Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows

Audit logging is an important approach to cyber attack investigation. However, traditional audit logging either lacks accuracy or requires expensive and complex binary instrumentation. In this paper, we propose a Windows based audit logging technique that features accuracy and low cost. More importantly, it does not require instrumenting the applications, which is critical for commercial software with IP protection. The technique is build on Event Tracing for Windows (ETW). By analyzing ETW log and critical parts of application executables, a model can be constructed to parse ETW log to units representing independent sub-executions in a process. Causality inferred at the unit level renders much higher accuracy, allowing us to perform accurate attack investigation and highly effective log garbage collection.

Author(s):

Shiqing Ma    
Purdue University
United States

Kyuhyung Lee    
University of Georgia
United States

Chunghwan Kim    
Purdue University
United States

Junghwan Rhee    
NEC Laboratories America
United States

Xiangyu Zhang    
Purdue University
United States

Dongyan Xu    
Purdue University
United States