On the Forensic Validity of Approximated Audit Logs

Authors: Noor Michael, Jaron Mink, Jason Liu, Sneha Gaur, Wajih Ul Hassan

DOI: 10.1145/3427228.3427272

Keywords: Data mining; Digital forensics; Computer science; Intrusion detection system; Threat model; Fidelity; Audit; Redundancy (information theory); Audit trail; Process (engineering)

Abstract: Auditing is an increasingly essential tool for the defense of computing systems, but the unwieldy nature of log data imposes significant burdens on administrators and analysts. To address this issue, a variety of techniques have been proposed for approximating the contents of raw audit logs, facilitating efficient storage and analysis. However, the security value of these approximated logs is difficult to measure: relative to the original log, it is unclear whether an approximated log retains the forensic evidence needed to effectively investigate threats. Unfortunately, prior work has only investigated this issue anecdotally, demonstrating that sufficient evidence is retained for specific attack scenarios. In this work, we address this gap in the literature by formalizing metrics for quantifying the forensic validity of an approximated audit log under differing threat models. In addition to providing quantifiable arguments for the value of prior work, we also identify a novel point in the approximation design space: log events describing typical (benign) system activity can be aggressively approximated, while events that encode anomalous behavior should be preserved with lossless fidelity. We instantiate this notion of Attack-Preserving forensic validity in LogApprox, a new approximation technique that eliminates the redundancy of the voluminous file I/O associated with benign process activities. We evaluate LogApprox alongside a corpus of exemplar approximation techniques from prior work and demonstrate that it achieves comparable log reduction rates while retaining 100% of attack-identifying log events. Additionally, we utilize this evaluation to illuminate the inherent trade-off between performance and utility within existing approximation techniques. This work thus establishes trustworthy foundations for the design of the next generation of efficient auditing frameworks.
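The design point the abstract describes (aggressively collapse benign, repetitive file I/O per process; keep anything anomalous verbatim; then measure how much attack evidence survives) can be made concrete with a small toy. The block below is an added illustration written for this page, not the authors' LogApprox implementation nor the paper's evaluation data. It assumes a benign profile can be learned as (process name, syscall, directory) triples from a clean baseline window, and that ground-truth attack labels are available for scoring; both are assumptions of this example. The sample events are constructed. The final "masquerade" event, an attacker process named like the backup job reading inside the profiled directory, deliberately shows the caveat: evidence that falls inside the benign profile is aggregated away, so the retention metric drops below 100%.

```python
"""Added illustration: attack-preserving approximation of an audit log.

NOT the paper's LogApprox implementation. Benign behaviour is profiled as
(comm, syscall, directory) triples seen in a clean baseline window (an
assumption of this toy); in-profile file I/O is collapsed per process into
one aggregate record, anything out of profile is kept verbatim.
"""
from dataclasses import dataclass
import posixpath
from typing import Dict, List, Set, Tuple, Union


@dataclass(frozen=True)
class Event:
    seq: int              # position in the raw log
    pid: int
    comm: str             # process name, as in Linux audit 'comm='
    syscall: str          # 'read' or 'write' (simplified)
    path: str
    attack: bool = False  # ground-truth label, used only for evaluation


@dataclass(frozen=True)
class Aggregate:
    """One record standing in for many in-profile events of one process."""
    first_seq: int
    last_seq: int
    pid: int
    comm: str
    syscall: str
    directory: str
    count: int


ProfileKey = Tuple[str, str, str]
Record = Union[Event, Aggregate]


def profile_key(ev: Event) -> ProfileKey:
    # Generalise a concrete path to its directory so the profile covers a
    # working set rather than individual file names.
    return (ev.comm, ev.syscall, posixpath.dirname(ev.path))


def learn_benign_profile(baseline: List[Event]) -> Set[ProfileKey]:
    """Assumption: the baseline window contains only benign activity."""
    return {profile_key(ev) for ev in baseline}


def approximate(log: List[Event], profile: Set[ProfileKey]) -> List[Record]:
    """Collapse in-profile I/O per (pid, profile key); keep the rest lossless."""
    kept: List[Record] = []
    open_aggs: Dict[Tuple[int, ProfileKey], Aggregate] = {}
    for ev in log:
        key = profile_key(ev)
        if key not in profile:
            kept.append(ev)  # anomalous relative to the profile: kept verbatim
            continue
        agg_key = (ev.pid, key)
        prev = open_aggs.get(agg_key)
        if prev is None:
            open_aggs[agg_key] = Aggregate(ev.seq, ev.seq, ev.pid, ev.comm,
                                           ev.syscall, key[2], 1)
        else:
            open_aggs[agg_key] = Aggregate(prev.first_seq, ev.seq, prev.pid,
                                           prev.comm, prev.syscall,
                                           prev.directory, prev.count + 1)
    kept.extend(open_aggs.values())
    return sorted(kept, key=lambda r: r.seq if isinstance(r, Event) else r.first_seq)


def reduction_rate(raw: List[Event], approx: List[Record]) -> float:
    return 1.0 - len(approx) / len(raw)


def attack_retention(raw: List[Event], approx: List[Record]) -> float:
    """Fraction of attack-identifying events that survive verbatim."""
    attack_seqs = {ev.seq for ev in raw if ev.attack}
    retained = {r.seq for r in approx if isinstance(r, Event) and r.seq in attack_seqs}
    return len(retained) / len(attack_seqs)


def build_sample_log() -> Tuple[List[Event], List[Event]]:
    """Constructed sample data (not from the paper): a clean baseline window and
    a monitored window with a backup job plus three attack events."""
    baseline = [Event(0, 100, "rsync", "read", "/home/alice/docs/a.txt"),
                Event(1, 100, "rsync", "write", "/backup/docs/a.txt")]
    log: List[Event] = []
    for i in range(20):  # 40 repetitive benign I/O events from one backup process
        log.append(Event(len(log), 200, "rsync", "read", f"/home/alice/docs/f{i}.txt"))
        log.append(Event(len(log), 200, "rsync", "write", f"/backup/docs/f{i}.txt"))
    log.append(Event(len(log), 777, "bash", "read", "/etc/shadow", attack=True))
    log.append(Event(len(log), 778, "curl", "write", "/tmp/.payload", attack=True))
    # Masquerade: attacker process named 'rsync' reading inside the profiled
    # directory. It falls inside the benign profile and will be aggregated.
    log.append(Event(len(log), 779, "rsync", "read", "/home/alice/docs/keys.pem", attack=True))
    return baseline, log


if __name__ == "__main__":
    baseline, raw = build_sample_log()
    approx = approximate(raw, learn_benign_profile(baseline))
    print(f"raw={len(raw)} approx={len(approx)} "
          f"reduction={reduction_rate(raw, approx):.2%} "
          f"attack_retention={attack_retention(raw, approx):.2%}")
    for r in approx:
        print(r)
```

On the constructed input the 43 raw events shrink to 5 records (two aggregates for the backup job, the two out-of-profile attack events verbatim, and one aggregate that swallowed the masquerading read), so the reduction rate is about 88% while attack retention is 2/3 rather than 100%. That gap is exactly what the metric is for: a reduction number alone says nothing about whether the evidence an investigator needs is still in the log, and any profile-based approximation should be scored against attacks that imitate the profiled activity, not only against obviously foreign events.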
