On the forensic validity of approximated audit logs
Michael, Noor Sultan
Permalink
https://hdl.handle.net/2142/108188
Description
- Title: On the forensic validity of approximated audit logs
- Author(s): Michael, Noor Sultan
- Issue Date: 2020-05-13
- Director of Research (if dissertation) or Advisor (if thesis): Bates, Adam
- Department of Study: Computer Science
- Discipline: Computer Science
- Degree Granting Institution: University of Illinois at Urbana-Champaign
- Degree Name: M.S.
- Degree Level: Thesis
- Keyword(s): Security; Privacy; Intrusion Detection Systems; Auditing; Data Provenance; Digital Forensics
- Abstract: Auditing is an increasingly essential tool for the defense of computing systems, but the unwieldy nature of log data imposes tremendous burdens on administrators and analysts. To address this issue, a variety of techniques have been proposed for approximating the contents of raw audit logs, facilitating efficient storage and analysis. However, the security value of these approximated logs is difficult to measure: relative to the original log, it is unclear whether these techniques retain the forensic evidence needed to effectively investigate threats. Unfortunately, prior work has only been able to investigate this issue anecdotally, demonstrating that sufficient evidence is retained for specific attack scenarios. In this work, we address this gap in the literature by formalizing metrics for quantifying the forensic validity of an approximated audit log under differing threat models. In addition to providing quantifiable security arguments for prior work, we also identify a novel point in the approximation design space: log events describing benign system activity can be aggressively approximated, while events that encode anomalous behavior should be preserved with lossless fidelity. We instantiate this notion of Attack-Preserving forensic validity in Approx, a new approximation technique that eliminates the redundancy of voluminous file I/O associated with benign process activities. We systematically evaluate Approx alongside a corpus of exemplar approximation techniques from prior work. We demonstrate that, while Approx enjoys comparable log reduction rates, it is able to retain 100% of attack-associated log events; in contrast, we make the surprising discovery that prior approaches for log approximation retain as little as 7.3% of forensic evidence under the Attack-Preserving metric. This work thus establishes trustworthy foundations for the design of the next generation of efficient auditing frameworks.
- Graduation Semester: 2020-05
- Type of Resource: Thesis
- Copyright and License Information: Copyright 2020 Noor Michael
Owning Collections
- Graduate Dissertations and Theses at Illinois (primary)
- Dissertations and Theses - Computer Science