S3 Lab - Software & Systems Security Laboratory The University of Texas at Dallas

Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows

Shiqing Ma, Kyu Hyung Lee, Chung Hwan Kim, Junghwan Rhee, Xiangyu Zhang, and Dongyan Xu

Proceedings of the 31st Annual Computer Security Applications Conference (ACSAC) 2015.

DOI: 10.1145/2818000.2818039

areas
Security, Operating Systems, Program Analysis

abstract

Audit logging is an important approach to cyber attack investigation. However, traditional audit logging either lacks accuracy or requires expensive and complex binary instrumentation. In this paper, we propose a Windows-based audit logging technique that features accuracy and low cost. More importantly, it does not require instrumenting the applications, which is critical for commercial software with IP protection. The technique is built on Event Tracing for Windows (ETW). By analyzing the ETW log and critical parts of application executables, a model can be constructed to parse the ETW log into units representing independent sub-executions in a process. Causality inferred at the unit level renders much higher accuracy, allowing us to perform accurate attack investigation and highly effective log reduction.
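As an added illustration (not code from the paper or the lab), the constructed Python script below shows why unit-level causality is more accurate than process-level causality: it runs a backward trace from a suspicious output over a tiny ETW-style event stream in which one long-running process serves three independent requests. The unit ids are assumed to be supplied already by a partitioning model of the kind the abstract describes; the event format, the file paths and the tracing rules are assumptions made for this example.

```python
from collections import namedtuple

# Constructed ETW-style event: seq is the event order, pid the process,
# unit the sub-execution id assumed to be supplied by a partitioning model.
Event = namedtuple("Event", "seq pid unit op obj")

# Constructed log: one long-running process (pid 1000) serves three
# independent requests (units 1..3), each reading one input and writing one output.
LOG = [
    Event(1, 1000, 1, "read",  r"C:\inbox\a.doc"),
    Event(2, 1000, 1, "write", r"C:\out\a.pdf"),
    Event(3, 1000, 2, "read",  r"C:\inbox\mal.doc"),
    Event(4, 1000, 2, "write", r"C:\out\mal.exe"),
    Event(5, 1000, 3, "read",  r"C:\inbox\b.doc"),
    Event(6, 1000, 3, "write", r"C:\out\b.pdf"),
]


def backward_trace(log, sink, by_unit):
    """Return the set of objects the sink object causally depends on.

    by_unit=False treats the whole process as the causal subject (classic
    audit logging); by_unit=True treats each (pid, unit) as the subject, so
    unrelated requests handled by the same process are not linked together.
    A read contributes only if it happened before the write it is blamed for.
    """
    subject = (lambda e: (e.pid, e.unit)) if by_unit else (lambda e: e.pid)
    obj_bound = {sink: float("inf")}  # object -> writes before this seq matter
    subj_bound = {}                   # subject -> its reads before this seq matter
    changed = True
    while changed:  # iterate to a fixpoint over the (unordered) event list
        changed = False
        for e in log:
            s = subject(e)
            if e.op == "write" and e.seq < obj_bound.get(e.obj, -1):
                if subj_bound.get(s, -1) < e.seq:
                    subj_bound[s] = e.seq
                    changed = True
            elif e.op == "read" and e.seq < subj_bound.get(s, -1):
                if obj_bound.get(e.obj, -1) < e.seq:
                    obj_bound[e.obj] = e.seq
                    changed = True
    obj_bound.pop(sink)
    return set(obj_bound)

if __name__ == "__main__":
    for by_unit in (False, True):
        label = "unit-level" if by_unit else "process-level"
        print(label, sorted(backward_trace(LOG, r"C:\out\mal.exe", by_unit)))
```

Process-level tracing blames every input the process read before the malicious write, while unit-level tracing isolates the single request that produced it; the same distinction is what lets events from unrelated units be dropped during log reduction.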

related project

CLUE

The CLUE project develops an infrastructure to detect and diagnose system anomalies in enterprise and cloud systems. These anomalies include stealthy malware and other types of hidden system anomalies. CLUE provides a diverse set of tools to find and understand such anomalies with minimal disruption to the target system.