A Model for Illegal File Access Tracking Using Windows Logs and Elastic Stack

  • Received : 2020.03.23
  • Accepted : 2020.06.25
  • Published : 2021.08.31

Abstract

The process of manually tracking suspicious behavior on a system and gathering evidence is labor-intensive, variable, and experience-dependent. System logs are the most important source of evidence in this process. However, in the Microsoft Windows operating system, action events are irregular and the log structure is difficult to audit. In this paper, we propose a model that overcomes these problems and analyzes Microsoft Windows logs efficiently. The proposed model extracts lists of both common and key events from the Microsoft Windows logs to determine detailed actions. In addition, we show an approach based on the proposed model applied to tracking illegal file access. The proposed approach employs three-step tracking templates using Elastic Stack together with key-event, common-event, and identify-event lists, which enable visualization of the data for analysis. Using the three-step model, analysts can adjust the depth of their analysis.

Acknowledgement

This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (No. NRF-2017R1D1A3B03032637).
