Abstract |
---|
In the context of Advanced Persistent Threats (APTs), system audit log-based intrusion forensics has been proposed to carry out attack investigation. System audit logs are highly suitable for intrusion forensics because they record the interactions among system entities in detail. However, system audit logs have a fatal shortcoming: their massive growth in size. To address this issue, this paper proposes a compression scheme for system audit logs named T-Tracker. First, T-Tracker detects the events that communicate with external data sources and generates the initial taint set. Then it tracks the diffusion of the taint according to the audit log. By retaining only the events on the diffusion path, log compression is achieved. Our evaluation with different system workloads and attack cases demonstrates that our approach achieves significant log compression without affecting the accuracy of intrusion forensics. |
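Worked illustration of the two-phase scheme the abstract describes, as an added example written for this page (not the T-Tracker implementation): a forward taint pass over a constructed audit log, seeded by inbound flows from network sockets, that keeps only events whose data source is already tainted. The operation names, the `socket:` naming convention and the sample events are assumptions.

```python
# Added example: taint-diffusion compression of a system audit log, modelled on
# the two phases the abstract describes (seed taint from external inputs, then
# keep only events on the diffusion path). Simplified model written for this
# page, not the T-Tracker implementation; operation names are assumed.
from collections import namedtuple

Event = namedtuple("Event", "ts subject op obj")

# Direction of data flow for each operation, as (source, sink) attribute names.
FLOW = {
    "recv":  ("obj", "subject"),   # process receives data from a socket
    "read":  ("obj", "subject"),   # process reads a file
    "write": ("subject", "obj"),   # process writes a file
    "fork":  ("subject", "obj"),   # parent process spawns a child
    "send":  ("subject", "obj"),   # process sends data to a socket
}

def is_external(entity):
    """Constructed convention: network sockets are the external data sources."""
    return entity.startswith("socket:")

def compress(events):
    """Forward taint pass over time-ordered events.
    Returns (kept_events, tainted_entities): an event is kept iff its data
    source is tainted, i.e. it lies on a diffusion path from an external input."""
    tainted, kept = set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        src_attr, dst_attr = FLOW[ev.op]
        src, dst = getattr(ev, src_attr), getattr(ev, dst_attr)
        if is_external(src):      # initial taint set: inbound external data
            tainted.add(src)
        if src in tainted:        # taint diffuses from source to sink
            tainted.add(dst)
            kept.append(ev)
    return kept, tainted

# Constructed sample log: a download-and-run chain mixed with benign noise.
AUDIT_LOG = [
    Event(1, "proc:curl", "recv",  "socket:203.0.113.5:80"),
    Event(2, "proc:curl", "write", "file:/tmp/update.sh"),
    Event(3, "proc:cron", "read",  "file:/etc/crontab"),           # noise
    Event(4, "proc:bash", "read",  "file:/tmp/update.sh"),
    Event(5, "proc:vim",  "write", "file:/home/alice/notes.txt"),  # noise
    Event(6, "proc:bash", "fork",  "proc:sh"),
    Event(7, "proc:sh",   "write", "file:/etc/cron.d/job"),
    Event(8, "proc:sshd", "recv",  "socket:192.0.2.9:22"),         # seed, no diffusion
]

if __name__ == "__main__":
    kept, tainted = compress(AUDIT_LOG)
    print(f"kept {len(kept)}/{len(AUDIT_LOG)} events; tainted: {sorted(tainted)}")
    for ev in kept:
        print(ev)
```

Events 3 and 5 never touch a tainted entity and are dropped, while event 8 is retained because every event in the initial taint set is on a diffusion path by definition.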
Year | DOI | Venue |
---|---|---|
2018 | 10.1109/PADSW.2018.8645035 | 2018 IEEE 24th International Conference on Parallel and Distributed Systems (ICPADS) |
Keywords | Field | DocType |
Conferences | Intrusion, Computer science, Audit trail, Real-time computing, Information technology audit | Conference |
ISSN | ISBN | Citations |
1521-9097 | 978-1-5386-7308-9 | 0 |
PageRank | References | Authors |
0.34 | 0 | 5 |