WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics

Zeng, Jun; Chua, Zheng Leong; Chen, Yinfang; Ji, Kaihang; Liang, Zhenkai; Mao, Jian

doi:10.14722/ndss.2021.24549

Cited by 36 publications

(23 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Audit logs are themselves a key target for an attacker who needs to erase any trace of their malicious activities; otherwise, they may get caught and then possibly prosecuted. The need for securing audit logging was raised already in different contexts, including hardware [3]; systems [4,5]; file systems [6]; databases [7]; secure logging protocols [8]; distributed systems [2,[10][11][12][13][14]; blockchain [1,[16][17][18][19][20]; and blockchain hardware [28], as well as many others. In this section, we describe some pieces of research in securing audit logging, with particular attention on distributed systems and cloud computing; we describe blockchain-based mechanisms later in the following subsection.…”

Section: Audit Based Systemsmentioning

confidence: 99%

“…Audit logs are used to keep track of important events about system activities and are a fundamental mechanism for digital forensics because they provide information about past and current events and hence, the path of states of a system [2]. The need for protecting logs from attackers was already stated by various researchers in different contexts, in the context of hardware [3]; systems [4,5]; file systems [6]; databases [7]; and secure logging protocols [8]. Companies are currently attracted to migrate to cloud computing services [9].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

RootLogChain: Registering Log-Events in a Blockchain for Audit Issues from the Creation of the Root

López-Pimentel

Morales-Rosales

Monroy

2021

Sensors

View full text Add to dashboard Cite

Logging system activities are required to provide credibility and confidence in the systems used by an organization. Logs in computer systems must be secured from the root user so that they are true and fair. This paper introduces RootLogChain, a blockchain-based audit mechanism that is built upon a security protocol to create both a root user in a blockchain network and the first log; from there, all root events are stored as logs within a standard blockchain mechanism. RootLogChain provides security constructs so as to be deployed in a distributed context over a hostile environment, such as the internet. We have developed a prototype based on a microservice architecture, validating it by executing different stress proofs in two scenarios: one with compliant agents and the other without. In such scenarios, several compliant and non-compliant agents try to become a root and register the events within the blockchain. Non-compliant agents simulate eavesdropper entities that do not follow the rules of the protocol. Our experiments show that the mechanism guarantees the creation of one and only one root user, integrity, and authenticity of the transactions; it also stores all events generated by the root within a blockchain. In addition, for audit issues, the traceability of the transaction logs can be consulted by the root.

show abstract

Section: Audit Based Systemsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

RootLogChain: Registering Log-Events in a Blockchain for Audit Issues from the Creation of the Root

López-Pimentel

Morales-Rosales

Monroy

2021

Sensors

View full text Add to dashboard Cite

show abstract

“…Threat Detection with Cyber Intelligence Recent advancements of causality analysis in system auditing [19,31,32,42] have enabled security investigators to detect cyber attacks with multiple stages. However, audit logs monitor general-purpose system activities and thus lack the knowledge of high-level behaviors [48]. In most cases, analysts act as the backbone in SOCs (security operations center) to correlate various attack stages through reviewing numerous system logs [45].…”

Section: Related Workmentioning

confidence: 99%

AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports

Li¹,

Zeng²,

Chen³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Cyber attacks are becoming more sophisticated and diverse, making detection increasingly challenging. To combat these attacks, security practitioners actively summarize and exchange their knowledge about attacks across organizations in the form of cyber threat intelligence (CTI) reports. However, as CTI reports written in natural language texts are not structured for automatic analysis, the report usage requires tedious efforts of manual cyber intelligence recovery. Additionally, individual reports typically cover only a limited aspect of attack patterns (techniques) and thus are insufficient to provide a comprehensive view of attacks with multiple variants.To take advantage of threat intelligence delivered by CTI reports, we propose AttacKG to automatically extract structured attack behavior graphs from CTI reports and identify the adopted attack techniques. We then aggregate cyber intelligence across reports to collect different aspects of techniques and enhance attack behavior graphs as technique knowledge graphs (TKGs). Such TKGs with technique-level intelligence directly benefit downstream security tasks that rely on technique specifications, e.g., Advanced Persistent Threat (APT) detection.In our evaluation against 1,515 real-world CTI reports from diverse intelligence sources, AttacKG effectively identifies 28,262 attack techniques with 8,393 unique Indicators of Compromises (IoCs). Further, to verify AttacKG's accuracy in extracting threat intelligence, we run AttacKG on eight manually labeled CTI reports. Empirical results show that AttacKG accurately identifies attack-relevant entities, dependencies, and techniques with F1-scores of 0.895, 0.911, and 0.819, which significantly outperforms the state-of-the-art approaches like EXTRACTOR [43] and TTPDrill [30].

show abstract

“…The other group of approaches is more systemcentric and mainly seeks to developing capabilities that can either identify suspicious patterns in system execution in relation to previously observed attacker actions [6,[19][20][21] or characterize the normal system behavior through developing models [8,[22][23][24]. More recently, as part of DARPA's Transparent Computing (TC) program [25,26] a new wave of techniques based on data provenance analysis has appeared.…”

Section: Introductionmentioning

confidence: 99%

Exploration of Enterprise Server Data to Assess Ease of Modeling System Behavior

Altinisik¹,

Sencar²,

Nabeel³

et al. 2022

Preprint

View full text Add to dashboard Cite

Enterprise networks are one of the major targets for cyber attacks due to the vast amount of sensitive and valuable data they contain. A common approach to detecting attacks in the enterprise environment relies on modeling the behavior of users and systems to identify unexpected deviations. The feasibility of this approach crucially depends on how well attack-related events can be isolated from benign and mundane system activities. Despite the significant focus on end-user systems, the background behavior of servers running critical services for the enterprise is less studied. To guide the design of detection methods tailored for servers, in this work, we examine system event records from 46 servers in a large enterprise obtained over a duration of ten weeks. We analyze the rareness characteristics and the similarity of the provenance relations in the event log data. Our findings show that server activity, in general, is highly variant over time and dissimilar across different types of servers. However, careful consideration of profiling window of historical events and service level grouping of servers improve rareness measurements by 24.5%. Further, utilizing better contextual representations, the similarity in provenance relationships could be improved. An important implication of our findings is that detection techniques developed considering experimental setups with non-representative characteristics may perform poorly in practice.

show abstract

WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics

Cited by 36 publications

References 37 publications

RootLogChain: Registering Log-Events in a Blockchain for Audit Issues from the Creation of the Root

RootLogChain: Registering Log-Events in a Blockchain for Audit Issues from the Creation of the Root

AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports

Exploration of Enterprise Server Data to Assess Ease of Modeling System Behavior

Contact Info

Product

Resources

About