LogGC

Abstract: System-level audit logs capture the interactions between applications and the runtime environment. They are highly valuable for forensic analysis that aims to identify the root cause of an attack, which may occur long ago, or to determine the ramifications of an attack for recovery from it. A key challenge of audit log-based forensics in practice is the sheer size of the log files generated, which could grow at a rate of Gigabytes per day. In this paper, we propose LogGC, an audit logging system with garbage c… Show more

“…Our results show that the space consumption of ProTracer is <1.28% of BEEP's on average, and about 7 times smaller than our previous offline log garbage collection technique LogGC [28]. The log generated per day is roughly 13MB without losing precision compared to BEEP.…”

“…According to [28], audit logging easily generates gigabytes of log data per host every day. This is particularly problematic for APT defense, as APT malware tends to lurk in the victim host for a long time.…”

“…Although logging has relatively lower run-time overhead compared to provenance propagation because it does not require expensive per-instruction set operations, many existing logging systems [27], [28] are built on the default Linux audit logging infrastructure that can cause up to 40% slow-down to the whole system due to its poor design (Section V). This makes it undesirable in a production environment.…”

“…Like most existing audit logging systems [15], [27], [28], ProTracer trusts the kernel and any user space daemon associated with the provenance tracing system. More discussion about the assumptions, limitations and security analysis of ProTracer can be found in Section VI.…”

ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting

“…Our results show that the space consumption of ProTracer is <1.28% of BEEP's on average, and about 7 times smaller than our previous offline log garbage collection technique LogGC [28]. The log generated per day is roughly 13MB without losing precision compared to BEEP.…”

“…According to [28], audit logging easily generates gigabytes of log data per host every day. This is particularly problematic for APT defense, as APT malware tends to lurk in the victim host for a long time.…”

“…Although logging has relatively lower run-time overhead compared to provenance propagation because it does not require expensive per-instruction set operations, many existing logging systems [27], [28] are built on the default Linux audit logging infrastructure that can cause up to 40% slow-down to the whole system due to its poor design (Section V). This makes it undesirable in a production environment.…”

“…Like most existing audit logging systems [15], [27], [28], ProTracer trusts the kernel and any user space daemon associated with the provenance tracing system. More discussion about the assumptions, limitations and security analysis of ProTracer can be found in Section VI.…”

ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting

“…Audit trails analysis is a well-known method used in different realms for identi- cases, audit trails have been used to detect attack incidents [65]. In the context of the current work emphasis is given to contributions dealing with DoS attacks and espe-640 cially those capitalizing on entropy information stemming from network logistic data.…”

An efficient and easily deployable method for dealing with DoS in SIP services

Secure and Trustworthy Provenance Collection for Digital Forensics