Kellect:一个基于内核的高效无损事件日志收集器,用于windows安全

IF 6.8 2区 计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Computers & Security Pub Date : 2025-03-01 Epub Date: 2024-12-05 DOI:10.1016/j.cose.2024.104203
Tieming Chen, Qijie Song, Tiantian Zhu, Xuebo Qiu, Zhiling Zhu, Mingqi Lv
{"title":"Kellect:一个基于内核的高效无损事件日志收集器,用于windows安全","authors":"Tieming Chen,&nbsp;Qijie Song,&nbsp;Tiantian Zhu,&nbsp;Xuebo Qiu,&nbsp;Zhiling Zhu,&nbsp;Mingqi Lv","doi":"10.1016/j.cose.2024.104203","DOIUrl":null,"url":null,"abstract":"<div><div>Recently, APT attacks have frequently happened, which are increasingly complicated. Research on dynamic detection and tracing of APT via audit logs has been widely of concern. For Windows, ETW(events tracing for Windows) is a well-known built-in kernel-level logs collection framework. However, existing log collection tools built on ETW suffer from working shortages, including data loss, high overhead, and weak real-time performance. Therefore, It is still challenging to directly apply ETW-based Windows tools to analyze APT attack scenarios. To address these challenges, this paper proposes an efficient and lossless kernel log collector based on ETW called Kellect. The collector dynamically optimizes the number of cache and processing threads through a multi-level cache for lossless collecting and significantly enhances analysis performance by replacing the native TDH library with a sliding pointer. Furthermore, Kellect enhances log semantics understanding by maintaining event mappings and application callstacks which provide more comprehensive characteristics for security event behavior analysis. Additionally, Kellect has compatibility with different OS versions.</div><div>With plenty of experiments, Kellect demonstrates its capability to achieve non-destructive, real-time, and full collection of kernel log data generated from events with a comprehensive efficiency of 9 times greater than existing tools. It only takes extra CPU usage with approximately 2%–3% and about 40MB memory consumption. As a killer illustration to show how Kellect can work for APT, full data logs have been collected as a dataset Kellect4APT, generated by implementing diversity TTPs from the latest ATT&amp;CK. To our best knowledge, it is the first open benchmark dataset representing ATT&amp;CK technique-specific behaviors, which could be highly expected to improve more extensive research on APT studies.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104203"},"PeriodicalIF":6.8000,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Kellect: A Kernel-based efficient and lossless event log collector for windows security\",\"authors\":\"Tieming Chen,&nbsp;Qijie Song,&nbsp;Tiantian Zhu,&nbsp;Xuebo Qiu,&nbsp;Zhiling Zhu,&nbsp;Mingqi Lv\",\"doi\":\"10.1016/j.cose.2024.104203\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Recently, APT attacks have frequently happened, which are increasingly complicated. Research on dynamic detection and tracing of APT via audit logs has been widely of concern. For Windows, ETW(events tracing for Windows) is a well-known built-in kernel-level logs collection framework. However, existing log collection tools built on ETW suffer from working shortages, including data loss, high overhead, and weak real-time performance. Therefore, It is still challenging to directly apply ETW-based Windows tools to analyze APT attack scenarios. To address these challenges, this paper proposes an efficient and lossless kernel log collector based on ETW called Kellect. The collector dynamically optimizes the number of cache and processing threads through a multi-level cache for lossless collecting and significantly enhances analysis performance by replacing the native TDH library with a sliding pointer. Furthermore, Kellect enhances log semantics understanding by maintaining event mappings and application callstacks which provide more comprehensive characteristics for security event behavior analysis. Additionally, Kellect has compatibility with different OS versions.</div><div>With plenty of experiments, Kellect demonstrates its capability to achieve non-destructive, real-time, and full collection of kernel log data generated from events with a comprehensive efficiency of 9 times greater than existing tools. It only takes extra CPU usage with approximately 2%–3% and about 40MB memory consumption. As a killer illustration to show how Kellect can work for APT, full data logs have been collected as a dataset Kellect4APT, generated by implementing diversity TTPs from the latest ATT&amp;CK. To our best knowledge, it is the first open benchmark dataset representing ATT&amp;CK technique-specific behaviors, which could be highly expected to improve more extensive research on APT studies.</div></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":\"150 \",\"pages\":\"Article 104203\"},\"PeriodicalIF\":6.8000,\"publicationDate\":\"2025-03-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S016740482400508X\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"2024/12/5 0:00:00\",\"PubModel\":\"Epub\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S016740482400508X","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"2024/12/5 0:00:00","PubModel":"Epub","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

近年来,APT攻击事件频频发生,攻击内容日趋复杂。利用审计日志对APT进行动态检测和跟踪的研究受到了广泛关注。对于Windows, ETW(Windows的事件跟踪)是一个众所周知的内置内核级日志收集框架。然而,基于ETW构建的现有日志收集工具存在工作不足的问题,包括数据丢失、高开销和较弱的实时性能。因此,直接使用基于etw的Windows工具对APT攻击场景进行分析仍然具有一定的挑战性。为了解决这些问题,本文提出了一种基于ETW的高效无损内核日志收集器Kellect。收集器通过多级缓存动态优化缓存和处理线程的数量,以实现无损收集,并通过使用滑动指针替换本机TDH库来显著提高分析性能。此外,Kellect通过维护事件映射和应用程序调用栈来增强对日志语义的理解,这些调用栈为安全事件行为分析提供了更全面的特征。此外,Kellect兼容不同的操作系统版本。通过大量的实验,Kellect证明了它能够实现从事件生成的内核日志数据的非破坏性、实时和完整的收集,其综合效率是现有工具的9倍。它只需要大约2%-3%的额外CPU使用和大约40MB的内存消耗。作为展示Kellect如何适用于APT的一个杀手级示例,完整的数据日志已被收集为数据集Kellect4APT,该数据集是通过从最新的ATT&;CK实现多样性ttp生成的。据我们所知,这是第一个公开的基准数据集,代表了ATT&;CK技术特定的行为,它可以被高度期望改善更广泛的APT研究。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
Kellect: A Kernel-based efficient and lossless event log collector for windows security
Recently, APT attacks have frequently happened, which are increasingly complicated. Research on dynamic detection and tracing of APT via audit logs has been widely of concern. For Windows, ETW(events tracing for Windows) is a well-known built-in kernel-level logs collection framework. However, existing log collection tools built on ETW suffer from working shortages, including data loss, high overhead, and weak real-time performance. Therefore, It is still challenging to directly apply ETW-based Windows tools to analyze APT attack scenarios. To address these challenges, this paper proposes an efficient and lossless kernel log collector based on ETW called Kellect. The collector dynamically optimizes the number of cache and processing threads through a multi-level cache for lossless collecting and significantly enhances analysis performance by replacing the native TDH library with a sliding pointer. Furthermore, Kellect enhances log semantics understanding by maintaining event mappings and application callstacks which provide more comprehensive characteristics for security event behavior analysis. Additionally, Kellect has compatibility with different OS versions.
With plenty of experiments, Kellect demonstrates its capability to achieve non-destructive, real-time, and full collection of kernel log data generated from events with a comprehensive efficiency of 9 times greater than existing tools. It only takes extra CPU usage with approximately 2%–3% and about 40MB memory consumption. As a killer illustration to show how Kellect can work for APT, full data logs have been collected as a dataset Kellect4APT, generated by implementing diversity TTPs from the latest ATT&CK. To our best knowledge, it is the first open benchmark dataset representing ATT&CK technique-specific behaviors, which could be highly expected to improve more extensive research on APT studies.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Computers & Security
Computers & Security 工程技术-计算机:信息系统
CiteScore
12.40
自引率
7.10%
发文量
365
审稿时长
10.7 months
期刊介绍: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.
期刊最新文献
A Multi-Frequency Temporal Spatio-Transformer for adversarially robust IoT intrusion detection Debapt: Ontology-driven multi-agent debate for APT adversary profile construction from cyber threat intelligence CoolTest: Randomness test suited for small data volumes ODHD: On-Demand Helper Data generation for reliable NVM-free key derivation from SRAM PUF From Systematic Threat Search to pentesting: Industrial Control Systems threat models
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1