Kellect: A Kernel-based efficient and lossless event log collector for windows security

Abstract

Recently, APT attacks have frequently happened, which are increasingly complicated. Research on dynamic detection and tracing of APT via audit logs has been widely of concern. For Windows, ETW(events tracing for Windows) is a well-known built-in kernel-level logs collection framework. However, existing log collection tools built on ETW suffer from working shortages, including data loss, high overhead, and weak real-time performance. Therefore, It is still challenging to directly apply ETW-based Windows tools to analyze APT attack scenarios. To address these challenges, this paper proposes an efficient and lossless kernel log collector based on ETW called Kellect. The collector dynamically optimizes the number of cache and processing threads through a multi-level cache for lossless collecting and significantly enhances analysis performance by replacing the native TDH library with a sliding pointer. Furthermore, Kellect enhances log semantics understanding by maintaining event mappings and application callstacks which provide more comprehensive characteristics for security event behavior analysis. Additionally, Kellect has compatibility with different OS versions.

With plenty of experiments, Kellect demonstrates its capability to achieve non-destructive, real-time, and full collection of kernel log data generated from events with a comprehensive efficiency of 9 times greater than existing tools. It only takes extra CPU usage with approximately 2%–3% and about 40MB memory consumption. As a killer illustration to show how Kellect can work for APT, full data logs have been collected as a dataset Kellect4APT, generated by implementing diversity TTPs from the latest ATT&CK. To our best knowledge, it is the first open benchmark dataset representing ATT&CK technique-specific behaviors, which could be highly expected to improve more extensive research on APT studies.