Have fun with audit log analysis :)

Audit Log Analysis

Endpoint monitoring solutions (e.g., Elastic, Splunk) are widely deployed in today’s enterprise environments to support advanced attack detection and investigation. These monitors continuously record system-level activities as audit logs and provide deep visibility into security incidents.

Note that audit logs differ from application logs, which are generated by application code at the developer's discretion. Audit logs are generated by the operating system regardless of the application's code.

I highly suggest that beginners start their log analysis journey with Backtracking Intrusions, as this study pioneered this line of research.

Dataset

The DARPA dataset is a publicly available APT attack dataset released by the DARPA Transparent Computing (TC) program. The dataset was derived from a network of hosts during a two-week-long red-team vs. blue-team adversarial engagement.

Survey

  • Threat Detection and Investigation with System-level Provenance Graphs: A Survey. Zhenyuan, et al. Computers & Security'2021 paper
  • SoK: History is a Vast Early Warning System: Auditing the Provenance of System Intrusions, Muhammad Adil Inam, et al. SP'2023 paper
  • Are we there yet? An Industrial Viewpoint on Provenance-based Endpoint Detection and Response Tools. Feng Dong, et al. CCS'2023 paper

Definition

Every event in audit logs represents an OS-level system activity such as process creation, file access, and network connection. Here, we use read and execve activities as examples to illustrate log events.

READ Event:
type=PROCTITLE msg=audit(08/26/19 20:34:53.383:98866813) : proctitle=bash 
type=SYSCALL msg=audit(08/26/19 20:34:53.383:98866813) : arch=x86_64 syscall=read success=yes exit=25 a0=0x3 a1=0x7ffedcf386a0 a2=0x80 a3=0x7fa5c53f19d0 items=0 ppid=15757 pid=30204 auid=junzeng uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts21 ses=6309 comm=service exe=/bin/dash key=(null) 

EXECVE Event:
type=PROCTITLE msg=audit(16/05/2019 16:18:30.752:49036555) : proctitle=ls /etc/bash_completion.d 
type=PATH msg=audit(16/05/2019 16:18:30.752:49036555) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=135768 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(16/05/2019 16:18:30.752:49036555) : item=0 name=/bin/ls inode=6815827 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(16/05/2019 16:18:30.752:49036555) : cwd=/home/junzeng 
type=EXECVE msg=audit(16/05/2019 16:18:30.752:49036555) : argc=2 a0=ls a1=/etc/bash_completion.d 
type=SYSCALL msg=audit(16/05/2019 16:18:30.752:49036555) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x170e168 a1=0x1847cc8 a2=0x1807008 a3=0x598 items=2 ppid=10738 pid=10739 auid=junzeng uid=junzeng gid=junzeng euid=junzeng suid=junzeng fsuid=junzeng egid=junzeng sgid=junzeng fsgid=junzeng tty=pts21 ses=287 comm=ls exe=/bin/ls key=(null)  
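The two events above are easier to reason about once the records sharing a serial number are grouped into one event. As an added example (not code from the original page), the Python below parses records in the interpreted format shown above (assumed to be `ausearch -i` output), groups them by serial number, and reduces each event to the subject/object facts a provenance graph needs, using the page's two events as sample input.

```python
import re
from collections import defaultdict
# Record header as printed in the interpreted format: type=<T> msg=audit(<time>:<serial>) : <fields>
HEADER = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$")
# A value runs until the next " key=" or end of line, so a proctitle with spaces survives.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")
# The two events shown above, copied verbatim as sample input.
SAMPLE = """\
type=PROCTITLE msg=audit(08/26/19 20:34:53.383:98866813) : proctitle=bash
type=SYSCALL msg=audit(08/26/19 20:34:53.383:98866813) : arch=x86_64 syscall=read success=yes exit=25 a0=0x3 a1=0x7ffedcf386a0 a2=0x80 a3=0x7fa5c53f19d0 items=0 ppid=15757 pid=30204 auid=junzeng uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts21 ses=6309 comm=service exe=/bin/dash key=(null)
type=PROCTITLE msg=audit(16/05/2019 16:18:30.752:49036555) : proctitle=ls /etc/bash_completion.d
type=PATH msg=audit(16/05/2019 16:18:30.752:49036555) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=135768 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(16/05/2019 16:18:30.752:49036555) : item=0 name=/bin/ls inode=6815827 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(16/05/2019 16:18:30.752:49036555) : cwd=/home/junzeng
type=EXECVE msg=audit(16/05/2019 16:18:30.752:49036555) : argc=2 a0=ls a1=/etc/bash_completion.d
type=SYSCALL msg=audit(16/05/2019 16:18:30.752:49036555) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x170e168 a1=0x1847cc8 a2=0x1807008 a3=0x598 items=2 ppid=10738 pid=10739 auid=junzeng uid=junzeng gid=junzeng euid=junzeng suid=junzeng fsuid=junzeng egid=junzeng sgid=junzeng fsgid=junzeng tty=pts21 ses=287 comm=ls exe=/bin/ls key=(null)
"""
def parse_records(text):
    """Group raw records into events; all records of one syscall share a serial number."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m: continue  # blank line or non-audit text
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"serial": serial, "time": ts, "records": defaultdict(list)})
        ev["records"][rtype].append(dict(FIELD.findall(body)))
    return list(events.values())

def summarize(ev):
    """Reduce one event to the subject (process) and object (file/argv) a provenance graph needs."""
    recs = ev["records"]
    if "SYSCALL" not in recs: return None  # incomplete event (e.g. truncated log)
    sc = recs["SYSCALL"][0]
    out = {"serial": ev["serial"], "syscall": sc["syscall"], "pid": int(sc["pid"]),
           "ppid": int(sc["ppid"]), "exe": sc["exe"], "uid": sc["uid"], "ok": sc["success"] == "yes"}
    if sc["syscall"] == "execve":
        ex = recs["EXECVE"][0]
        out["argv"] = [ex[f"a{i}"] for i in range(int(ex["argc"]))]
        out["cwd"] = recs["CWD"][0]["cwd"]
        # PATH item=0 is the executed binary; item=1 is the ELF interpreter loaded for it.
        out["path"] = {p["item"]: p["name"] for p in recs["PATH"]}.get("0")
    elif sc["syscall"] == "read":
        out["fd"] = int(sc["a0"], 16)   # a0 holds the descriptor (hex); items=0, so no PATH record
        out["bytes"] = int(sc["exit"])  # read(2) returns the byte count
    return out

if __name__ == "__main__":
    for ev in parse_records(SAMPLE):
        print(summarize(ev))
```

Note that the read event carries items=0 and therefore no PATH record: its object is known only as fd 3, which must be resolved against the earlier open/openat event of pid 30204 when the dependency graph is built.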

Generation

Tool

  • Linux Auditd/Auditbeat: kernel-level tracing facility for Linux. Here is a simplified version of auditd rules used in our research project WATSON.
  • Windows ETW: kernel-level tracing facility for Windows
  • FreeBSD DTrace: kernel-level tracing facility for FreeBSD

Literature

  • Forensix: A robust, high-performance reconstruction system. A. Goel, et al. Distributed computing systems workshops 2005 paper
  • PASS: Provenance-aware storage systems. K. Muniswamy-Reddy, et al. ATC'2006 paper
  • Layering in provenance systems. K.-K. Muniswamy-Reddy, et al. Security'2009 paper
  • Trail of bytes: efficient support for forensic analysis. S. Krishnan, K. Z. Snow, and F. Monrose. CCS'2010 paper
  • Hi-fi: collecting high-fidelity whole-system provenance. D. J. Pohly, et al. CCS'2012 paper
  • Spade: support for provenance auditing in distributed environments. A. Gehani and D. Tariq. International Middleware Conference 2012 paper
  • LPM: Trustworthy whole-system provenance for the linux kernel. A. Bates. et al. Security'2015 paper
  • Transparent Web Service Auditing via Network Provenance Functions. A. Bates, et al. WWW'2017 paper
  • Fear and logging in the internet of things. Q. Wang, et al. NDSS'2018 paper
  • Kernel-Supported Cost-Effective Audit Logging for Causality Tracking. S. Ma, et al. ATC'2018 paper
  • Xanthus: Push-button Orchestration of Host Provenance Data Collection. Han X., et al. P-RECS'2020 paper
  • CLARION: Sound and Clear Provenance Tracking for Microservice Deployments. Chen X. Security'2021 paper
  • ALASTOR: Reconstructing the Provenance of Serverless Intrusions. P. Datta., et al. Security'2022 paper
  • ProvTalk: Towards Interpretable Multi-level Provenance Analysis in Networking Functions Virtualization (NFV). Tabiban A., et al. NDSS'2022 paper
  • Towards Efficient Auditing for Real-Time Systems. Bansal A., et al. ESORICS'2022 paper
  • eAudit: A Fast, Scalable and Deployable Audit Data Collection System. R. Sekar, et al. paper

SIEM

Forensic Analysis

  • Backtracking intrusions. King, et al. SOSP'2003 paper
  • Enriching intrusion alerts through multi-host causality. S. T. King, et al. NDSS'2005 paper
  • The taser intrusion recovery system. A. Goel, et al. ASPLOS'2005 paper
  • Provenance-aware tracing of worm break-in and contaminations: A process coloring approach. X. Jiang, et al. ICDCS'2006 paper
  • Intrusion recovery using selective re-execution. T. Kim, et al. OSDI'2010 paper
  • Integrating IDS alert correlation and OS-level dependency tracking. Y. Zhai, et al. Intelligence and Security Informatics 2016 paper
  • CamFlow: Practical whole-system provenance capture. Pasquier, et al. Cloud Computing 2017 paper
  • SLEUTH: Real-time attack scenario reconstruction from COTS audit data. M. N. Hossain, et al. Security'2017 paper
  • Towards a timely causality analysis for enterprise security. Y. Liu, et al. NDSS'2018 paper
  • LPROV: Practical Library-aware Provenance Tracing. F. Wang, et al. ACSAC'2018 paper
  • This is Why We Can't Cache Nice Things: Lightning-Fast Threat Hunting using Suspicion-Based Hierarchical Storage. W. U. Hassan, et al. ACSAC'2020 paper
  • WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics. Jun Z, et al. NDSS'2021 paper
  • Forensic Analysis of Configuration-based Attacks. M. Adil Inam, et al. NDSS'2022 paper
  • Back-Propagating System Dependency Impact for Attack Investigation. PengCheng Fang, et al. Security'2022 paper
  • DEPCOMM: Graph Summarization on System Audit Logs for Attack Investigation. Zhiqiang Xu, et al. SP'2022 paper
  • RAPID: Real-Time Alert Investigation with Context-aware Prioritization for Efficient Threat Discovery. Yushan Liu, et al. ACSAC'2022 paper

Attack Detection

  • Detecting intrusions using system calls: Alternative data models. C. Warrender, et al. SP'1999 paper
  • Provenance-Aware Tracing of Worm Break-in and Contaminations: A Process Coloring Approach. X. Jiang, et al. ICDCS'2006 paper
  • On the learning of system call attributes for host-based anomaly detection. G. Tandon and P. K. Chan. IJAIT'2006 paper
  • Detecting insider threats in a real corporate database of computer usage activity. E. Ted, et al. KDD'2013 paper
  • Malicious behavior detection using Windows audit logs. K. Berlin, et al. AISec'2015 paper
  • Detection of early-stage enterprise infection by mining large-scale log data. A. Oprea, et al. DSN'2015 paper
  • Entity embedding-based anomaly detection for heterogeneous categorical events. T. Chen, et al. IJCAI'2016 paper
  • Hercule: Attack story reconstruction via community discovery on correlated log graph, K. Pei, et al. ACSAC'2016 paper
  • Fast Memory-efficient Anomaly Detection in Streaming Heterogeneous Graphs. E. Manzoor, et al. KDD'2016 paper
  • Efficient Discovery of Abnormal Event Sequences in Enterprise Secur. B. Dong, et al. CIKM'2017 paper
  • Collaborative Alert Ranking for Anomaly Detection. Y. Lin, et al. CIKM'2018 paper
  • Heterogeneous Graph Matching Networks for Unknown Malware Detection. S. Wang, et al. IJCAI'2019 paper
  • Holmes: Real-time APT detection through correlation of suspicious information flows. S. M. Milajerdi, et al. SP'2019 paper
  • NoDoze: Combatting threat alert fatigue with automated provenance triage. W. U. Hassan, et al. NDSS'2019 paper
  • UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats. Han, Xueyuan, et al. NDSS'2020 paper
  • You are what you do: Hunting stealthy malware via data provenance analysis. Wang, Qi, et al. NDSS'2020 paper
  • Tactical Provenance Analysis for Endpoint Detection and Response Systems. W. U. Hassan, et al. SP'2020 paper
  • ATLAS: A Sequence-based Learning Approach for Attack Investigation. A. Alsaheel, et al. Security'2021 paper
  • SIGL: Securing Software Installations Through Deep Graph Learning. Han Xueyuan, et al. Security'2021 paper
  • TRACE: Enterprise-Wide Provenance Tracking for Real-Time APT Detection. Hassaan Irshad, et al. Information Forensics and Security'2021 paper
  • ShadeWatcher: Recommendation-guided Cyber Threat Analysis using System Audit Records. Jun Zeng, et al. SP'2022 paper
  • DISTDET: A Cost-Effective Distributed Cyber Threat Detection System. Feng Dong, et al. Security'2023 paper
  • PROGRAPHER: An Anomaly Detection System based on Provenance Graph Embedding. Fan Yang, et al. Security'2023 paper
  • NodLink: An Online System for Fine-Grained APT Attack Detection and Investigation. Shaofei Li, et al. NDSS'2024 paper
  • MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning. Zian Jia, et al. Security'2024 paper
  • You Cannot Escape Me: Detecting Evasions of SIEM Rules in Enterprise Networks. Rafael Uetz, et al. Security'2024 paper
  • KAIROS: Practical Intrusion Detection and Investigation using Whole-system Provenance. Zijun Cheng, et al. SP'2024 paper
  • FLASH: A Comprehensive Approach to Intrusion Detection via Provenance Graph Representation Learning. Mati Ur Rehman, et al. paper
  • R-CAID: Embedding Root Cause Analysis within Provenance-based Intrusion Detection. Akul Goyal, et al. SP'2024 paper

Evasion

  • Sometimes, You Aren’t What You Do: Mimicry Attacks against Provenance Graph Host Intrusion Detection Systems. Akul Goyal, et al. NDSS'2023 paper
  • Evading Provenance-Based ML Detectors with Adversarial System Actions. Kunal Mukherjee, et al. Security'2023 paper

Limitations

Space Overhead

  • LogGC: Garbage collecting audit log. K. H. Lee, et al. CCS'2013 paper
  • High fidelity data reduction for big data security dependency analyses. Z. Xu, et al. CCS'2016 paper
  • Protracer: Towards practical provenance tracing by alternating between logging and tainting. S. Ma, X. Zhang, and D. Xu. NDSS 2016 paper
  • Towards scalable cluster auditing through grammatical inference over provenance graphs. W. U. Hassan, et al. NDSS'2018 paper
  • Dependence-preserving data compaction for scalable forensic analysis. M. N. Hossain, et al. Security'2018 paper
  • NodeMerge: Template Based Efficient Data Reduction For Big-Data Causality Analysis. Y. Tang, et al. CCS'2018 paper
  • APTrace: A Responsive System for Agile Enterprise Level Causality Analysis. Gui, et al. ICDE'2020 paper
  • On the Forensic Validity of Approximated Audit Logs. N. Michael, et al. ACSAC'2020 paper
  • Elise: A Storage Efficient Logging System Powered by Redundancy Reduction and Representation Learning. Hailun Ding, et al. Security'2021 paper
  • SEAL: Storage-efficient Causality Analysis on Enterprise Logs with Query-friendly Compression. P. Fei, et al. Security'2021 paper
  • FAuST: Striking a Bargain between Forensic Auditing’s Security and Throughput. Muhammad Adil Inam, et al. ACSAC'2022 paper
  • The Case for Learned Provenance Graph Storage Systems. Hailun Ding, et al. Security'2023 paper

Dependency Explosion

  • Forensic analysis of file system intrusions using improved backtracking, S. Sitaraman and S. Venkatesan. IWIA'2005 paper
  • Panorama: Capturing system-wide information flow for malware detection and analysis. H. Yin, et al. CCS'2007 paper
  • High accuracy attack provenance via binary-based execution partition. K. H. Lee, X. Zhang, and D. Xu. NDSS'2013 paper
  • Accurate, low cost and instrumentation-free security audit logging for windows. S. Ma, et al. ACSAC'2015 paper
  • Protracer: Towards practical provenance tracing by alternating between logging and tainting. S. Ma, X. Zhang, and D. Xu. NDSS 2016 paper
  • LDX: Causality inference by lightweight dual execution, Y. Kwon, et al. ASPLOS'2016 paper
  • MPI: Multiple perspective attack investigation with semantic aware execution partitioning. S. Ma, et al. Security'2017 paper
  • Rain: Refinable attack investigation with on-demand inter-process information flow tracking. Y. Ji, et al. CCS'2017 paper
  • Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking. Y. Ji, et al. Security'2018 paper
  • MCI: Modeling-based causality inference in audit logging for attack investigation. Y. Kwon, et al. NDSS'2018 paper
  • Propatrol: Attack investigation via extracted high-level tasks. S. M. Milajerdi, et al. Information Systems Security 2018 paper
  • UISCOPE: Accurate, Instrumentation-free, and Visible Attack Investigation for GUI Applications. Runqing Yang, et al. NDSS'2020 paper
  • Omega-Log: High-fidelity attack investigation via transparent multi-layer log analysis. Hassan, Wajih Ul, et al. NDSS'2020 paper
  • Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics. M. N. Hossain, et al. SP'2020 paper
  • ALchemist: Fusing Application and Audit Logs for Precise Attack Provenance without Instrumentation. Le Yu, et al. NDSS'2021 paper
  • Validating the Integrity of Audit Logs Against Execution Repartitioning Attacks. Y. Carter, et al. CCS'2021 paper
  • PalanTír: Optimizing Attack Provenance with Hardware-enhanced System Observability. Jun and Chuqi, et al. CCS'2022 paper

Query

  • Behavior query discovery in system-generated temporal graphs. B. Zong, et al. VLDB'2015 paper
  • AIQL: Enabling efficient attack investigation from system monitoring data. P. Gao, et al. ATC'2018 paper
  • SAQL: A stream-based query system for real-time abnormal system behavior detection. P. Gao, et al. Security'2018 paper
  • Threat intelligence computing. X. Shu, et al. CCS'2018 paper
  • Runtime Analysis of Whole-System Provenance. T. Pasquier, et al. CCS'2018 paper
  • Graalf: Supporting graphical analysis of audit logs for forensics. O. Setayeshfar, et al. arXiv'2019 paper
  • Poirot: Aligning attack behavior with kernel audit records for cyber threat hunting. S. M. Milajerdi, et al. CCS'2019 paper

Integrity

  • Forward integrity for secure audit logs. M. Bellare and B. Yee. Tech. Rep. 1997 paper
  • A new approach to secure logging. D. Ma and G. Tsudik. TOS'2009 paper
  • Efficient data structures for tamper-evident logging. S. A. Crosby and D. S. Wallach. Security'2009 paper
  • BAF: An efficient publicly verifiable secure audit logging scheme for distributed systems. A. A. Yavuz and P. Ning. ACSAC'2009 paper
  • Efficient, compromise resilient and append-only cryptographic schemes for secure audit logging. FC'2012 paper
  • SGX-Log: Securing system logs with SGX. Karande, Vishal, et al. AsiaCCS'2017 paper
  • Practical and robust secure logging from fault-tolerant sequential aggregate signatures. G. Hartung, et al. ProvSec'2017 paper
  • Custos: Practical tamper-evident auditing of operating systems using trusted execution. Paccagnella Riccardo, et al. NDSS'2020 paper
  • Logging to the Danger Zone: Race Condition Attacks and Defenses on System Audit Frameworks. Paccagnella Riccardo, et al. CCS'2020 paper
  • HardLog: Practical Tamper-Proof System Auditing Using a Novel Audit Device. Adil Ahmad, et al. SP'2022 paper

CTI

  • TTPDrill: Automatic and Accurate Extraction of Threat Actions from Unstructured Text of CTI Sources. Ghaith Husari, et al. ACSAC'2017 paper
  • Poirot: Aligning attack behavior with kernel audit records for cyber threat hunting. S. M. Milajerdi, et al. CCS'2019 paper
  • Cyber Threat Intelligence Modeling Based on Heterogeneous Graph Convolutional Network. Jun Zhao, et al. RAID'2020 paper
  • Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence. Peng Gao, et al. arXiv'2020 paper
  • Extractor: Extracting Attack Behavior from Threat Reports. Kiavash Satvat, et al. EuroSP'2021 paper