File: MICHAEL-THESIS-2020.pdf (application/pdf, 883 kB; restricted to U of Illinois)
Title: On the forensic validity of approximated audit logs
Author(s): Michael, Noor Sultan
Advisor(s): Bates, Adam
Department / Program: Computer Science
Discipline: Computer Science
Degree Granting Institution: University of Illinois at Urbana-Champaign
Subject(s): Intrusion Detection Systems; Data Provenance; Digital Forensics
Abstract: Auditing is an increasingly essential tool for the defense of computing systems, but the unwieldy nature of log data imposes tremendous burdens on administrators and analysts. To address this issue, a variety of techniques have been proposed for approximating the contents of raw audit logs, facilitating efficient storage and analysis. However, the security value of these approximated logs is difficult to measure: relative to the original log, it is unclear whether these techniques retain the forensic evidence needed to effectively investigate threats. Unfortunately, prior work has only been able to investigate this issue anecdotally, demonstrating that sufficient evidence is retained for specific attack scenarios. In this work, we address this gap in the literature by formalizing metrics for quantifying the forensic validity of an approximated audit log under differing threat models. In addition to providing quantifiable security arguments for prior work, we also identify a novel point in the approximation design space: log events describing benign system activity can be aggressively approximated, while events that encode anomalous behavior should be preserved with lossless fidelity. We instantiate this notion of Attack-Preserving forensic validity in Approx, a new approximation technique that eliminates the redundancy of voluminous file I/O associated with benign process activities. We systematically evaluate Approx alongside a corpus of exemplar approximation techniques from prior work. We demonstrate that, while Approx enjoys comparable log reduction rates, it is able to retain 100% of attack-associated log events; in contrast, we make the surprising discovery that prior approaches for log approximation retain as little as 7.3% of forensic evidence under the Attack-Preserving metric. This work thus establishes trustworthy foundations for the design of the next generation of efficient auditing frameworks.
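The abstract contrasts a log's reduction rate with the fraction of attack-associated events it retains. The following toy model, added here and not the thesis's Approx implementation, makes that distinction concrete: a constructed audit log, a label-blind reduction that collapses every repeated file-I/O tuple, and a variant that exempts processes already judged anomalous. The event schema, the attack labels, the set of anomalous PIDs (assumed to come from some detector) and both reduction strategies are assumptions for illustration only.

```python
"""Toy model of the Attack-Preserving forensic validity metric.

Added illustration, not the thesis's Approx code. The audit events, the
attack labels and both approximation strategies are constructed.
"""
from dataclasses import dataclass

FILE_IO = {"read", "write"}  # syscalls treated as collapsible file I/O


@dataclass(frozen=True)
class Event:
    pid: int        # acting process
    syscall: str    # read / write / execve / connect
    target: str     # file path or remote endpoint
    attack: bool    # constructed ground truth: event belongs to the attack


def _repeat(pid, syscall, target, attack, n):
    return [Event(pid, syscall, target, attack) for _ in range(n)]


# Constructed raw log: a chatty benign backup daemon (pid 100) and a
# short intrusion (pid 200) whose file I/O is also repetitive.
RAW_LOG = (
    _repeat(100, "read", "/data/db.sqlite", False, 50)
    + _repeat(100, "write", "/backup/db.bak", False, 50)
    + [Event(200, "execve", "/tmp/x", True)]
    + _repeat(200, "read", "/etc/shadow", True, 3)
    + _repeat(200, "write", "/tmp/exfil", True, 3)
    + [Event(200, "connect", "10.0.0.5:443", True)]
)
ANOMALOUS_PIDS = {200}  # assumed output of some anomaly detector


def collapse_file_io(events, skip_pids=frozenset()):
    """Keep the first occurrence of each (pid, syscall, target) file-I/O
    tuple and drop later repeats; processes in skip_pids are never collapsed.
    With skip_pids empty this is a label-blind reduction; with the anomalous
    processes listed, their events are kept losslessly."""
    seen = set()
    kept = []
    for e in events:
        key = (e.pid, e.syscall, e.target)
        if e.syscall in FILE_IO and e.pid not in skip_pids and key in seen:
            continue
        seen.add(key)
        kept.append(e)
    return kept


def reduction_rate(original, approximated):
    """Fraction of events the approximation removed."""
    return 1.0 - len(approximated) / len(original)


def attack_preserving_validity(original, approximated):
    """Fraction of attack-associated events that survive approximation.
    `approximated` is assumed to be a sub-multiset of `original`."""
    total = sum(1 for e in original if e.attack)
    kept = sum(1 for e in approximated if e.attack)
    return kept / total if total else 1.0


def compare():
    """Score the label-blind baseline against the attack-preserving variant.
    Returns {name: (reduction_rate, attack_preserving_validity)}."""
    baseline = collapse_file_io(RAW_LOG)
    preserving = collapse_file_io(RAW_LOG, ANOMALOUS_PIDS)
    return {
        "baseline": (reduction_rate(RAW_LOG, baseline),
                     attack_preserving_validity(RAW_LOG, baseline)),
        "attack_preserving": (reduction_rate(RAW_LOG, preserving),
                              attack_preserving_validity(RAW_LOG, preserving)),
    }


if __name__ == "__main__":
    for name, (red, val) in compare().items():
        print(f"{name:18s} reduction={red:.1%} attack events retained={val:.1%}")
```

Both strategies shrink the 108-event log by more than 90%, yet the label-blind baseline silently discards half of the attack events (the repeated reads of /etc/shadow and writes to the staging file), which is exactly the loss the reduction rate alone cannot reveal.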
Issue Date: 2020-05-13
Rights Information: Copyright 2020 Noor Michael
Date Available in IDEALS: 2020-08-26
Date Deposited: 2020-05