Kellect: a Kernel-Based Efficient and Lossless Event Log Collector for Windows Security
- URL: http://arxiv.org/abs/2207.11530v2
- Date: Sun, 1 Oct 2023 19:03:41 GMT
- Title: Kellect: a Kernel-Based Efficient and Lossless Event Log Collector for Windows Security
- Authors: Tieming Chen, Qijie Song, Xuebo Qiu, Tiantian Zhu, Zhiling Zhu, Mingqi Lv
- Abstract summary: Existing log collection tools built on ETW for Windows suffer from shortcomings including data loss, high overhead, and weak real-time performance.
This paper proposes an efficient and lossless kernel log collector called Kellect, which has been open-sourced at www.kellect.org.
- Score: 5.043058252123722
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Recently, APT attacks have happened frequently; they are increasingly
complicated and more challenging for traditional security detection models.
System logs are vital for cyber security analysis mainly because they allow
system behavior to be reconstructed effectively. Existing log collection tools
built on ETW (Event Tracing for Windows) suffer from shortcomings including data
loss, high overhead, and weak real-time performance. Therefore, it is still very
difficult to apply ETW-based Windows tools to analyze APT attack scenarios.
To address these challenges, this paper proposes an efficient and lossless
kernel log collector called Kellect, which has been open-sourced at
www.kellect.org. It adds only 2%-3% of extra CPU usage and about 40 MB of
memory consumption, by dynamically optimizing the number of caches and
processing threads through a multi-level cache solution. By replacing the TDH
(Trace Data Helper) library with a sliding pointer for event parsing, Kellect
enhances analysis performance, achieving at least 9 times the efficiency of
existing tools. Furthermore, Kellect improves compatibility across different OS
versions. Additionally, Kellect enhances log semantics by maintaining event
mappings and application call stacks, which provide more comprehensive
characteristics for security behavior analysis.
With extensive experiments, Kellect demonstrates its capability to achieve
non-destructive, real-time and full collection of kernel event log data, with
an overall efficiency 9 times greater than existing tools. As a killer
illustration of how Kellect can work for APT analysis, full data logs have been
collected as a dataset, Kellect4APT, generated by implementing TTPs from the
latest ATT&CK. To our knowledge, it is the first open benchmark dataset
representing ATT&CK technique-specific behaviors, which could be expected to
foster more extensive research on APT study.
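The "sliding pointer" parsing the abstract contrasts with the TDH library is the idea of resolving an event's field layout once per event type and then decoding each event record's UserData by walking a pointer across it, instead of calling TdhGetEventInformation/TdhGetProperty per event. The block below is an added example of that technique, not Kellect's code and not a real provider's schema: the four-field "process start" layout, the field names, and the 32-byte sample payload are all constructed for illustration. It also shows the check a lossless collector needs: a truncated record is reported (return 0) rather than read past the end of the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Field kinds of a cached per-event-type layout (hypothetical; stands in
 * for the schema TDH would return, resolved once and then reused). */
typedef enum { F_U32, F_U64, F_WSTR } field_kind;

typedef struct {
    const char *name;
    field_kind  kind;
} field_desc;

/* One decoded field. For F_WSTR the UTF-16LE string is narrowed to ASCII
 * into `s` and `u` holds its length in characters. */
typedef struct {
    field_kind kind;
    uint64_t   u;
    char       s[64];
} field_value;

/* Constructed layout for a hypothetical "process start" event. */
static const field_desc PROC_START_LAYOUT[] = {
    { "ProcessId",       F_U32  },
    { "ParentProcessId", F_U32  },
    { "SessionKey",      F_U64  },
    { "ImageFileName",   F_WSTR },
};
#define PROC_START_NFIELDS (sizeof PROC_START_LAYOUT / sizeof PROC_START_LAYOUT[0])

/* ETW UserData is packed little-endian and may be unaligned, so assemble
 * integers byte by byte instead of casting the pointer. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p)
{
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}

/* Slide `p` across `data` according to `layout`. Returns the number of
 * bytes consumed, or 0 if the record is shorter than the layout requires:
 * a truncated or mismatched record must be reported, never over-read. */
static size_t parse_event(const field_desc *layout, size_t nfields,
                          const uint8_t *data, size_t len, field_value *out)
{
    const uint8_t *p = data, *end = data + len;
    for (size_t i = 0; i < nfields; i++) {
        out[i].kind = layout[i].kind;
        out[i].s[0] = '\0';
        switch (layout[i].kind) {
        case F_U32:
            if (end - p < 4) return 0;
            out[i].u = rd32(p); p += 4; break;
        case F_U64:
            if (end - p < 8) return 0;
            out[i].u = rd64(p); p += 8; break;
        case F_WSTR: {
            /* NUL-terminated UTF-16LE: the length is only known by scanning,
             * which is exactly where an unchecked pointer walk would over-read. */
            size_t n = 0;
            for (;;) {
                if (end - p < 2) return 0;        /* terminator not in buffer */
                uint16_t ch = (uint16_t)(p[0] | p[1] << 8);
                p += 2;
                if (ch == 0) break;
                if (n + 1 < sizeof out[i].s)
                    out[i].s[n++] = (ch < 0x80) ? (char)ch : '?';
            }
            out[i].s[n] = '\0';
            out[i].u = n;
            break;
        }
        }
    }
    return (size_t)(p - data);
}

/* Constructed sample payload: pid 4120, parent pid 772, session key 0xabcdef,
 * image name "cmd.exe" as UTF-16LE with terminator (32 bytes in total). */
static const uint8_t SAMPLE_USERDATA[] = {
    0x18, 0x10, 0x00, 0x00,                         /* ProcessId       */
    0x04, 0x03, 0x00, 0x00,                         /* ParentProcessId */
    0xef, 0xcd, 0xab, 0x00, 0x00, 0x00, 0x00, 0x00, /* SessionKey      */
    'c', 0, 'm', 0, 'd', 0, '.', 0, 'e', 0, 'x', 0, 'e', 0, 0, 0 /* ImageFileName */
};

/* Parse the full sample; returns bytes consumed. */
size_t parse_sample(field_value out[PROC_START_NFIELDS])
{
    return parse_event(PROC_START_LAYOUT, PROC_START_NFIELDS,
                       SAMPLE_USERDATA, sizeof SAMPLE_USERDATA, out);
}

/* Feed only the first `len` bytes, as a consumer would see a cut-off record. */
size_t parse_sample_prefix(size_t len, field_value out[PROC_START_NFIELDS])
{
    if (len > sizeof SAMPLE_USERDATA) len = sizeof SAMPLE_USERDATA;
    return parse_event(PROC_START_LAYOUT, PROC_START_NFIELDS, SAMPLE_USERDATA, len, out);
}

int main(void)
{
    field_value v[PROC_START_NFIELDS];
    size_t used = parse_sample(v);
    for (size_t i = 0; i < PROC_START_NFIELDS; i++) {
        if (v[i].kind == F_WSTR) printf("%s=%s\n", PROC_START_LAYOUT[i].name, v[i].s);
        else printf("%s=%llu\n", PROC_START_LAYOUT[i].name, (unsigned long long)v[i].u);
    }
    printf("consumed=%zu truncated_result=%zu\n", used, parse_sample_prefix(20, v));
    return 0;
}
```

The per-event cost here is a handful of bounds checks and byte reads; the schema lookup that TDH would repeat for every event has been hoisted into the static layout table. In a real consumer the layout would be selected by provider GUID, event ID/opcode and version before the walk, since the same event ID can change shape across OS versions.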
Related papers
- PARIS: A Practical, Adaptive Trace-Fetching and Real-Time Malicious Behavior Detection System [6.068607290592521]
We propose an adaptive trace-fetching, lightweight, real-time malicious behavior detection system.
Specifically, we monitor malicious behavior with Event Tracing for Windows (ETW) and learn to selectively collect maliciousness-related APIs or call stacks.
As a result, we can monitor a wider range of APIs and detect more intricate attack behavior.
arXiv Detail & Related papers (2024-11-02T14:52:04Z)
- CICAPT-IIOT: A provenance-based APT attack dataset for IIoT environment [1.841560106836332]
Industrial Internet of Things (IIoT) is a transformative paradigm that integrates smart sensors, advanced analytics, and robust connectivity within industrial processes.
Advanced Persistent Threats (APTs) pose a particularly grave concern due to their stealthy, prolonged, and targeted nature.
The CICAPT-IIoT dataset presents a foundation for developing holistic cybersecurity measures.
arXiv Detail & Related papers (2024-07-15T23:08:34Z)
- Efficient Architecture Search via Bi-level Data Pruning [70.29970746807882]
This work pioneers an exploration into the critical role of dataset characteristics for DARTS bi-level optimization.
We introduce a new progressive data pruning strategy that utilizes supernet prediction dynamics as the metric.
Comprehensive evaluations on the NAS-Bench-201 search space, DARTS search space, and MobileNet-like search space validate that BDP reduces search costs by over 50%.
arXiv Detail & Related papers (2023-12-21T02:48:44Z)
- LogShield: A Transformer-based APT Detection System Leveraging Self-Attention [2.1256044139613772]
This paper proposes LogShield, a framework designed to detect APT attack patterns leveraging the power of self-attention in transformers.
We incorporate customized embedding layers to effectively capture the context of event sequences derived from provenance graphs.
Our framework achieved superior F1 scores of 98% and 95% on the two datasets respectively, surpassing the F1 scores of 96% and 94% obtained by LSTM models.
arXiv Detail & Related papers (2023-11-09T20:43:15Z)
- ETAD: A Unified Framework for Efficient Temporal Action Detection [70.21104995731085]
Untrimmed video understanding such as temporal action detection (TAD) often suffers from the huge demand for computing resources.
We build a unified framework for efficient end-to-end temporal action detection (ETAD).
ETAD achieves state-of-the-art performance on both THUMOS-14 and ActivityNet-1.3.
arXiv Detail & Related papers (2022-05-14T21:16:21Z)
- ARLIF-IDS -- Attention augmented Real-Time Isolation Forest Intrusion Detection System [0.0]
Internet of Things and Software Defined Networking leverage lightweight strategies for the early detection of DDoS attacks.
It is essential to have a fast and effective security identification model based on a low number of features.
In this work, a novel Attention-based Isolation Forest Intrusion Detection System is proposed.
arXiv Detail & Related papers (2022-04-20T18:40:23Z)
- VELVET: a noVel Ensemble Learning approach to automatically locate VulnErable sTatements [62.93814803258067]
This paper presents VELVET, a novel ensemble learning approach to locate vulnerable statements in source code.
Our model combines graph-based and sequence-based neural networks to successfully capture the local and global context of a program graph.
VELVET achieves 99.6% and 43.6% top-1 accuracy over synthetic data and real-world data, respectively.
arXiv Detail & Related papers (2021-12-20T22:45:27Z)
- LogLAB: Attention-Based Labeling of Log Data Anomalies via Weak Supervision [63.08516384181491]
We present LogLAB, a novel modeling approach for automated labeling of log messages without requiring manual work by experts.
Our method relies on estimated failure time windows provided by monitoring systems to produce precisely labeled datasets in retrospect.
Our evaluation shows that LogLAB consistently outperforms nine benchmark approaches across three different datasets and maintains an F1-score of more than 0.98 even at large failure time windows.
arXiv Detail & Related papers (2021-11-02T15:16:08Z)
- Robust and Transferable Anomaly Detection in Log Data using Pre-Trained Language Models [59.04636530383049]
Anomalies or failures in large computer systems, such as the cloud, have an impact on a large number of users.
We propose a framework for anomaly detection in log data, a major troubleshooting source of system information.
arXiv Detail & Related papers (2021-02-23T09:17:05Z)
- Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection [67.53296659361598]
Adversarial EXEmples can bypass machine learning-based detection by perturbing relatively few input bytes.
We develop a unifying framework that not only encompasses and generalizes previous attacks against machine-learning models, but also includes three novel attacks.
These attacks, named Full DOS, Extend and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section.
arXiv Detail & Related papers (2020-08-17T07:16:57Z)
- Detecting the Insider Threat with Long Short Term Memory (LSTM) Neural Networks [0.799536002595393]
In this study, we use deep learning, and most specifically Long Short Term Memory (LSTM) recurrent networks, to enable the detection of insider threats.
We demonstrate through a very large, anonymized dataset how LSTM uses the sequenced nature of the data to reduce the search space and make the work of a security analyst more effective.
arXiv Detail & Related papers (2020-07-20T23:29:01Z)
This list is automatically generated from the titles and abstracts of the papers in this site.