As an essential element of log analysis, system kernel-based events can be employed effectively in hybrid computing environments spanning cloud, edge, and endpoint for intelligent threat detection. However, the massiveness, heterogeneity, and semantic redundancy of these events have become the biggest challenges in event-based security analysis. Unfortunately, no comprehensive tool exists to collect and analyze kernel logs for the widely used Windows OS. This paper proposes a kernel-based event log collector named Kellect, a multi-threaded tool built on ETW (Event Tracing for Windows). Kellect provides highly compressed yet most valuable kernel event data for general-purpose software anomaly detection. Real-world experimental results show that Kellect collects kernel event logs generated by FileIO, Process, Thread, Image, Registry, and Network providers efficiently and losslessly. Its overall performance is three times higher than that of existing tools, its CPU cost stays at around 1%, and its memory consumption is less than 50MB. As an important application case, the data collected by Kellect is shown to be usable for building a suitable APT detection model once it is transformed into provenance graphs with complete semantics. Finally, large-scale experiments covering the full set of ATT&CK techniques are conducted, and the complete relevant log dataset is collected with Kellect. To the best of our knowledge, it is the first precise and public benchmark dataset for kernel event-based APT detection.
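As an added illustration (not Kellect's own code), the following Python sketch shows the transformation the abstract describes: a flat stream of constructed ETW-style kernel events is folded into a provenance graph, and repeated (subject, operation, object) triples are merged into one counted edge to remove semantic redundancy. The event field names, the provider-to-object mapping, and the sample values are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample events in the shape an ETW-based kernel collector
# might emit (provider, pid, op, target). Not real Kellect output.
SAMPLE_EVENTS = [
    {"provider": "Process",  "pid": 4000, "parent": 1200, "op": "Start",    "target": "app.exe"},
    {"provider": "FileIO",   "pid": 4000, "op": "Read",     "target": r"C:\data\report.docx"},
    {"provider": "FileIO",   "pid": 4000, "op": "Read",     "target": r"C:\data\report.docx"},
    {"provider": "FileIO",   "pid": 4000, "op": "Read",     "target": r"C:\data\report.docx"},
    {"provider": "Registry", "pid": 4000, "op": "SetValue", "target": r"HKCU\Software\App\Mode"},
    {"provider": "Network",  "pid": 4000, "op": "Connect",  "target": "198.51.100.7:443"},
    {"provider": "Network",  "pid": 4000, "op": "Connect",  "target": "198.51.100.7:443"},
]

# Assumed mapping from ETW provider to the kind of object its events act on.
OBJECT_TYPE = {"FileIO": "File", "Registry": "Key", "Network": "Socket", "Process": "Process"}


@dataclass
class ProvenanceGraph:
    nodes: set = field(default_factory=set)          # (type, identity)
    edges: Counter = field(default_factory=Counter)  # (src, dst, op) -> repeat count


def build_provenance_graph(events):
    """Fold a flat event stream into a provenance graph, collapsing
    semantically redundant repeats of the same (subject, op, object) edge."""
    g = ProvenanceGraph()
    for ev in events:
        if ev["provider"] == "Process":
            # Process Start: the parent process acts on the newly created child.
            subject = ("Process", ev["parent"])
            obj = ("Process", ev["pid"])
        else:
            subject = ("Process", ev["pid"])
            obj = (OBJECT_TYPE[ev["provider"]], ev["target"])
        g.nodes.update((subject, obj))
        g.edges[(subject, obj, ev["op"])] += 1
    return g


def reduction_ratio(events, graph):
    """Raw events per stored edge: how much redundancy the merge removed."""
    return len(events) / len(graph.edges)


if __name__ == "__main__":
    g = build_provenance_graph(SAMPLE_EVENTS)
    for (src, dst, op), n in g.edges.items():
        print(f"{src} -{op}(x{n})-> {dst}")
    print("events per edge:", reduction_ratio(SAMPLE_EVENTS, g))
```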