Name
Abstract | ||
|---|---|---|
The damage caused by Advanced Persistent Threat (APT) attacks to governments and large enterprises is gradually escalating. Once an attack event is detected, forensic analysis will use the dependencies between system audit logs to rapidly locate intrusion points and determine the impact of the attacks. Due to the high persistence of APT attacks, huge amounts of data will be stored to meet the needs of forensic analysis, which not only brings great storage overhead, but also sharply increases the computing costs. To compact data without affecting forensic analysis, several methods have been proposed. However, in real-world scenarios, we meet the problems of weak cross-platform capability, large data processing overhead, and poor real-time performance, rendering existing data compaction methods difficult to meet the usability and universality requirements jointly. To overcome these difficulties, this paper proposes a general, efficient, and real-time data compaction method at the system log level; it does not involve internal analysis of the program or depend on the specific operating system type, and it includes two strategies: 1) data compaction of maintaining global semantics (GS), which determines and deletes redundant events that do not affect global dependencies, and 2) data compaction based on suspicious semantics (SS). Given that the purpose of forensic analysis is to restore the attack chain, SS performs context analysis on the remaining events from GS and further deletes the parts that are not related to the attack. The results of the real-world experiments show that the compaction ratios of our method to system events are as high as 436x to 13.18x and 7.86x to 26.99x on GS and SS, respectively, which is better than state-of-the-art studies. |
Year | DOI | Venue |
|---|---|---|
2021 | 10.1109/TIFS.2021.3076288 | IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY |
Keywords | DocType | Volume |
Data compaction, advanced persistent threat, forensic analysis | Journal | 16 |
ISSN | Citations | PageRank |
1556-6013 | 0 | 0.34 |
References | Authors | |
0 | 9 | |
Name | Order | Citations | PageRank |
|---|---|---|---|
| Tiantian Zhu | 1 | 9 | 3.91 |
| Jiayu Wang | 2 | 0 | 0.34 |
| Linqi Ruan | 3 | 0 | 0.34 |
| Chunlin Xiong | 4 | 2 | 1.73 |
| Jinkai Yu | 5 | 0 | 0.34 |
| Yaosheng Li | 6 | 0 | 0.34 |
| Yan Chen | 7 | 5 | 1.46 |
| Mingqi Lv | 8 | 18 | 3.81 |
| Tieming Chen | 9 | 29 | 5.11 |