions in a process. Causality inferred at the unit level renders much higher accuracy, allowing us to perform accurate attack investigation and highly effective log reduction.
UR - http://www.scopus.com/inward/record.url?scp=84959323920&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84959323920&partnerID=8YFLogxK
U2 - 10.1145/2818000.2818039
DO - 10.1145/2818000.2818039
M3 - Conference contribution
AN - SCOPUS:84959323920
T3 - ACM International Conference Proceeding Series
SP - 401
EP - 410
BT - Proceedings - 31st Annual Computer Security Applications Conference, ACSAC 2015
PB - Association for Computing Machinery
T2 - 31st Annual Computer Security Applications Conference, ACSAC 2015
Y2 - 7 December 2015 through 11 December 2015
ER -