Cross-Platform File System Activity Monitoring
and Forensics - A Semantic Approach
Kabul Kurniawan, Andreas Ekelhart
Fajar Ekaputra, Elmar Kiesling
This work was sponsored by the Austrian Science Fund (FWF) and netidee SCIENCE under grant P30437-N31, and the COMET K1 program by the Austrian Research Promotion Agency.
Motivation
• Increasing collection of sensitive data
• The number and size of data breaches have been on the rise
  • 4.1 billion records in the first half of 2019 (Verizon)
  • USD 3.86 million average total cost/incident in 2020 (IBM)
• Sophisticated attack tactics/techniques
  • Exfiltration of sensitive data is often difficult to detect
  • 280 days on average to identify and contain a breach (IBM)
[Figure: threat actors, external and insider]
Challenges in Log Analysis
Cross-Platform File System Activity Monitoring and Forensics - A Semantic Approach. Kabul Kurniawan 3
[Figure: dispersed ICT asset information and dispersed cybersecurity information]
Manually searching log data and comparing related information to understand attack/event chains is a tedious and time-consuming process!
Log Data Heterogeneity
• Syntactic heterogeneity
• Semantic heterogeneity
• Inconsistent identifiers
[Figure: heterogeneous log sources, e.g. Windows Eventlog, Firewall log, Linux Authlog, Syslog]
State of the Art
• File Activity Monitoring
  • Statistical analysis to identify anomalies (Hu Y., 2011)
  • Policy-based OS call provenance for data leakage detection (Awad, 2016)
  • OS kernel provenance to detect exfiltration from a database (Daren, 2019)
  • Deep learning model to predict insider threats (Bhavsar, 2018)
• File System Ontologies & Semantic Approaches for File Monitoring
  • TripFS: file exploration framework based on linked data using the NEPOMUK File Ontology (Schand, 2010), VDB-FilePub (Shen, 2011), Semantic File System (SFS) (Mashwani, 2018)
• Existing Tools & SIEMs: commercial tools, e.g. SolarWinds, PA File Insight, STEALTHbits File Activity Monitor, and Decision File Audit; SIEMs, e.g. LogDNA, Splunk, ElasticSearch
Research Gaps:
• Mainly focus on regular expressions, rule-based classification, statistical log analysis, etc.
• Lack of interoperability, contextualization and linking to cybersecurity information.
• Existing tools provide simple alerting upon suspicious activity.
• Existing SIEMs do not specifically tackle the problem of file activity tracking.
Semantic Web Technologies
[Figure: properties of Semantic Web technologies: standards-based (SPARQL, RDF, JSON-LD), graph-based, flexible querying, flexible schemas, context-rich representation, terminological clarity, explicit semantics, reasoning, integration, "machine-readability", decentralization, alignment, linking, federation, reconciliation, sharing]
Potential solution for the security domain, addressing the current gaps in file activity monitoring & forensics:
• Flexible schema for unstructured and semi-structured log data (XML, JSON, CSV, etc.)
• Semantic integration of heterogeneous security-related data (Windows log, Linux audit log, etc.)
• Contextualization and linking to external & internal background knowledge (IT assets, cybersecurity information, etc.)
• Stream reasoning over security-related log data (e.g. for real-time file activity monitoring)
• Standard query language for log analysis & forensics
Proposed Approach
1. Conceptual Modelling: RDF/OWL ontology
  • Vocabulary (e.g. low-level Log Ontology, Event Ontology, etc.)
  • Background knowledge (e.g. IT assets, cybersecurity information)
2. Semantic Log Processing
  • Log acquisition and extraction
  • Log transformation (i.e. RDF mapping)
  • Event extraction & linking
3. Semantic Log Analysis and Monitoring
  • Event monitoring via semantic continuous querying over log streams
  • Log analysis and forensics through SPARQL queries
Conceptual Modelling: Ontology Construction
Bottom-up approach (figure): low-level information from log sources (e.g. Windows, Linux) is the input and is modelled in a Log Entry Ontology (e.g. Windows, Linux Log Ontology); the File Operation/Access Event Ontology describes the high-level events that form the output.
Conceptual Modelling: Log Entry & File Access Ontology
[Figure: Windows Log Ontology, Linux Log Ontology and File Access Ontology]
System Architecture
[Figure: system architecture]
Semantic Log Processing: Log Acquisition & Extraction
Raw log data (example):
Apr 9 09:37:47 kabul-VirtualBox systemd[1]: Mounted Huge Pages File System.
Extracted log data (example):
{
  "timestamp": "2018-04-09T07:37:47.000Z",
  "message": "Mounted Huge Pages File System",
  "program": "systemd",
  "host": "kabul-VirtualBox",
  "pid": "1",
  …
}
[Figure: raw log data → extracted log data]
Semantic Log Processing: Extracted File Access Events in JSON
[Figure: example JSON events for the access types Created, Modified, Renamed, Copied and Deleted]
Semantic Log Processing: RDF Mapping
Extracted log data (JSON), example:
{
  "timestamp": "2018-04-09T07:37:47.000Z",
  "message": "Mounted Huge Pages File System",
  "program": "systemd",
  "host": "kabul-VirtualBox",
  "pid": "1",
  …
}
Log data in RDF / JSON-LD, after mapping and enrichment:
{
  "@context": "http://w3id.orgt/contexts/syslog.jsonld",
  "logMessage": "Mounted Huge Pages File System",
  "timestamp": "2018-04-09T07:37:47.000Z",
  "hasProcessId": "1",
  "hasSeverity": {
    "severityName": "notice",
    "severityCode": "5"
  },
  "@type": "http://w3id.org/sepses/vocab/log/sysLog#SysLogEntry",
  "hasLogType": "http://example.org/system#syslog",
  "@id": "http://example.org/logEntry#logEntry-befd-abc",
  "hasProgram": {
    "programName": "systemd"
  },
  "logFilePath": "/var/log/syslog",
  "input": {
    "type": "log"
  },
  "originatesFrom": {
    "hostName": "kabul-VirtualBox"
  }
}
[Figure: extracted log data is mapped to RDF with a standard mapping language and log vocabularies, then enriched]
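The two slides above show the extraction step (raw syslog line to JSON) and the mapping step (JSON to JSON-LD) only as before/after snapshots. The following is an added example, not code from the slides or from the authors' fileAccessExtractor project, that performs both steps for the slide's sample line. It assumes the year 2018 (BSD-style syslog lines carry no year), a host clock at UTC+02:00 (which turns the slide's 09:37:47 into 07:37:47Z), a severity code passed in by the caller (the slide's "notice"/5), and a constructed `@id` suffix; the vocabulary IRIs are the ones printed on the slide.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed input: the raw syslog line from the slide.
RAW_LINE = "Apr 9 09:37:47 kabul-VirtualBox systemd[1]: Mounted Huge Pages File System."

# BSD-style syslog line: "<Mon> <day> <HH:MM:SS> <host> <program>[<pid>]: <message>"
# (the [pid] part is optional, e.g. for kernel messages).
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Syslog severity codes (RFC 5424); the slide's example carries "notice" = 5.
SEVERITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}

LOG_VOCAB = "http://w3id.org/sepses/vocab/log/sysLog#"   # vocabulary IRI from the slide


def extract(line, year=2018, utc_offset_hours=2):
    """Step 1: raw syslog line -> the flat 'extracted log data' dict of the slide.

    Assumptions (not in the line itself): the year and the host's UTC offset.
    """
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a BSD-syslog line: {line!r}")
    local = datetime.strptime(
        f"{year} {m['mon']} {int(m['day']):02d} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    utc = local.astimezone(timezone.utc)
    return {
        "timestamp": utc.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "message": m["msg"].rstrip("."),   # the slide drops the trailing period
        "program": m["prog"],
        "host": m["host"],
        "pid": m["pid"] or "",
    }


def to_jsonld(entry, severity_code=5, log_file_path="/var/log/syslog",
              entry_id="logEntry-befd-abc"):
    """Step 2: extracted dict -> JSON-LD document shaped like the slide's RDF output.

    severity_code, log_file_path and entry_id are enrichment values the mapping
    step adds; here they are parameters with the slide's values as defaults.
    """
    return {
        "@context": "http://w3id.orgt/contexts/syslog.jsonld",   # as printed on the slide
        "@id": f"http://example.org/logEntry#{entry_id}",
        "@type": LOG_VOCAB + "SysLogEntry",
        "hasLogType": "http://example.org/system#syslog",
        "logMessage": entry["message"],
        "timestamp": entry["timestamp"],
        "hasProcessId": entry["pid"],
        "hasSeverity": {"severityName": SEVERITY_NAMES[severity_code],
                        "severityCode": str(severity_code)},
        "hasProgram": {"programName": entry["program"]},
        "originatesFrom": {"hostName": entry["host"]},
        "logFilePath": log_file_path,
        "input": {"type": "log"},
    }


if __name__ == "__main__":
    print(json.dumps(to_jsonld(extract(RAW_LINE)), indent=2))
```

Rejecting lines that do not match the pattern (rather than emitting a half-filled record) is deliberate: a log entry that silently loses its host or program field can no longer be linked to the asset knowledge the later slides depend on.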
Semantic Log Processing: (High-level) Event Extraction
Example SPARQL CONSTRUCT query for event extraction (Rename):
PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
…
CONSTRUCT {
  ?subject fae:hasFileAccessType sys:Renamed ;
           rdf:type fae:FileAccessEvent ;
           fae:timestamp ?logtimestamp ;
           fae:hasSourceFile ?sourceFile ;
           fae:hasTargetFile ?targetFile ;
           fae:hasSourceHost ?sourceHost ;
           fae:hasTargetHost ?targetHost ;
           fae:hasUser ?user .
  ?sourceFile fae:fileName ?filename .
  ?targetFile fae:fileName ?filename2 .
  ?sourceHost fae:hostName ?hostname .
  ?targetHost fae:hostName ?hostname2 .
  ?user fae:userName ?username .
}
WHERE {
  ?s file:pathName ?filename2 .
  ?s file:hostName ?hostname2 .
  ?s file:timestamp ?logtimestamp .
  ?s file:userName ?username .
  ?s file:eventName ?event2 .
  {
    SELECT * WHERE {
      ?r file:pathName ?filename .
      ?r file:hostName ?hostname .
      ?r file:timestamp ?logtimestamp2 .
      ?r file:eventName ?event
      FILTER regex(str(?event), "moved")
    }
  }
  FILTER (regex(str(?event2), "created") && ?filename != ?filename2 && ?hostname = ?hostname2)
  BIND (URI(CONCAT(REPLACE(str(?s), "LogEntry", "event"), "-renamed")) AS ?subject)
  BIND (URI(CONCAT(REPLACE(str(?s), "LogEntry", "source-file"), "-renamed")) AS ?sourceFile)
  BIND (URI(CONCAT(REPLACE(str(?s), "LogEntry", "target-file"), "-renamed")) AS ?targetFile)
  BIND (URI(CONCAT(REPLACE(str(?s), "LogEntry", "source-host"), "-renamed")) AS ?sourceHost)
  BIND (URI(CONCAT(REPLACE(str(?s), "LogEntry", "target-host"), "-renamed")) AS ?targetHost)
  BIND (URI(CONCAT(REPLACE(str(?s), "LogEntry", "user"), "-renamed")) AS ?user)
}
[Figure: query result]
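The CONSTRUCT query above derives one high-level "Renamed" event from two low-level records: a "moved" entry and a "created" entry on the same host with different path names, with the new IRIs built by rewriting the created entry's IRI. The following is an added example, not code from the slides or the authors' project, that does the same correlation in plain Python over constructed event records shaped like the extracted file-access JSON. The `fae:` and `sys:` namespace IRIs are assumptions (the slide elides its PREFIX lines). It goes one step beyond the query: by default it also requires the "created" event to fall within `max_gap_seconds` after the "moved" event, because the query as written joins every moved event with every later-or-earlier created event on the host; passing `max_gap_seconds=None` reproduces the query's own behaviour.

```python
from datetime import datetime

FAE = "http://w3id.org/sepses/vocab/event/file-access#"   # assumed IRI for the fae: prefix
SYS = "http://example.org/system#"                         # assumed IRI for the sys: prefix


def _ts(s):
    """Parse the timestamp format used by the extracted events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.000Z")


def _iri(log_entry_iri, role):
    """Mirror of BIND(URI(CONCAT(REPLACE(str(?s), "LogEntry", role), "-renamed")))."""
    return log_entry_iri.replace("LogEntry", role) + "-renamed"


def extract_renamed(events, max_gap_seconds=2):
    """Pair 'moved' with 'created' records on the same host (different path) into
    Renamed events. max_gap_seconds=None disables the added time constraint."""
    moved = [e for e in events if "moved" in e["eventName"]]      # ?r in the subselect
    created = [e for e in events if "created" in e["eventName"]]  # ?s in the outer pattern
    renamed = []
    for c in created:
        for m in moved:
            # FILTER (... && ?filename != ?filename2 && ?hostname = ?hostname2)
            if m["hostName"] != c["hostName"] or m["pathName"] == c["pathName"]:
                continue
            # Added constraint, not in the original query: the create must follow
            # the move closely, otherwise unrelated events on a busy host get paired.
            if max_gap_seconds is not None:
                gap = (_ts(c["timestamp"]) - _ts(m["timestamp"])).total_seconds()
                if not 0 <= gap <= max_gap_seconds:
                    continue
            renamed.append({
                "@id": _iri(c["@id"], "event"),
                "@type": FAE + "FileAccessEvent",
                "hasFileAccessType": SYS + "Renamed",
                "timestamp": c["timestamp"],                 # ?logtimestamp comes from ?s
                "hasSourceFile": {"@id": _iri(c["@id"], "source-file"), "fileName": m["pathName"]},
                "hasTargetFile": {"@id": _iri(c["@id"], "target-file"), "fileName": c["pathName"]},
                "hasSourceHost": {"@id": _iri(c["@id"], "source-host"), "hostName": m["hostName"]},
                "hasTargetHost": {"@id": _iri(c["@id"], "target-host"), "hostName": c["hostName"]},
                "hasUser": {"@id": _iri(c["@id"], "user"), "userName": c["userName"]},
            })
    return renamed


# Constructed sample input: four low-level file events from two hosts.
SAMPLE_EVENTS = [
    {"@id": "http://example.org/LogEntry-101", "eventName": "moved",
     "pathName": "/srv/share/plan.docx", "hostName": "fileserver",
     "userName": "alice", "timestamp": "2018-04-09T07:40:00.000Z"},
    {"@id": "http://example.org/LogEntry-102", "eventName": "created",
     "pathName": "/srv/share/plan-final.docx", "hostName": "fileserver",
     "userName": "alice", "timestamp": "2018-04-09T07:40:01.000Z"},
    {"@id": "http://example.org/LogEntry-103", "eventName": "created",
     "pathName": "/home/bob/notes.txt", "hostName": "workstation",
     "userName": "bob", "timestamp": "2018-04-09T07:40:01.000Z"},
    {"@id": "http://example.org/LogEntry-104", "eventName": "created",
     "pathName": "/srv/share/other.txt", "hostName": "fileserver",
     "userName": "alice", "timestamp": "2018-04-09T09:00:00.000Z"},
]

if __name__ == "__main__":
    for ev in extract_renamed(SAMPLE_EVENTS):
        print(ev["@id"], ev["hasSourceFile"]["fileName"], "->", ev["hasTargetFile"]["fileName"])
```

With the default window only LogEntry-102 is paired with the move; with the window disabled, LogEntry-104 (an unrelated file created over an hour later on the same host) is also reported as a rename, which is the kind of spurious correlation a forensic analyst would have to filter out by hand.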
Semantic Log Processing: File Access Activity Visualization
[Figure: event graph of the generated RDF file access events, and file life-cycle visualization]
Prototype implementation: https://github.com/kabulkurniawan/fileAccessExtractor
Use-Case 1: Log Forensics (File Access History)
Scenario: [figure: an analyst investigating a file server (Linux) and a workstation (Windows)]
Goals:
• Improve situational awareness
• Correlate event sequences
Query evaluation: [figure: query, result in table form, and graph visualization]
Use-Case 2: Log Monitoring (Sensitive Data on Vulnerable Hosts)
Scenario: [figure: an analyst using a cybersecurity knowledge base and internal background knowledge]
Goals:
• Improve situational awareness
• Detect malicious activities
• Reduce false positives
Query evaluation: [figure: query and result]
Evaluation
Setup:
• C-Sprite as event extraction engine (3 s sliding time window, evaluated every 1 s)
• Java-based event generator for random file activities (weighted random choices)
• Average times over five runs reported for each experiment
Results: [figure]
Conclusions
• We tackled current challenges in file activity monitoring and analysis (interoperability, contextualization and uniform querying) with Semantic Web technologies.
• We introduced a set of vocabularies.
• We developed a prototype and illustrated how to monitor file system activities, trace file life-cycles, and enrich them with information to understand their context (e.g., internal and external background knowledge).
• We demonstrated the applicability of the approach in two scenarios in virtual environments.
• The results of our evaluation indicate that the approach can effectively extract and link micro-level operations of multiple operating systems and consolidate them in an integrated stream of semantically explicit file activity.
Future work
• We aim to address the accuracy and scalability limitations of the current approach.
• We will investigate the integration of our approach into existing standards (e.g., STIX and CASE) to increase interoperability for forensic investigation.
Thank you
Kabul Kurniawan
Kabul.kurniawan@tuwien.ac.at
twitter: kabulkurniawan
Backup Slides
Semantic Log Processing – RDF Mapping
RML mapping (excerpt):
@prefix rr:  <http://www.w3.org/ns/r2rml#> .
@prefix rml: <http://semweb.mmlab.be/ns/rml#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix cl:  <http://w3id.org/sepses/vocab/log/core#> .
@prefix le:  <http://w3id.org/sepses/vocab/log/linux-event#> .

:LogEntryMap a rr:TriplesMap ;
  rml:logicalSource [
    rml:root true ;
    rml:source "jdbc coso" ] ;
  rr:subjectMap [ rr:template "http://w3id.org/sepses/resource/linux-event#LogEntry-{id}" ] ;
  rr:predicateObjectMap [ rr:predicate rdf:type ;     rr:objectMap [ rr:template "http://w3id.org/..t#LinuxEventLogEntry" ] ] ;
  rr:predicateObjectMap [ rr:predicate cl:timestamp ; rr:objectMap [ rr:template "{@timestamp}" ] ] ;
  rr:predicateObjectMap [ rr:predicate cl:message ;   rr:objectMap [ rr:template "{message}" ] ] ;
  rr:predicateObjectMap [ rr:predicate le:eventName ; rr:objectMap [ rr:template "{eventname}" ] ] ;
  ….
Conceptual Modelling – Background Knowledge
• Internal knowledge
  • System knowledge: captures organization-specific concepts and assets, e.g. hosts, users, network components, etc.
  • Event knowledge: event definitions and associated extraction patterns, e.g. authentication (login, logout), file access (created, copied, removed, etc.)
• External knowledge
  • Cybersecurity information: vulnerability information, weaknesses, indicators of compromise, common attack patterns, e.g. CVE, CVSS, CPE, CWE, CAPEC, etc.
Causal Linking of Security Events
[Figure: causal linking of security events]
State of the Art & Research Gaps
• File Activity Monitoring
  • Mainly focus on regular expressions, rule-based classification, anomaly detection, and statistical log analysis.
  • Focus on data exfiltration by insiders, resulting in a high number of false positives (Hu, 2011)
  • Policy-based operating system call provenance (Awad, 2016)
  • Lack of interoperability, contextualization and linking to cybersecurity information.
  • Limited to specific approaches, e.g. exfiltration from a database (Daren, 2019)
• File System Ontology
  • File exploration based on linked data principles using the NEPOMUK File Ontology (NFO)
  • NFS (Schand, 2010), VDB-FilePub (Shen, 2011), Semantic File System (SFS) (Mashwani, 2018)
• Semantic Approach for File Access Monitoring & Forensics
  • Mostly do not focus on file activity monitoring and life-cycle construction in particular.
  • Focus on text processing while file activity is not considered (Amato, 2018)
• Existing Tools & SIEMs
  • Provide simple alerting upon suspicious activity
  • e.g. SolarWinds Server and Application Monitor, ManageEngine DataSecurity Plus, PA File Insight, STEALTHbits File Activity Monitor, and Decision File Audit.
  • Existing SIEMs do not specifically tackle the problem of file activity tracking
  • e.g. LogDNA, Splunk, ElasticSearch
More Related Content

What's hot

What's hot (11)

Enabling Secure Data Discoverability (SC21 Tutorial)
Enabling Secure Data Discoverability (SC21 Tutorial)Enabling Secure Data Discoverability (SC21 Tutorial)
Enabling Secure Data Discoverability (SC21 Tutorial)
 
DataJournalism: How To get data and process them?
DataJournalism: How To get data and process them?DataJournalism: How To get data and process them?
DataJournalism: How To get data and process them?
 
Provenance as a building block for an open science infrastructure
Provenance as a building block for an open science infrastructureProvenance as a building block for an open science infrastructure
Provenance as a building block for an open science infrastructure
 
XDC demo: CTA
XDC demo: CTAXDC demo: CTA
XDC demo: CTA
 
An Empirical Evaluation of RDF Graph Partitioning Techniques
An Empirical Evaluation of RDF Graph Partitioning TechniquesAn Empirical Evaluation of RDF Graph Partitioning Techniques
An Empirical Evaluation of RDF Graph Partitioning Techniques
 
Globus: Enabling the Open Storage Network
Globus: Enabling the Open Storage NetworkGlobus: Enabling the Open Storage Network
Globus: Enabling the Open Storage Network
 
Intro elasticsearch taswarbhatti
Intro elasticsearch taswarbhattiIntro elasticsearch taswarbhatti
Intro elasticsearch taswarbhatti
 
CCCB Germline Variant Analysis on Cloud Platform
CCCB Germline Variant Analysis on Cloud PlatformCCCB Germline Variant Analysis on Cloud Platform
CCCB Germline Variant Analysis on Cloud Platform
 
Big Data DC - Analytics at Clearspring
Big Data DC - Analytics at ClearspringBig Data DC - Analytics at Clearspring
Big Data DC - Analytics at Clearspring
 
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
 
Putting Historical Data in Context: how to use DSpace-GLAM
Putting Historical Data in Context: how to use DSpace-GLAMPutting Historical Data in Context: how to use DSpace-GLAM
Putting Historical Data in Context: how to use DSpace-GLAM
 

Similar to Cross-Platform File System Activity Monitoring and Forensics - A Semantic Approach

Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
CTIN
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
guest66dc5f
 
Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...
Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...
Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...
Kevin Mao
 
Additional Data Session Statistical Data Distinguish between full.docx
Additional Data Session Statistical Data Distinguish between full.docxAdditional Data Session Statistical Data Distinguish between full.docx
Additional Data Session Statistical Data Distinguish between full.docx
write4
 
Big data & hadoop framework
Big data & hadoop frameworkBig data & hadoop framework
Big data & hadoop framework
Tu Pham
 

Similar to Cross-Platform File System Activity Monitoring and Forensics - A Semantic Approach (20)

BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year? BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
 
WoSC19: Serverless Workflows for Indexing Large Scientific Data
WoSC19: Serverless Workflows for Indexing Large Scientific DataWoSC19: Serverless Workflows for Indexing Large Scientific Data
WoSC19: Serverless Workflows for Indexing Large Scientific Data
 
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon Singapore 2018 - System call auditing made effective with machine l...DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
 
Environment Canada's Data Management Service
Environment Canada's Data Management ServiceEnvironment Canada's Data Management Service
Environment Canada's Data Management Service
 
Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...
Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...
Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...
 
Event Processing Using Semantic Web Technologies
Event Processing Using Semantic Web TechnologiesEvent Processing Using Semantic Web Technologies
Event Processing Using Semantic Web Technologies
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo Wazuh
 
Logs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMALogs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMA
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
2015 09 rda-pre-meeting_jk
2015 09 rda-pre-meeting_jk2015 09 rda-pre-meeting_jk
2015 09 rda-pre-meeting_jk
 
First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]
 
The Discovery Cloud: Accelerating Science via Outsourcing and Automation
The Discovery Cloud: Accelerating Science via Outsourcing and AutomationThe Discovery Cloud: Accelerating Science via Outsourcing and Automation
The Discovery Cloud: Accelerating Science via Outsourcing and Automation
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM Gap
 
Computer forensics libin
Computer forensics   libinComputer forensics   libin
Computer forensics libin
 
Additional Data Session Statistical Data Distinguish between full.docx
Additional Data Session Statistical Data Distinguish between full.docxAdditional Data Session Statistical Data Distinguish between full.docx
Additional Data Session Statistical Data Distinguish between full.docx
 
Azure: Lessons From The Field
Azure: Lessons From The FieldAzure: Lessons From The Field
Azure: Lessons From The Field
 
Metadata For Preservation Delos
Metadata For Preservation DelosMetadata For Preservation Delos
Metadata For Preservation Delos
 
Big data & hadoop framework
Big data & hadoop frameworkBig data & hadoop framework
Big data & hadoop framework
 

Recently uploaded

Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
amitlee9823
 
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
amitlee9823
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in  KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in  Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
Lars Albertsson
 
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model  Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...Vip Model  Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
shivangimorya083
 
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get CytotecAbortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Riyadh +966572737505 get cytotec
 

Recently uploaded (20)

Edukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFxEdukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFx
 
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
 
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interaction
 
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfAccredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
 
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in  KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in  Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptx
 
Generative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and MilvusGenerative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and Milvus
 
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFx
 
Sampling (random) method and Non random.ppt
Sampling (random) method and Non random.pptSampling (random) method and Non random.ppt
Sampling (random) method and Non random.ppt
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
 
Halmar dropshipping via API with DroFx
Halmar  dropshipping  via API with DroFxHalmar  dropshipping  via API with DroFx
Halmar dropshipping via API with DroFx
 
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model  Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...Vip Model  Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
 
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptx
 
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323  Cheap Rate Call Girls in Vashi with Real Photo 100% SecureCall me @ 9892124323  Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
 
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get CytotecAbortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
 

Cross-Platform File System Activity Monitoring and Forensics - A Semantic Approach

  • 1. Cross-Platform File System Activity Monitoring and Forensics - A Semantic Approach Kabul Kurniawan, Andreas Ekelhart Fajar Ekaputra, Elmar Kiesling This work was sponsored by the Austrian Science Fund (FWF) and netidee SCIENCE under grant P30437- N31, and the COMET K1 program by the Austrian Research Promotion Agency.
  • 2. Motivation • Increasing collection of sensitive data.. • the number and size of data breaches have been on the rise .. • 4.1 billion records in the first half of 2019 (Verizon) • USD 3.86 million average total cost/incident in 2020 (IBM) • Sophisticated attack tactics/techniques.. • exfiltration of sensitive data is often difficult to detect.. • 280 days on average to identify and contain a breach (IBM) 2 (External) Insider
  • 3. Challenges in Log Analysis Cross-Platform File System Activity Monitoring and Forensics - A Semantic Approach. Kabul Kurniawan 3 Dispersed ICT Asset Information Dispersed Cybersecurity information Manually searching log data and comparing related information to understand attack/event chains is a tedious & time consuming process!
  • 4. Cross-Platform File System Activity Monitoring and Forensics - A Semantic Approach. Kabul Kurniawan Syntactic heterogeneity Semantic heterogeneity Inconsistent identifiers Windows Eventlog Firewall- Log Linux AuthlogLog Data HeterogeneitySyslog 4
  • 5. Cross-Platform File System Activity Monitoring and Forensics - A Semantic Approach. Kabul Kurniawan • File Activity Monitoring • Statistical analysis to identify anomalies (Hu Y., 2011) • Policy based OS call provenance for data leakage detection (Awad, 2016) • OS kernel provenance to detect exfiltration from a database (Daren, 2019) • Deep learning model to predict insider threats (Bhavsar, 2018) • File System Ontologies & Semantic Approaches for File Monitoring • TripFS : File exploration framework based on linked data using the NEPOMUK File Ontology (Schand, 2010), VDB-FilePub (Shen, 2011), Semantic File System (SFS) (Mashwani, 2018) • Existing Tools & SIEMs: Commercially tools : e.g. SolarWinds, PA File Insight, STEALTHbits File Activity Monitor, and Decision File Audit. SIEMs: e.g. LogDNA, Splunk, ElasticSearch State of The Art 5 Research Gaps: • Mainly focus on regular expression, rule-based classification, and statistical log analysis, etc. • Lack of interoperability, contextualization and linking to cybersecurity information. • Existing tools provide simple alerting upon suspicious activity. • Existing SIEMs do not specifically tackle the problem of file activity tracking.
  • 6. Cross-Platform File System Activity Monitoring and Forensics - A Semantic Approach. Kabul Kurniawan Standards-based SPARQL RDF JSON-LD Graph-based flexible querying flexible schemas context-rich representation terminological clarity Explicit Semantics reasoning integration “machine-readability” Decentralization alignment linking federation reconciliation sharing 6 Semantic Web Technologies • Flexible schema for unstructured, semi-structured log data (xml, json, csv, etc.) • Semantic integration of heterogeneous security- related data (Win log, Linux Audit log, etc.) • Contextualization and linking to external & internal background knowledge (IT Assets, Cybersecurity Information, etc.) • Stream Reasoning over security-related log data (e.g. for real-time file activity monitoring) • Standard Query language for log analysis & forensic Potential solution for the security domain Addressing the current gaps in file activity monitoring & forensics
• 7. Proposed Approach
1. Conceptual Modelling: RDF/OWL ontology
  • Vocabulary (e.g. low-level log ontology, event ontology, etc.)
  • Background knowledge (e.g. IT assets, cybersecurity information)
2. Semantic Log Processing
  • Log acquisition and extraction
  • Log transformation (i.e. RDF mapping)
  • Event extraction & linking
3. Semantic Log Analysis and Monitoring
  • Event monitoring via semantic continuous querying over log streams
  • Log analysis and forensics through SPARQL queries
• 8. Conceptual Modelling: Ontology Construction
Bottom-up approach (figure):
• Input: low-level information from log sources (e.g. Windows, Linux)
• Log Entry Ontology (e.g. Windows, Linux log ontology)
• File Operation/Access Event Ontology
• Output: high-level events
• 9. Conceptual Modelling: Log Entry & File Access Ontology
Figures: Windows Log Ontology, Linux Log Ontology, File Access Ontology
• 10. System Architecture (figure)
• 11. Semantic Log Processing: Log Acquisition & Extraction
Raw log data (example syslog line):
Apr 9 09:37:47 kabul-VirtualBox systemd[1]: Mounted Huge Pages File System.
Extracted log data (example):
{
  "timestamp": "2018-04-09T07:37:47.000Z",
  "message": "Mounted Huge Pages File System",
  "program": "systemd",
  "host": "kabul-VirtualBox",
  "pid": "1",
  …
}
• 12. Semantic Log Processing: Extracted File Access Events in JSON
File access event types (figure): Created, Modified, Renamed, Copied, Deleted
• 13. Semantic Log Processing: RDF Mapping
Extracted log data (JSON), example:
{
  "timestamp": "2018-04-09T07:37:47.000Z",
  "message": "Mounted Huge Pages File System",
  "program": "systemd",
  "host": "kabul-VirtualBox",
  "pid": "1",
  …
}
Log data in RDF / JSON-LD, after enrichment (example):
{
  "@context": "http://w3id.org/contexts/syslog.jsonld",
  "logMessage": "Mounted Huge Pages File System",
  "timestamp": "2018-04-09T07:37:47.000Z",
  "hasProcessId": "1",
  "hasSeverity": { "severityName": "notice", "severityCode": "5" },
  "@type": "http://w3id.org/sepses/vocab/log/sysLog#SysLogEntry",
  "hasLogType": "http://example.org/system#syslog",
  "@id": "http://example.org/logEntry#logEntry-befd-abc",
  "hasProgram": { "programName": "systemd" },
  "logFilePath": "/var/log/syslog",
  "input": { "type": "log" },
  "originatesFrom": { "hostName": "kabul-VirtualBox" }
}
Mapping pipeline (figure): extracted log data → standard mapping language + log vocabularies → log data in RDF
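The two steps on slides 11 and 13, extraction of a raw syslog line into flat JSON and its mapping to JSON-LD with the slide's vocabulary URIs, as an added example in Python (not the prototype's own code). Assumptions: the syslog line carries neither year nor zone, so the year and the host's UTC offset (+02:00, which turns the slide's 09:37 local into 07:37Z) are parameters; the severity values and log file path are enrichment inputs, not parsed from the line.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Classic syslog layout: "Mon D HH:MM:SS host program[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*?)\.?$"
)

def extract(line, year=2018, utc_offset_hours=2):
    """Step 1: raw syslog line -> extracted log data (flat JSON dict).
    year / utc_offset_hours are assumptions: syslog lines omit both."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    local = datetime.strptime(
        "%s %s %s %s" % (year, m["mon"], m["day"], m["time"]), "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    stamp = local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"timestamp": stamp, "message": m["message"], "program": m["program"],
            "host": m["host"], "pid": m["pid"]}

def to_jsonld(entry, entry_id, severity=("notice", "5")):
    """Step 2: extracted JSON -> JSON-LD using the context/type URIs from slide 13.
    Severity is enrichment (syslog 'notice' has numeric code 5)."""
    return {
        "@context": "http://w3id.org/contexts/syslog.jsonld",
        "@id": "http://example.org/logEntry#" + entry_id,
        "@type": "http://w3id.org/sepses/vocab/log/sysLog#SysLogEntry",
        "logMessage": entry["message"],
        "timestamp": entry["timestamp"],
        "hasProcessId": entry["pid"],
        "hasSeverity": {"severityName": severity[0], "severityCode": severity[1]},
        "hasLogType": "http://example.org/system#syslog",
        "hasProgram": {"programName": entry["program"]},
        "logFilePath": "/var/log/syslog",
        "input": {"type": "log"},
        "originatesFrom": {"hostName": entry["host"]},
    }

if __name__ == "__main__":
    # The raw line from slide 11; the entry id is the slide's example id.
    raw = "Apr 9 09:37:47 kabul-VirtualBox systemd[1]: Mounted Huge Pages File System."
    print(json.dumps(to_jsonld(extract(raw), "logEntry-befd-abc"), indent=2))
```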
• 14. Semantic Log Processing: (High-level) Event Extraction
Example SPARQL CONSTRUCT query for event extraction (Rename):
PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
…
CONSTRUCT {
  ?subject fae:hasFileAccessType sys:Renamed ;
           rdf:type fae:FileAccessEvent ;
           fae:timestamp ?logtimestamp ;
           fae:hasSourceFile ?sourceFile ;
           fae:hasTargetFile ?targetFile ;
           fae:hasSourceHost ?sourceHost ;
           fae:hasTargetHost ?targetHost ;
           fae:hasUser ?user .
  ?sourceFile fae:fileName ?filename .
  ?targetFile fae:fileName ?filename2 .
  ?sourceHost fae:hostName ?hostname .
  ?targetHost fae:hostName ?hostname2 .
  ?user fae:userName ?username .
}
WHERE {
  ?s file:pathName ?filename2 .
  ?s file:hostName ?hostname2 .
  ?s file:timestamp ?logtimestamp .
  ?s file:userName ?username .
  ?s file:eventName ?event2 .
  { SELECT * WHERE {
      ?r file:pathName ?filename .
      ?r file:hostName ?hostname .
      ?r file:timestamp ?logtimestamp2 .
      ?r file:eventName ?event
      FILTER regex(str(?event), "moved")
  } }
  FILTER (regex(str(?event2), "created") && ?filename != ?filename2 && ?hostname = ?hostname2)
  BIND (URI(CONCAT(REPLACE(str(?s), "LogEntry", "event"), "-renamed")) AS ?subject)
  BIND (URI(CONCAT(REPLACE(str(?s), "LogEntry", "source-file"), "-renamed")) AS ?sourceFile)
  BIND (URI(CONCAT(REPLACE(str(?s), "LogEntry", "target-file"), "-renamed")) AS ?targetFile)
  BIND (URI(CONCAT(REPLACE(str(?s), "LogEntry", "source-host"), "-renamed")) AS ?sourceHost)
  BIND (URI(CONCAT(REPLACE(str(?s), "LogEntry", "target-host"), "-renamed")) AS ?targetHost)
  BIND (URI(CONCAT(REPLACE(str(?s), "LogEntry", "user"), "-renamed")) AS ?user)
}
Result (figure)
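The join the CONSTRUCT query above performs, a "created" entry matched with a "moved" entry on the same host under a different path and re-emitted as one Renamed event with the same REPLACE-based URI scheme, as an added example in plain Python over constructed log entries (not the prototype's code). The time window is an assumption: the query itself has no time bound because the stream engine's window supplies one.

```python
from datetime import datetime

# Constructed sample of extracted file-access log entries (not from the slides):
# a "moved" entry followed by a "created" entry on the same host, plus an
# unrelated "created" entry on another host that must not be matched.
SAMPLE_ENTRIES = [
    {"id": "http://example.org/LogEntry#1", "eventName": "moved", "pathName": "/srv/share/q3.xlsx",
     "hostName": "fileserver", "userName": "alice", "timestamp": "2018-04-09T07:37:47.000Z"},
    {"id": "http://example.org/LogEntry#2", "eventName": "created", "pathName": "/srv/share/q3-final.xlsx",
     "hostName": "fileserver", "userName": "alice", "timestamp": "2018-04-09T07:37:48.000Z"},
    {"id": "http://example.org/LogEntry#3", "eventName": "created", "pathName": "/home/bob/notes.txt",
     "hostName": "workstation", "userName": "bob", "timestamp": "2018-04-09T07:37:49.000Z"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def _uri(entry_id, kind):
    # Mirrors the BIND clauses: REPLACE(str(?s), "LogEntry", kind) followed by "-renamed".
    return entry_id.replace("LogEntry", kind) + "-renamed"

def extract_renamed(entries, window_seconds=3):
    """For each 'created' entry ?s, find 'moved' entries ?r on the same host with a
    different path (the query's FILTER) that happened at most window_seconds earlier
    (assumed window), and emit one Renamed FileAccessEvent per match."""
    events = []
    moved = [e for e in entries if "moved" in e["eventName"]]
    for s in entries:
        if "created" not in s["eventName"]:
            continue
        for r in moved:
            same_host = r["hostName"] == s["hostName"]
            different_path = r["pathName"] != s["pathName"]
            gap = (_ts(s["timestamp"]) - _ts(r["timestamp"])).total_seconds()
            if same_host and different_path and 0 <= gap <= window_seconds:
                events.append({
                    "@id": _uri(s["id"], "event"),
                    "@type": "fae:FileAccessEvent",
                    "fae:hasFileAccessType": "sys:Renamed",
                    "fae:timestamp": s["timestamp"],
                    "fae:hasSourceFile": {"@id": _uri(s["id"], "source-file"), "fae:fileName": r["pathName"]},
                    "fae:hasTargetFile": {"@id": _uri(s["id"], "target-file"), "fae:fileName": s["pathName"]},
                    "fae:hasSourceHost": {"@id": _uri(s["id"], "source-host"), "fae:hostName": r["hostName"]},
                    "fae:hasTargetHost": {"@id": _uri(s["id"], "target-host"), "fae:hostName": s["hostName"]},
                    "fae:hasUser": {"@id": _uri(s["id"], "user"), "fae:userName": s["userName"]},
                })
    return events
```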
• 15. Semantic Log Processing: File Access Activity Visualization
Figures: event graph of the generated RDF file access events; file life-cycle visualization
• 16. Prototype Implementation
https://github.com/kabulkurniawan/fileAccessExtractor
• 17. Use-Case 1: Log Forensics (File Access History)
Scenario (figure): analyst
Goals:
• Improve situational awareness
• Correlate event sequences
• 18. Use-Case 1: Log Forensics (File Access History)
Query evaluation (figure): result in table and as graph visualization; hosts: FileServer (Linux), Workstation (Windows)
• 19. Use-Case 2: Log Monitoring (Sensitive Data on Vulnerable Hosts)
Scenario (figure): analyst, cybersecurity knowledge base, internal background knowledge
Goals:
• Improve situational awareness
• Detect malicious activities
• Reduce false positives
Query evaluation (figure): result
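The linking this use case relies on, file access events joined with internal asset knowledge (which files are sensitive, which platform a host runs) and external cybersecurity knowledge (CPE to CVE with a CVSS score), as an added example in Python over a constructed in-memory triple list rather than the prototype's SPARQL endpoint. Predicate names, CPE strings and CVE identifiers are placeholders, not real vocabulary terms or advisories.

```python
# Constructed triples (subject, predicate, object); ids and vocabulary are placeholders.
TRIPLES = [
    # file-access events produced by the extraction stage
    ("ev:1", "fae:hasFileAccessType", "sys:Copied"),
    ("ev:1", "fae:hasTargetHost", "host:ws-07"),
    ("ev:1", "fae:hasTargetFile", "file:/home/carol/customers.csv"),
    ("ev:2", "fae:hasFileAccessType", "sys:Copied"),
    ("ev:2", "fae:hasTargetHost", "host:ws-09"),
    ("ev:2", "fae:hasTargetFile", "file:/home/dave/todo.txt"),
    ("ev:3", "fae:hasFileAccessType", "sys:Modified"),
    ("ev:3", "fae:hasTargetHost", "host:ws-09"),
    ("ev:3", "fae:hasTargetFile", "file:/home/dave/customers.csv"),
    # internal background knowledge: data classification and host platforms (IT assets)
    ("file:/home/carol/customers.csv", "asset:classification", "asset:Confidential"),
    ("file:/home/dave/customers.csv", "asset:classification", "asset:Confidential"),
    ("file:/home/dave/todo.txt", "asset:classification", "asset:Public"),
    ("host:ws-07", "asset:hasPlatform", "cpe:example-os:1.0"),
    ("host:ws-09", "asset:hasPlatform", "cpe:example-os:2.0"),
    # external cybersecurity knowledge: platform -> vulnerability -> CVSS (placeholder CVE ids)
    ("cpe:example-os:1.0", "cve:hasVulnerability", "CVE-0000-0001"),
    ("CVE-0000-0001", "cve:cvssScore", "9.8"),
    ("cpe:example-os:2.0", "cve:hasVulnerability", "CVE-0000-0002"),
    ("CVE-0000-0002", "cve:cvssScore", "3.1"),
]

def objects(triples, subject, predicate):
    """All objects of (subject, predicate, ?o), i.e. one basic graph pattern."""
    return [o for s, p, o in triples if s == subject and p == predicate]

def sensitive_on_vulnerable_hosts(triples, min_cvss=7.0):
    """Graph join equivalent to a monitoring query: report (event, host, file, cve)
    for every access to a Confidential file on a host whose platform carries a
    vulnerability scored at or above min_cvss. Accesses to sensitive files on
    hosts without such a vulnerability are deliberately not reported."""
    hits = []
    events = {s for s, p, o in triples if p == "fae:hasFileAccessType"}
    for ev in sorted(events):
        for host in objects(triples, ev, "fae:hasTargetHost"):
            for f in objects(triples, ev, "fae:hasTargetFile"):
                if "asset:Confidential" not in objects(triples, f, "asset:classification"):
                    continue
                for cpe in objects(triples, host, "asset:hasPlatform"):
                    for cve in objects(triples, cpe, "cve:hasVulnerability"):
                        scores = objects(triples, cve, "cve:cvssScore")
                        if scores and float(scores[0]) >= min_cvss:
                            hits.append((ev, host, f, cve))
    return hits
```

Lowering `min_cvss` widens the match set, which is the knob that trades detection coverage against the false positives the slide's goals mention.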
• 20. Evaluation
Setup:
• C-Sprite as event extraction engine (3 s sliding time window, evaluated every 1 s)
• Java-based event generator for random file activities (weighted random choices)
• Average times over five runs reported for each experiment
Evaluation results (figure)
• 21. Conclusions
• We tackled current challenges in file activity monitoring and analysis (interoperability, contextualization and uniform querying) with Semantic Web technologies.
• We introduced a set of vocabularies.
• We developed a prototype and illustrated how to monitor file system activities, trace file life-cycles, and enrich them with information to understand their context (e.g., internal and external background knowledge).
• We demonstrated the applicability of the approach in two scenarios in virtual environments.
• The results of our evaluation indicate that the approach can effectively extract and link micro-level operations of multiple operating systems and consolidate them in an integrated stream of semantically explicit file activity.
• 22. Future work
• We aim to address the accuracy and scalability limitations of the current approach.
• We will investigate the integration of our approach into existing standards (e.g., STIX and CASE) to increase interoperability for forensic investigation.
• 23. Thank you
Kabul Kurniawan, Kabul.kurniawan@tuwien.ac.at, twitter: kabulkurniawan
• 25. Semantic Log Processing – RDF Mapping: RML Mapping
@prefix rr: <http://www.w3.org/ns/r2rml#> .
@prefix rml: <http://semweb.mmlab.be/ns/rml#> .
@prefix cl: <http://w3id.org/sepses/vocab/log/core#> .
@prefix le: <http://w3id.org/sepses/vocab/log/linux-event#> .

:LogEntryMap a rr:TriplesMap ;
  rml:logicalSource [
    rml:root true ;
    rml:source "jdbc coso" ;
  ] ;
  rr:subjectMap [ rr:template "http://w3id.org/sepses/resource/linux-event#LogEntry-{id}" ] ;
  rr:predicateObjectMap [
    rr:predicate rdf:type ;
    rr:objectMap [ rr:template "http://w3id.org/..t#LinuxEventLogEntry" ] ] ;
  rr:predicateObjectMap [
    rr:predicate cl:timestamp ;
    rr:objectMap [ rr:template "{@timestamp}" ] ] ;
  rr:predicateObjectMap [
    rr:predicate cl:message ;
    rr:objectMap [ rr:template "{message}" ] ] ;
  rr:predicateObjectMap [
    rr:predicate le:eventName ;
    rr:objectMap [ rr:template "{eventname}" ] ] ;
  …
• 26. Conceptual Modelling – Background Knowledge
• Internal knowledge
  • System knowledge: captures organization-specific concepts and assets, e.g., hosts, users and network components
  • Event knowledge: event definitions and associated extraction patterns, e.g., Authentication (login, logout), File Access (created, copied, removed, etc.)
• External knowledge
  • Cybersecurity information: vulnerability information, weaknesses, indicators of compromise, common attack patterns, e.g., CVE, CVSS, CPE, CWE, CAPEC
• 27. Causal Linking of Security Events (figure)
• 28. State of The Art & Research Gaps
• File Activity Monitoring
  • Mainly focus on regular expressions, rule-based classification, anomaly detection, and statistical log analysis.
  • Focus on data exfiltration by insiders, resulting in a high number of false positives (Hu, 2011)
  • Policy-based operating system call provenance (Awad, 2016)
  • Lack of interoperability, contextualization and linking to cybersecurity information.
  • Limited to specific approaches, e.g. exfiltration from a database (Daren, 2019)
• File System Ontology
  • File exploration based on linked data principles using the NEPOMUK File Ontology (NFO)
  • NFS (Schand, 2010), VDB-FilePub (Shen, 2011), Semantic File System (SFS) (Mashwani, 2018)
• Semantic Approaches for File Access Monitoring & Forensics
  • Mostly do not focus on file activity monitoring and life-cycle construction in particular.
  • Focus on text processing while file activity is not considered (Amato, 2018)
• Existing Tools & SIEMs
  • Provide simple alerting upon suspicious activity
  • e.g. SolarWinds Server and Application Monitor, ManageEngine DataSecurity Plus, PA File Insight, STEALTHbits File Activity Monitor, and Decision File Audit
  • Existing SIEMs do not specifically tackle the problem of file activity tracking
  • e.g. LogDNA, Splunk, ElasticSearch