On the Forensic Validity of Approximated Audit Logs
Noor Michael, Jaron Mink, Jason Liu, Sneha Gaur, Wajih Ul Hassan, and Adam Bates
University of Illinois at Urbana-Champaign
Audit Logs are Invaluable… but Burdensome [2]
● Records history of executed events
  ○ Kernel-level frameworks track application syscalls
● 75% of analysts [1] believe logs are the most important resource when investigating threats
[1] Carbon Black. 2018. Global Incident Response Threat Report. https://www.carbonblack.com/global-incident-response-threat-report/november-2018/
[2] Lee et al. LogGC: Garbage Collecting Audit Log. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS '13)
Audit Log Reduction Techniques
Insight: The entire audit log is not often required
Information may be:
● not needed for investigation goal
● redundant
● reasonably approximated

Original Log:
1: <Proc A, t_001, send, server.com>
...
99: <Proc A, t_099, send, server.com>

Approximated Log:
1: <Proc A, t_0XX, send, server.com>

Investigation Goal: Determine where process A sent data
The same conclusion is reached with either log

Investigation Goal: Determine whether Proc A was using a covert timing channel [1]
Conclusions may differ!

How much information is kept for arbitrary goals under different threat models?
[1] Cabuk, S., Brodley, C. E., & Shields, C. (2004, October). IP covert timing channels: design and detection. In Proceedings of the 11th ACM Conference on Computer and Communications Security
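As an added illustration (not code from the paper or the slides), the following Python script builds the slide's <process, timestamp, op, destination> log, coalesces the 99 repeated sends the way the approximated log does, and then asks both investigation goals of each version. The names (`make_log`, `approximate`, `compare_goals`), the count field on each record and the `mirror.example` destination in the second sample are my assumptions; the timing goal is modelled as the spread of inter-event gaps, a stand-in for the covert-channel analysis the slide cites, not that paper's method.

```python
from statistics import pstdev

# Record shape follows the slide: (process, timestamp, operation, destination, count).
# The count field is 1 in the original log and grows when events are coalesced.
def make_log(dests, period=1.0):
    """Constructed log: one 'send' per entry of `dests`, one every `period` seconds."""
    return [("Proc A", round(1.0 + i * period, 3), "send", d, 1) for i, d in enumerate(dests)]

# Constructed inputs (not data from the paper).
ORIGINAL_LOG = make_log(["server.com"] * 99)                                   # the slide's 99 sends
MIXED_LOG = make_log(["server.com"] * 50 + ["mirror.example"] + ["server.com"] * 48)

def approximate(log):
    """Coalesce runs of events that differ only in timestamp into a single record
    that keeps the first timestamp and a count (the slide's 't_0XX' entry)."""
    out = []
    for proc, t, op, dst, n in log:
        if out and out[-1][0] == proc and out[-1][2] == op and out[-1][3] == dst:
            p, t0, o, d, k = out[-1]
            out[-1] = (p, t0, o, d, k + n)
        else:
            out.append((proc, t, op, dst, n))
    return out

# Goal 1: where did the process send data? Only the set of destinations matters.
def destinations(log, proc="Proc A"):
    return sorted({r[3] for r in log if r[0] == proc and r[2] == "send"})

# Goal 2: were the sends regularly spaced? This needs the individual timestamps.
def inter_event_gaps(log, proc="Proc A"):
    ts = sorted(r[1] for r in log if r[0] == proc and r[2] == "send")
    return [round(b - a, 6) for a, b in zip(ts, ts[1:])]

def timing_regularity(log, proc="Proc A"):
    """Population std-dev of inter-event gaps, or None when the log no longer
    carries enough timestamps to say anything about timing at all."""
    gaps = inter_event_gaps(log, proc)
    return pstdev(gaps) if len(gaps) >= 2 else None

def compare_goals(log):
    """Answer both goals on the original and on the approximated log, side by side."""
    approx = approximate(log)
    return {
        "records": (len(log), len(approx)),
        "goal1_same": destinations(log) == destinations(approx),
        "goal2_original": timing_regularity(log),
        "goal2_approx": timing_regularity(approx),
    }

if __name__ == "__main__":
    for name, log in (("slide log", ORIGINAL_LOG), ("mixed log", MIXED_LOG)):
        print(name, compare_goals(log))
```

On the slide's log the destination question gets the same answer from 1 record as from 99, while the timing question cannot be asked of the approximated log at all. On the mixed log the approximation keeps 3 records, so a timing statistic can still be computed, but it describes the gaps between coalesced records (50 s and 1 s) rather than the perfectly regular 1 s cadence of the original: the conclusion does not just degrade, it changes.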
Formalizing Forensic Metrics
Provenance Graph
Nodes: System Objects
Edges: Causal Events
Lossless
Threat Model: Diverges from system level abstractions
Preserves: All Information

Causality-Preserving (based on Xu et al. [1])
Threat Model: Abides by system level abstractions
Preserves: Information flow

Attack-Preserving
Threat Model: Abides by system level abstractions
Preserves: Uniquely Malicious information flow

[1] Zhang Xu et al. 2016. High Fidelity Data Reduction for Big Data Security Dependency Analyses. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
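The three metrics above, as an added example that is not the paper's code or its formal definitions: the provenance graph is an edge list, and each metric is modelled (my assumption, reachability-based) as follows. Lossless means the reduced graph carries exactly the same events; causality-preserving means every u-to-v information flow of the original still exists; attack-preserving means the same restricted to flows that touch a known-malicious node. Each is scored as a fraction of original flows retained, so the result is continuous rather than pass/fail. The sample graph, the node names, the `MALICIOUS` set and the three reductions are constructed.

```python
from collections import defaultdict, deque

# Constructed provenance graph (not from the paper). Nodes are system objects;
# each edge (src, dst, event) is a causal event in the direction information flows.
ORIGINAL = [
    ("bash", "curl", "exec"),
    ("sock:remote", "curl", "recv"),
    ("curl", "/tmp/payload", "write"),
    ("/tmp/payload", "sh", "exec"),
    ("/etc/passwd", "sh", "read"),
    ("sh", "sock:remote", "send"),
    ("bash", "firefox", "exec"),
    ("/Cache/1", "firefox", "read"),
    ("/Cache/1", "firefox", "read"),   # repeated identical events
    ("/Cache/1", "firefox", "read"),
    ("/Cache/2", "firefox", "read"),
    ("firefox", "/Cache/3", "write"),
]
MALICIOUS = {"sock:remote", "/tmp/payload"}   # labels an analyst would attach after triage

def nodes(edges):
    return {n for src, dst, _ in edges for n in (src, dst)}

def reachable_pairs(edges):
    """All (u, v) with u != v such that information can flow from u to v."""
    adj = defaultdict(set)
    for src, dst, _ in edges:
        adj[src].add(dst)
    pairs = set()
    for start in nodes(edges):
        seen, queue = {start}, deque([start])
        while queue:
            u = queue.popleft()
            for v in adj[u]:
                if v not in seen:
                    seen.add(v)
                    queue.append(v)
        pairs.update((start, v) for v in seen if v != start)
    return pairs

def is_lossless(original, reduced):
    return sorted(original) == sorted(reduced)

def causality_score(original, reduced):
    """Fraction of the original graph's information flows the reduced graph still shows."""
    o = reachable_pairs(original)
    return len(o & reachable_pairs(reduced)) / len(o)

def attack_score(original, reduced, malicious):
    """causality_score restricted to flows that start or end at a malicious node."""
    o = {p for p in reachable_pairs(original) if p[0] in malicious or p[1] in malicious}
    return len(o & reachable_pairs(reduced)) / len(o)

def evaluate(original, reduced, malicious=MALICIOUS):
    return {
        "lossless": is_lossless(original, reduced),
        "causality": causality_score(original, reduced),
        "attack": attack_score(original, reduced, malicious),
    }

# Three constructed reductions, from harmless to harmful.
def dedupe(edges):
    """Keep one copy of each identical event (a typical redundancy reduction)."""
    seen, out = set(), []
    for e in edges:
        if e not in seen:
            seen.add(e)
            out.append(e)
    return out

def drop_edges(edges, victims):
    """Remove every event between the given (src, dst) pairs."""
    return [e for e in edges if (e[0], e[1]) not in victims]

if __name__ == "__main__":
    print("dedupe        ", evaluate(ORIGINAL, dedupe(ORIGINAL)))
    print("drop benign   ", evaluate(ORIGINAL, drop_edges(ORIGINAL, {("/Cache/2", "firefox")})))
    print("drop attack   ", evaluate(ORIGINAL, drop_edges(ORIGINAL, {("/tmp/payload", "sh")})))
```

Deduplicating the three identical Firefox reads is not lossless but scores 1.0 on both flow metrics; dropping the benign /Cache/2 read lowers the causality score yet leaves the attack score at 1.0; dropping the payload-to-sh exec breaks both. That ordering is the point of having separate metrics per threat model rather than one pass/fail verdict.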
LogApprox
Reduction Opportunities
● Most system events are file IO events!
  ○ Related files unable to be causally reduced
LogApprox Reduction:
● Coalesce repetitive IO activity via regexes
Filepaths for Firefox.exe:
/Cache/11/page1.html
/Cache/12/page2.html
/Cache/13/page3.html
/lib/libc.so.1
/lib/libc.so.6
/lib/libc.so.7
/lib64/libQt3t.so.1
/lib64/libQt3t.so.1.1
/lib64/libQt3t.so.1.2

Group by:
Filename Similarity: α (Levenshtein Edit Distance)
Path Distance: β (Number of different directories)

Group 1: /Cache/11/page1.html, /Cache/12/page2.html, /Cache/13/page3.html
  → /Cache/*/page*
Group 2: /lib/libc.so.1, /lib/libc.so.6, /lib/libc.so.7
  → /lib/libc.so.*
Group 3: /lib64/libQt3t.so.1, /lib64/libQt3t.so.1.1, /lib64/libQt3t.so.1.2
  → /lib64/libQt3t.so.1*

Firefox IO Templates:
/Cache/*/page*
/lib/libc.so.*
/lib64/libQt3t.so.1*
APPLY
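A runnable reconstruction of the grouping-and-templating walkthrough, added here and not the LogApprox implementation: greedy grouping under an edit-distance threshold α on filenames and a directory-difference threshold β on paths, template generation for each group, and the APPLY step that rewrites matching events to their template and coalesces repeats. The threshold values (α = 3, β = 1), the template rules (directories that vary become `*`, filenames keep their common prefix), the extra `report.pdf` event and all function names are my assumptions; the nine file paths are the slide's.

```python
import os
import re
from itertools import zip_longest

# Constructed input: the file paths from the slide, plus one unrelated write.
FIREFOX_PATHS = [
    "/Cache/11/page1.html", "/Cache/12/page2.html", "/Cache/13/page3.html",
    "/lib/libc.so.1", "/lib/libc.so.6", "/lib/libc.so.7",
    "/lib64/libQt3t.so.1", "/lib64/libQt3t.so.1.1", "/lib64/libQt3t.so.1.2",
]
EVENTS = [("firefox", "read", p) for p in FIREFOX_PATHS] + [
    ("firefox", "write", "/home/user/Downloads/report.pdf"),
]
ALPHA, BETA = 3, 1   # assumed thresholds; the slide names alpha and beta but gives no values

def levenshtein(a, b):
    """Classic edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_path(path):
    """'/Cache/11/page1.html' -> (['Cache', '11'], 'page1.html')."""
    head, name = os.path.split(path)
    head = head.strip("/")
    return (head.split("/") if head else []), name

def path_distance(d1, d2):
    """Number of directory positions at which the two paths differ."""
    return sum(1 for x, y in zip_longest(d1, d2) if x != y)

def group_paths(paths, alpha=ALPHA, beta=BETA):
    """Greedy grouping: a path joins the first group whose representative (its
    first member) is within alpha on filename and beta on directories."""
    groups = []
    for p in paths:
        dirs, name = split_path(p)
        for g in groups:
            rdirs, rname = split_path(g[0])
            if levenshtein(name, rname) <= alpha and path_distance(dirs, rdirs) <= beta:
                g.append(p)
                break
        else:
            groups.append([p])
    return groups

def make_template(group):
    """Directories that vary become '*'; the filename keeps its common prefix + '*'."""
    parts = [split_path(p) for p in group]
    dir_segs = ["*" if len(set(col)) > 1 else col[0]
                for col in zip_longest(*(d for d, _ in parts))]
    names = [n for _, n in parts]
    name_seg = names[0] if len(set(names)) == 1 else os.path.commonprefix(names) + "*"
    return "/" + "/".join(dir_segs + [name_seg])

def template_regex(template):
    """Turn '/Cache/*/page*' into a regex whose '*' matches within one path segment."""
    return re.compile("^" + "[^/]*".join(re.escape(s) for s in template.split("*")) + "$")

def apply_templates(events, templates):
    """Rewrite matching paths to their template and coalesce runs of identical
    rewritten events into one record with a count. A path matching no template
    stays verbatim, which is how unusual IO survives the reduction."""
    compiled = [(t, template_regex(t)) for t in templates]
    out = []
    for proc, op, path in events:
        for t, rx in compiled:
            if rx.match(path):
                path = t
                break
        if out and out[-1][:3] == (proc, op, path):
            out[-1] = (proc, op, path, out[-1][3] + 1)
        else:
            out.append((proc, op, path, 1))
    return out

GROUPS = group_paths(FIREFOX_PATHS)
TEMPLATES = [make_template(g) for g in GROUPS]

if __name__ == "__main__":
    print(TEMPLATES)
    for rec in apply_templates(EVENTS, TEMPLATES):
        print(rec)
```

With these thresholds the nine paths fall into exactly the slide's three groups and yield its three templates; the lib vs. lib64 split is decided by the filename distance (libc.so.1 to libQt3t.so.1 is 4 edits, above α), since their directory distance of 1 is within β. The ten constructed events reduce to four records, and the one write that matches no template is kept unchanged.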
Properties
● Only reduces repetitive local file IO
● IO is only ever approximated
LogApprox can achieve high reduction rates while preserving anomalous behavior!
Evaluation against Exemplar Reduction Techniques
Causality-Preserving Reduction by Xu et al.
LogGC by Lee et al.
Full and Source Dependence Preserving Reduction by Hossain et al.
Details of each algorithm in the paper! (and within their respectively published papers!)
Forensic Evaluation
Curated set of real-world vulnerabilities and exploits:
● unrealircd [1]: IRC Server
● vsftpd [2]: FTP Server
● webmin [3]: System Configuration Tool
● Wordpress [4]: Content Management System
● PHP Webshell [5]: Generic Web Server
● Firefox [6]: Web Browser
[1] Exploit-DB. 2010. UnrealIRCd 3.2.8.1 - Backdoor Command Execution.
[2] Exploit-DB. 2010. UnrealIRCd 3.2.8.1 - Backdoor Command Execution.
[3] Exploit-DB. 2019. Webmin 1.920 - Unauthenticated Remote Code Execution.
[4] Rapid7. 2018. WordPress Admin Shell Upload.
[5] MITRE. Server Software Component: Web Shell. Retrieved from https://attack.mitre.org/techniques/T1505/003/, 2019.
[6] A. D. Keromytis, "Transparent computing engagement 3 data," https://github.com/darpa-i2o/Transparent-Computing, 2018.
Results (charts not reproduced in the transcript)
Lossless Forensics
Causality-Preserving Forensics (all information flow)
Attack-Preserving Forensics (uniquely malicious information flow)
Takeaways
Validity of reduced logs should not be based on anecdotal studies
● Depends on task and threat model
● Providing a continuous metric for arbitrary queries is a step in the right direction
Reduction techniques can be tailored to specific tasks and threats
● Tasks: Source and Full Dependency Preserving
● Threat Models: LogApprox
Thank You!