    Causal Connections Mining Within Security Event Logs

    Performing both security vulnerability assessment and configuration processes are heavily reliant on expert knowledge. This requirement often results in many systems being left insecure due to a lack of analysis expertise and access to specialist resources. It has long been known that a system's event log provides historical information depicting potential security threats, as well as recording configuration activities. In this paper, a novel technique is developed that can process security event logs on a computer that has been assessed and configured by a security professional, and autonomously establish causality amongst event log entries to learn performed configuration tasks. This extracted knowledge can then be exploited by non-professionals to plan steps that can improve the security of a previously unseen system

    Design and Analysis of a Dynamically Configured Log-based Distributed Security Event Detection Methodology

    Military and defense organizations rely upon the security of data stored in, and communicated through, their cyber infrastructure to fulfill their mission objectives. It is essential to identify threats to the cyber infrastructure in a timely manner, so that mission risks can be recognized and mitigated. Centralized event logging and correlation is a proven method for identifying threats to cyber resources. However, centralized event logging is inflexible and does not scale well, because it consumes excessive network bandwidth and imposes significant storage and processing requirements on the central event log server. In this paper, we present a flexible, distributed event correlation system designed to overcome these limitations by distributing the event correlation workload across the network of event-producing systems. To demonstrate the utility of the methodology, we model and simulate centralized, decentralized, and hybrid log analysis environments over three accountability levels and compare their performance in terms of detection capability, network bandwidth utilization, database query efficiency, and configurability. The results show that when compared to centralized event correlation, dynamically configured distributed event correlation provides increased flexibility, a significant reduction in network traffic in low and medium accountability environments, and a decrease in database query execution time in the high-accountability case

    The Study and Implementation of Network-Based Auditing System with Session Tracking and Monitoring

    With consideration of the increasing importance of auditing systems and the present auditing systems’ incapability of performing packet reassembling analysis, this research attempts to develop a “network-based auditing system with session tracking and monitoring” to assist network administrators in analyzing and rearranging the packets into separate session groups. This developed system is able to reveal every single step of the unauthorized activities. As a result, the administrators can investigate each network session and its transferred data more efficiently, and greatly reduce the time for auditing data analysis. In addition, the event reconstruction simulates the actual event that occurred at that time; this feature provides network administrators with more detailed and realistic insight concerning vulnerabilities in network security that need to be fixed. Also, this system keeps track of all network events, and collects related information in a set of auditing files (log files). Moreover, the collected records and reassembled files can serve as evidence in tracing cyber-crimes and as references for the recovery process

    A Platform for analyzing log files using temporal logic approach: a test case with web server logs

    Thesis submitted in partial fulfillment of the requirements for the Degree of Master of Science in Information Systems Security (MSc.ISS) at Strathmore University. Web logs are a set of recorded events between clients and web servers. Information provided by these events is valuable to computer system administrators, digital forensic investigators and system security personnel during digital investigations. It is important for these entities to understand when certain system events were initiated and by whom. To achieve this, it is fundamental to gather evidence related to the crime from log files. These forensic procedures however pose a major challenge due to the large sizes of the web log files, and the difficulty in understanding and correlating them to attack patterns associated with digital crimes. The connections of events that are remotely positioned in the large log files require extensive computational manpower. This dissertation proposes the design, implementation and evaluation of a web log analysis system based on temporal logic and reconstruction. The case study will be on web server misuse. Temporal Logic operators represent system changes over time. The reconstruction of records in web server log files as streams will enable the implementation of temporal logic on the streaming data. The web server attack patterns established will be described by a special subset of temporal logic known as MSFOMTL (Many Sorted First Order Metric Temporal Logic). The attack patterns will be written in a special EPL (Event Processing Language) as queries and be parsed through Esper, a Complex Event Processing (CEP) engine. To ensure the proposed system increases the quality of the log analysis process, log analysis will be performed based on a time window mechanism on sorted log files

    Simple, Fast, and Accurate Cybercrime Detection on E-Government with Elastic Stack SIEM

    Increased public activity in cyberspace (Internet) during the Covid-19 pandemic has also increased cybercrime cases with various attack targets, including E-Government services. Cybercrime is hidden and occurs unnoticed in E-Government, so handling it is challenging for all government agencies. The characteristics of E-Government are unique and different from other service systems in general, requiring extra anticipation for the prevention and handling of cybercrime attack threats. This research proposes log and event data analysis to detect cybercrime in e-Government using System Information and Event Management (SIEM). The main contribution of this research is a simple, fast, and accurate cybercrime detection process in the e-Government environment by increasing the level of log and event data analysis with the SIEM approach. SIEM technology based on machine learning and big data is implemented with Elastic Stack. The implemented technique can be used as a mitigation program against cybercrime threats that often attack and target e-Government. With simple, accurate, and fast cybercrime detection, it is expected to improve e-Government security and increase public confidence in public services organized by government agencies

    Secure Logging in between Theory and Practice: Security Analysis of the Implementation of Forward Secure Log Sealing in Journald

    This paper presents a security analysis of forward secure log sealing in the journald logging system, which is part of systemd and used in modern Linux distributions. Forward secure log sealing is a cryptographic technique used to ensure the integrity of past log entries even in the event of a full system compromise. We analyze the implementation of this technique in journald, identifying multiple security vulnerabilities resulting from a gap between the model of the cryptographic primitives and their usage in a larger context. In particular, one vulnerability allows an attacker to forge arbitrary logs for past entries without the validation tool noticing any problem. We demonstrate the found attacks on the journald implementation by providing a concrete security definition for the larger system, an implementation close to the security experiment and a corresponding attacker defeating it when used with a vulnerable version of journald. For the more serious vulnerabilities, we provide patch recommendations, which prevent the implemented attack. Our findings break the security guarantee from log sealing completely, without the error resulting from an inconsistency in the theoretical model or being a simple implementation mistake. This provides a practical example of the problems that can occur when applying cryptographic primitives to a complex system in reality and that fall in between theory and practice

    Ransomware Simulator for In-Depth Analysis and Detection: Leveraging Centralized Logging and Sysmon for Improved Cybersecurity

    Ransomware attacks have become increasingly prevalent and sophisticated, posing significant threats to organizations and individuals worldwide. To effectively combat these threats, security professionals must continuously develop and adapt their detection and mitigation strategies. This master thesis presents the design and implementation of a ransomware simulator to facilitate an in-depth analysis of ransomware Tactics, Techniques, and Procedures (TTPs) and to evaluate the effectiveness of centralized logging and Sysmon, including the latest event types, in detecting and responding to such attacks. The study explores the advanced capabilities of Sysmon as a logging tool and data source, focusing on its ability to capture multiple event types, such as file creation, process execution, and network traffic, as well as the newly added event types. The aim is to demonstrate the effectiveness of Sysmon in detecting and analyzing malicious activities, with an emphasis on the latest features. By focusing on the comprehensive aspects of a cyber-attack, the study showcases the versatility and utility of Sysmon in detecting and addressing various attack vectors. The ransomware simulator is developed using a PowerShell script that emulates various ransomware TTPs and attack scenarios, providing a comprehensive and realistic simulation of a ransomware attack. Sysmon, a powerful system monitoring tool, is utilized to monitor and log the activities associated with the simulated attack, including the events generated by the new Sysmon features. Centralized logging is achieved through the integration of Splunk Enterprise, a widely used platform for log analysis and management. The collected logs are then analyzed to identify patterns, indicators of compromise (IoCs), and potential detection and mitigation strategies.
Through the development of the ransomware simulator and the subsequent analysis of Sysmon logs, this research contributes to strengthening the security posture of organizations and improving cybersecurity measures against ransomware threats, with a focus on the latest Sysmon capabilities. The results demonstrate the importance of monitoring and analyzing system events to effectively detect and respond to ransomware attacks. This research can serve as a basis for further exploration of ransomware detection and response strategies, contributing to the advancement of cybersecurity practices and the development of more robust security measures against ransomware threats

    Discovering and Utilising Expert Knowledge from Security Event Logs

    Security assessment and configuration is a methodology of protecting computer systems from malicious entities. It is a continuous process and heavily dependent on human experts, who are widely attributed to being in short supply. This can result in a system being left insecure because of the lack of easily accessible experience and specialist resources. While performing security tasks, human experts often revert to a system's event logs to determine the status of security, such as failures, configuration modifications, system operations, etc. However, finding and exploiting knowledge from event logs is a challenging and time-consuming task for non-experts. Hence, there is a strong need to provide mechanisms to make the process easier for security experts, as well as providing tools for those with significantly less security expertise. Doing so automatically allows for persistent and methodical testing without an excessive amount of manual time and effort, and makes computer security more accessible to non-experts. In this thesis, we present a novel technique to process security event logs of a system that has been evaluated and configured by a security expert, extract key domain knowledge indicative of human decision making, and automatically apply the acquired knowledge to previously unseen systems by non-experts to recommend security improvements. The proposed solution utilises association and causal rule mining techniques to automatically discover relationships in the event log entries. The relationships are in the form of cause and effect rules that define security-related patterns. These rules and other relevant information are encoded into a PDDL-based domain action model. The domain model and problem instance generated from any vulnerable system can then be used to produce a plan-of-action by employing a state-of-the-art automated planning algorithm. The plan can be exploited by non-professionals to identify the security issues and make improvements.
    Empirical analysis is subsequently performed on 21 live, real-world event log datasets, where the acquired domain model and identified plans are closely examined. The solution's accuracy lies between 73% and 92% and gained a significant performance boost as compared to the manual approach of identifying event relationships. The research presented in this thesis is an automation of extracting knowledge from event data streams. The previous research and current industry practices suggest that this knowledge elicitation is performed by human experts. As evident from the empirical analysis, we present a promising line of work that has the capacity to be utilised in commercial settings. This would reduce (or even eliminate) the dire and immediate need for human resources along with contributing towards financial savings