On the Forensic Validity of Approximated Audit Logs

Michael, Noor; Mink, Jaron; Liu, Jason; Gaur, Sneha; Hassan, Wajih Ul; Bates, Adam

doi:10.1145/3427228.3427272

Cited by 28 publications

(14 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, Fig 6b clearly shows that the model categories are not entirely delimited by their triangle configuration: for example, models in Kaczmarczyck et al [27], Noor et al [34] and Xiao et al [48] have similar, central triangle placements even though they are members of the deep learning, statistical and respectively simulation categories. Furthermore, even though their topics are also different, namely automated malware family identification, illustrating a mechanism for key distribution on automotive networks and analysing the forensic validity of approximated audit logs, they all obtain a more balanced configuration by introducing qualitative reasoning about their inner workings.…”

Section: Simulation Modelsmentioning

confidence: 99%

Meta-modelling for Ecosystems Security

Caulfield

Ilau

Pym

2022

Simulation Tools and Techniques

View full text Add to dashboard Cite

As the world has evolved to become ever more dependent on complex ecosystems of large, interacting systems, it has become ever more important to be able to reason rigorously about the design, construction, and behaviour not only of individual systems -which may include aspects related to all of people, process, and technology -but also of their assembly into ecosystems. In such situations, it is inevitable that no one type of model -such as mathematical models of dynamical systems, logical models of languages, or discrete event simulation models -will be sufficient to describe all of the aspects of ecosystems about which rigorous reasoning is required. We propose here a metatheoretical framework, the 'triangle framework', within which different types of models may be categorized and their interactions, especially during the construction of models, can be understood. Its explicit goals are to facilitate a better understanding of the nature of models and to provide a more inclusive language for the description of heterogeneous models. Specifically, we identify three qualities of models, each derived from modelling goals -conceptuality, mathematicality, and executability -and explain how models will, typically, have all of these qualities to varying extents. We also show how the framework supports an analysis of how models can be co-designed by their various stakeholders within an identified translation zone within the process of model construction. We explore our ideas in the concrete setting of models encountered in a range of surveyed security papers, drawn from a diverse collection of security conferences. Although descriptive in nature, we envision this framework as a necessary first step in the development of a methodology for heterogeneous model design and construction, diverse enough to characterize the myriad of model types used in the field of information security while at the same time addressing validation concerns that can reduce their usability in the area of security decision-making.

show abstract

Section: Simulation Modelsmentioning

confidence: 99%

Meta-modelling for Ecosystems Security

Caulfield

Ilau

Pym

2022

Simulation Tools and Techniques

View full text Add to dashboard Cite

show abstract

“…Audit logs are themselves a key target for an attacker who needs to erase any trace of their malicious activities; otherwise, they may get caught and then possibly prosecuted. The need for securing audit logging was raised already in different contexts, including hardware [3]; systems [4,5]; file systems [6]; databases [7]; secure logging protocols [8]; distributed systems [2,[10][11][12][13][14]; blockchain [1,[16][17][18][19][20]; and blockchain hardware [28], as well as many others. In this section, we describe some pieces of research in securing audit logging, with particular attention on distributed systems and cloud computing; we describe blockchain-based mechanisms later in the following subsection.…”

Section: Audit Based Systemsmentioning

confidence: 99%

“…Audit logs are used to keep track of important events about system activities and are a fundamental mechanism for digital forensics because they provide information about past and current events and hence, the path of states of a system [2]. The need for protecting logs from attackers was already stated by various researchers in different contexts, in the context of hardware [3]; systems [4,5]; file systems [6]; databases [7]; and secure logging protocols [8]. Companies are currently attracted to migrate to cloud computing services [9].…”

Section: Introductionmentioning

confidence: 99%

RootLogChain: Registering Log-Events in a Blockchain for Audit Issues from the Creation of the Root

López-Pimentel

Morales-Rosales

Monroy

2021

Sensors

View full text Add to dashboard Cite

Logging system activities are required to provide credibility and confidence in the systems used by an organization. Logs in computer systems must be secured from the root user so that they are true and fair. This paper introduces RootLogChain, a blockchain-based audit mechanism that is built upon a security protocol to create both a root user in a blockchain network and the first log; from there, all root events are stored as logs within a standard blockchain mechanism. RootLogChain provides security constructs so as to be deployed in a distributed context over a hostile environment, such as the internet. We have developed a prototype based on a microservice architecture, validating it by executing different stress proofs in two scenarios: one with compliant agents and the other without. In such scenarios, several compliant and non-compliant agents try to become a root and register the events within the blockchain. Non-compliant agents simulate eavesdropper entities that do not follow the rules of the protocol. Our experiments show that the mechanism guarantees the creation of one and only one root user, integrity, and authenticity of the transactions; it also stores all events generated by the root within a blockchain. In addition, for audit issues, the traceability of the transaction logs can be consulted by the root.

show abstract

“…In most cases, analysts act as the backbone in SOCs (security operations center) to correlate various attack stages through reviewing numerous system logs [45]. Unfortunately, as the volume of audit data is typically overwhelming even after reducing noisy logs irrelevant to attacks [27,33,37,38,44,47], it is infeasible to manually analyze cyber threats directly based on audit logs [22,23].…”

Section: Related Workmentioning

confidence: 99%

AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports

Li¹,

Zeng²,

Chen³

et al. 2021

Preprint

View full text Add to dashboard Cite

Cyber attacks are becoming more sophisticated and diverse, making detection increasingly challenging. To combat these attacks, security practitioners actively summarize and exchange their knowledge about attacks across organizations in the form of cyber threat intelligence (CTI) reports. However, as CTI reports written in natural language texts are not structured for automatic analysis, the report usage requires tedious efforts of manual cyber intelligence recovery. Additionally, individual reports typically cover only a limited aspect of attack patterns (techniques) and thus are insufficient to provide a comprehensive view of attacks with multiple variants.To take advantage of threat intelligence delivered by CTI reports, we propose AttacKG to automatically extract structured attack behavior graphs from CTI reports and identify the adopted attack techniques. We then aggregate cyber intelligence across reports to collect different aspects of techniques and enhance attack behavior graphs as technique knowledge graphs (TKGs). Such TKGs with technique-level intelligence directly benefit downstream security tasks that rely on technique specifications, e.g., Advanced Persistent Threat (APT) detection.In our evaluation against 1,515 real-world CTI reports from diverse intelligence sources, AttacKG effectively identifies 28,262 attack techniques with 8,393 unique Indicators of Compromises (IoCs). Further, to verify AttacKG's accuracy in extracting threat intelligence, we run AttacKG on eight manually labeled CTI reports. Empirical results show that AttacKG accurately identifies attack-relevant entities, dependencies, and techniques with F1-scores of 0.895, 0.911, and 0.819, which significantly outperforms the state-of-the-art approaches like EXTRACTOR [43] and TTPDrill [30].

show abstract

On the Forensic Validity of Approximated Audit Logs

Cited by 28 publications

References 38 publications

Meta-modelling for Ecosystems Security

Meta-modelling for Ecosystems Security

RootLogChain: Registering Log-Events in a Blockchain for Audit Issues from the Creation of the Root

AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports

Contact Info

Product

Resources

About