├── README.md
└── audit.rules_example

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Audit Log Analysis
Endpoint monitoring solutions (e.g., [Elastic](https://www.elastic.co/), [Splunk](https://docs.splunk.com/Documentation/CIM/4.20.0/User/SplunkAuditLogs)) are widely deployed in today's enterprise environments to support advanced attack detection and investigation. These monitors continuously record system-level activities as audit logs and provide deep visibility into security incidents.

Note that audit logs are different from [application logs](https://github.com/logpai/awesome-log-analysis), which are generated by the application code at the developer's discretion. Audit logs are generated by the operating system regardless of the application's code.

I highly suggest that beginners start their log analysis journey from [Backtracking intrusions](https://pdos.csail.mit.edu/6.828/2010/readings/backtracking.pdf), as this study pioneered this line of research.

## Table of contents
- [Dataset](#dataset)
- [Survey](#survey)
- [Definition](#definition)
- [Generation](#generation)
  - [Tool](#tool)
  - [Literature](#literature)
- [SIEM](#siem)
  - [Forensic Analysis](#forensic-analysis)
  - [Attack Detection](#attack-detection)
  - [Evasion](#evasion)
- [Limitations](#limitations)
  - [Space Overhead](#space-overhead)
  - [Dependency Explosion](#dependency-explosion)
- [Query](#query)
- [Integrity](#integrity)
- [CTI](#cti)

## Dataset
The [DARPA dataset](https://github.com/darpa-i2o/Transparent-Computing/blob/master/README-E3.md) is a publicly available APT attack dataset released by the DARPA Transparent Computing (TC) program. The dataset was derived from a network of hosts during a two-week-long red-team vs. blue-team adversarial engagement.

## Survey
- Threat Detection and Investigation with System-level Provenance Graphs: A Survey. Zhenyuan, et al. Computers & Security'2021 [paper](https://li-zhenyuan.github.io/files/PG_survey.pdf)
- SoK: History is a Vast Early Warning System: Auditing the Provenance of System Intrusions. Muhammad Adil Inam, et al. SP'2023 [paper](https://adambates.org/documents/Inam_Oakland23.pdf)
- Are we there yet? An Industrial Viewpoint on Provenance-based Endpoint Detection and Response Tools. Feng Dong, et al. CCS'2023 [paper](https://arxiv.org/pdf/2307.08349.pdf)

## Definition
Every event in audit logs represents an OS-level system activity such as process creation, file access, and network connection. One event usually spans several records (PROCTITLE, PATH, CWD, EXECVE, SYSCALL); they all carry the same `msg=audit(timestamp:serial)` identifier, which is what ties them together. Here, we use read and execve activities as examples to illustrate log events.
```
READ Event:
type=PROCTITLE msg=audit(08/26/19 20:34:53.383:98866813) : proctitle=bash
type=SYSCALL msg=audit(08/26/19 20:34:53.383:98866813) : arch=x86_64 syscall=read success=yes exit=25 a0=0x3 a1=0x7ffedcf386a0 a2=0x80 a3=0x7fa5c53f19d0 items=0 ppid=15757 pid=30204 auid=junzeng uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts21 ses=6309 comm=service exe=/bin/dash key=(null)

EXECVE Event:
type=PROCTITLE msg=audit(16/05/2019 16:18:30.752:49036555) : proctitle=ls /etc/bash_completion.d
type=PATH msg=audit(16/05/2019 16:18:30.752:49036555) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=135768 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(16/05/2019 16:18:30.752:49036555) : item=0 name=/bin/ls inode=6815827 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(16/05/2019 16:18:30.752:49036555) : cwd=/home/junzeng
type=EXECVE msg=audit(16/05/2019 16:18:30.752:49036555) : argc=2 a0=ls a1=/etc/bash_completion.d
type=SYSCALL msg=audit(16/05/2019 16:18:30.752:49036555) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x170e168 a1=0x1847cc8 a2=0x1807008 a3=0x598 items=2 ppid=10738 pid=10739 auid=junzeng uid=junzeng gid=junzeng euid=junzeng suid=junzeng fsuid=junzeng egid=junzeng sgid=junzeng fsgid=junzeng tty=pts21 ses=287 comm=ls exe=/bin/ls key=(null)
```

## Generation
#### Tool
- `Linux` [Auditd](https://github.com/linux-audit)/[Auditbeat](https://www.elastic.co/beats/auditbeat): kernel-level tracing facility for Linux. Here is a simplified version of the [auditd rules](audit.rules_example) used in our research project [WATSON](https://www.ndss-symposium.org/wp-content/uploads/2021-549-paper.pdf).
- `Windows` [ETW](https://docs.microsoft.com/en-us/windows/win32/etw/about-event-tracing): kernel-level tracing facility for Windows
- `FreeBSD` [DTrace](https://wiki.freebsd.org/DTrace): kernel-level tracing facility for FreeBSD

#### Literature
- Forensix: A robust, high-performance reconstruction system. A. Goel, et al. Distributed Computing Systems Workshops 2005 [paper](https://thefengs.com/wuchang/papers/sdcs05_forensix_full.pdf)
- PASS: Provenance-aware storage systems. K. Muniswamy-Reddy, et al. ATC'2006 [paper](https://syrah.eecs.harvard.edu/files/syrah/files/usenix06.pdf)
- Layering in provenance systems. K.-K. Muniswamy-Reddy, et al. Security'2009 [paper](https://www.usenix.org/legacy/events/usenix09/tech/full_papers/muniswamy-reddy/muniswamy-reddy.pdf)
- Trail of bytes: efficient support for forensic analysis. S. Krishnan, K. Z. Snow, and F. Monrose. CCS'2010 [paper](https://www.cs.unc.edu/~fabian/papers/trail10.pdf)
- Hi-Fi: collecting high-fidelity whole-system provenance. D. J. Pohly, et al. CCS'2012 [paper](https://www.cise.ufl.edu/~butler/pubs/acsac12b.pdf)
- SPADE: support for provenance auditing in distributed environments. A. Gehani and D. Tariq. International Middleware Conference 2012 [paper](http://www.csl.sri.com/users/gehani/papers/MW-2012.SPADE.pdf)
- LPM: Trustworthy whole-system provenance for the Linux kernel. A. Bates, et al. Security'2015 [paper](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-bates.pdf)
- Transparent Web Service Auditing via Network Provenance Functions. A. Bates, et al. WWW'2017 [paper](https://cise.ufl.edu/~butler/pubs/www17.pdf)
- Fear and logging in the internet of things. Q. Wang, et al. NDSS'2018 [paper](http://seclab.illinois.edu/wp-content/uploads/2017/12/wang2018fear.pdf)
- Kernel-Supported Cost-Effective Audit Logging for Causality Tracking. S. Ma, et al. ATC'2018 [paper](https://www.usenix.org/system/files/conference/atc18/atc18-ma-shiqing.pdf)
- Xanthus: Push-button Orchestration of Host Provenance Data Collection. Han X., et al. P-RECS'2020 [paper](https://arxiv.org/pdf/2005.04717.pdf)
- CLARION: Sound and Clear Provenance Tracking for Microservice Deployments. Chen X. Security'2021 [paper](https://www.usenix.org/system/files/sec21-chen-xutong.pdf)
- ALASTOR: Reconstructing the Provenance of Serverless Intrusions. P. Datta, et al. Security'2022 [paper](https://adambates.org/documents/Datta_Sec22.pdf)
- ProvTalk: Towards Interpretable Multi-level Provenance Analysis in Networking Functions Virtualization (NFV). Tabiban A., et al. NDSS'2022 [paper](https://www.ndss-symposium.org/wp-content/uploads/2022-103-paper.pdf)
- Towards Efficient Auditing for Real-Time Systems. Bansal A., et al. ESORICS'2022 [paper](https://adambates.org/documents/Bansal_Esorics22.pdf)
- eAudit: A Fast, Scalable and Deployable Audit Data Collection System. R. Sekar, et al. [paper](http://seclab.cs.sunysb.edu/seclab/pubs/eaudit.pdf)

## SIEM
#### Forensic Analysis
- Backtracking intrusions. King, et al. SOSP'2003 [paper](https://pdos.csail.mit.edu/6.828/2010/readings/backtracking.pdf)
- Enriching intrusion alerts through multi-host causality. S. T. King, et al. NDSS'2005 [paper](https://web.eecs.umich.edu/virtual/papers/king05.pdf)
- The Taser intrusion recovery system. A. Goel, et al. ASPLOS'2005 [paper](https://dl.acm.org/doi/pdf/10.1145/1095810.1095826)
- Provenance-aware tracing of worm break-in and contaminations: A process coloring approach. X. Jiang, et al. ICDCS'2006 [paper](https://www.cs.purdue.edu/homes/dxu/pubs/ICDCS06.pdf)
- Intrusion recovery using selective re-execution. T. Kim, et al. OSDI'2010 [paper](https://people.csail.mit.edu/nickolai/papers/kim-retro.pdf)
- Integrating IDS alert correlation and OS-level dependency tracking. Y. Zhai, et al. Intelligence and Security Informatics 2016 [paper](https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.227.5496&rep=rep1&type=pdf)
- CamFlow: Practical whole-system provenance capture. Pasquier, et al. Cloud Computing 2017 [paper](https://dl.acm.org/doi/pdf/10.1145/3127479.3129249)
- SLEUTH: Real-time attack scenario reconstruction from COTS audit data. M. N. Hossain, et al. Security'2017 [paper](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-hossain.pdf)
- Towards a timely causality analysis for enterprise security. Y. Liu, et al. NDSS'2018 [paper](https://www.princeton.edu/~pmittal/publications/priotracker-ndss18)
- LPROV: Practical Library-aware Provenance Tracing. F. Wang, et al. ACSAC'2018 [paper](https://yonghwi-kwon.github.io/data/lprov_acsac18.pdf)
- This is Why We Can't Cache Nice Things: Lightning-Fast Threat Hunting using Suspicion-Based Hierarchical Storage. W. U. Hassan, et al. ACSAC'2020 [paper](https://adambates.org/documents/Hassan_Acsac20.pdf)
- WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics. Jun Zeng, et al. NDSS'2021 [paper](https://www.ndss-symposium.org/wp-content/uploads/2021-549-paper.pdf)
- Forensic Analysis of Configuration-based Attacks. M. Adil Inam, et al. NDSS'2022 [paper](https://www.ndss-symposium.org/wp-content/uploads/2022-57-paper.pdf)
- Back-Propagating System Dependency Impact for Attack Investigation. PengCheng Fang, et al. Security'2022 [paper](https://www.usenix.org/system/files/sec22summer_fang.pdf)
- DEPCOMM: Graph Summarization on System Audit Logs for Attack Investigation. Zhiqiang Xu, et al. SP'2022 [paper](https://engineering.case.edu/groups/xusheng-xiao/sites/engineering.case.edu.groups.xusheng-xiao/files/docs/depcomm-ieeesp2022.pdf)
- RAPID: Real-Time Alert Investigation with Context-aware Prioritization for Efficient Threat Discovery. Yushan Liu, et al. ACSAC'2022 [paper](https://dl.acm.org/doi/pdf/10.1145/3564625.3567997)

#### Attack Detection
- Detecting intrusions using system calls: Alternative data models. C. Warrender, et al. SP'1999 [paper](http://wenke.gtisc.gatech.edu/ids-readings/system_call_models.pdf)
- Provenance-Aware Tracing of Worm Break-in and Contaminations: A Process Coloring Approach. X. Jiang, et al. ICDCS'2006 [paper](https://www.cs.purdue.edu/homes/dxu/pubs/ICDCS06.pdf)
- On the learning of system call attributes for host-based anomaly detection. G. Tandon and P. K. Chan. IJAIT'2006 [paper](https://pdfs.semanticscholar.org/1f05/969f6e72aad5e15e13df8019351085cc9683.pdf)
- Detecting insider threats in a real corporate database of computer usage activity. E. Ted, et al. KDD'2013 [paper](https://dl.acm.org/doi/pdf/10.1145/2487575.2488213)
- Malicious behavior detection using Windows audit logs. K. Berlin, et al. AISec'2015 [paper](https://arxiv.org/pdf/1506.04200.pdf)
- Detection of early-stage enterprise infection by mining large-scale log data. A. Oprea, et al. DSN'2015 [paper](https://arxiv.org/pdf/1411.5005.pdf)
- Entity embedding-based anomaly detection for heterogeneous categorical events. T. Chen, et al. IJCAI'2016 [paper](https://www.ijcai.org/Proceedings/16/Papers/201.pdf)
- Hercule: Attack story reconstruction via community discovery on correlated log graph. K. Pei, et al. ACSAC'2016 [paper](https://www.cs.purdue.edu/homes/dxu/pubs/HERCULE.pdf)
- Fast Memory-efficient Anomaly Detection in Streaming Heterogeneous Graphs. E. Manzoor, et al. KDD'2016 [paper](https://www.kdd.org/kdd2016/papers/files/rfp0693-manzoorA.pdf)
- Efficient Discovery of Abnormal Event Sequences in Enterprise Secur. B. Dong, et al. CIKM'2017 [paper](https://dl.acm.org/doi/pdf/10.1145/3132847.3132854)
- Collaborative Alert Ranking for Anomaly Detection. Y. Lin, et al. CIKM'2018 [paper](https://dl.acm.org/doi/pdf/10.1145/3269206.3272013)
- Heterogeneous Graph Matching Networks for Unknown Malware Detection. S. Wang, et al. IJCAI'2019 [paper](https://www.ijcai.org/Proceedings/2019/0522.pdf)
- HOLMES: Real-time APT detection through correlation of suspicious information flows. S. M. Milajerdi, et al. SP'2019 [paper](https://smomen2.people.uic.edu/publications/HOLMES.pdf)
- NoDoze: Combatting threat alert fatigue with automated provenance triage. W. U. Hassan, et al. NDSS'2019 [paper](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_03B-1-3_UlHassan_paper.pdf)
- UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats. Han Xueyuan, et al. NDSS'2020 [paper](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24046-paper.pdf)
- You are what you do: Hunting stealthy malware via data provenance analysis. Wang Qi, et al. NDSS'2020 [paper](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24167-paper.pdf)
- Tactical Provenance Analysis for Endpoint Detection and Response Systems. W. U. Hassan, et al. SP'2020 [paper](https://adambates.org/documents/Hassan_Oakland20.pdf)
- ATLAS: A Sequence-based Learning Approach for Attack Investigation. A. Alsaheel, et al. Security'2021 [paper](https://www.usenix.org/system/files/sec21summer_alsaheel.pdf)
- SIGL: Securing Software Installations Through Deep Graph Learning. Han Xueyuan, et al. Security'2021 [paper](https://arxiv.org/pdf/2008.11533.pdf)
- TRACE: Enterprise-Wide Provenance Tracking for Real-Time APT Detection. Hassaan Irshad, et al. Information Forensics and Security'2021 [paper](http://www.csl.sri.com/users/gehani/papers/TIFS-2021.TRACE.pdf)
- ShadeWatcher: Recommendation-guided Cyber Threat Analysis using System Audit Records. Jun Zeng, et al. SP'2022 [paper](https://jun-zeng.github.io/file/shadewatcher_paper.pdf)
- DISTDET: A Cost-Effective Distributed Cyber Threat Detection System. Feng Dong, et al. Security'2023 [paper](https://www.usenix.org/system/files/sec23summer_8-dong-prepub.pdf)
- PROGRAPHER: An Anomaly Detection System based on Provenance Graph Embedding. Fan Yang, et al. Security'2023 [paper](https://www.usenix.org/system/files/sec23fall-prepub-219-yang-fan.pdf)
- NodLink: An Online System for Fine-Grained APT Attack Detection and Investigation. Shaofei Li, et al. NDSS'2024 [paper]()
- MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning. Zian Jia, et al. Security'2024 [paper](https://www.usenix.org/system/files/sec23winter-prepub-490-jia.pdf)
- You Cannot Escape Me: Detecting Evasions of SIEM Rules in Enterprise Networks. Rafael Uetz, et al. Security'2024 [paper](https://www.usenix.org/system/files/sec23winter-prepub-112-uetz.pdf)
- KAIROS: Practical Intrusion Detection and Investigation using Whole-system Provenance. Zijun Cheng, et al. SP'2024 [paper](https://tfjmp.org/publications/2024-sp.pdf)
- FLASH: A Comprehensive Approach to Intrusion Detection via Provenance Graph Representation Learning. Mati Ur Rehman, et al. [paper](https://csdl-downloads.ieeecomputer.org/proceedings/sp/2024/3130/00/313000a139.pdf?Expires=1714898414&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9jc2RsLWRvd25sb2Fkcy5pZWVlY29tcHV0ZXIub3JnL3Byb2NlZWRpbmdzL3NwLzIwMjQvMzEzMC8wMC8zMTMwMDBhMTM5LnBkZiIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTcxNDg5ODQxNH19fV19&Signature=rQKAPyzR71DmOyKUIeYjmPSQPsSxVR1OKdKtWtZJqkcG81rvxXZz2yR49BqOaic08-tcU3fJdrc1CW8Nc8Y95ciTqBuMj0JLzf0~Mfq-LC7ZLXDL3QleD-rIQGMMC6d09Yn83R0JUmQsCrNcIvS2Ukt3v8730x89S0uSIKQ2d-VetAYHxQt3VtgbedLkUGuz2Z5LV7MXRBI8gb2YNu0LOOfK-XH989zaMuD~e8Ws1zkyk-A3NwnyYaHc3WTh3-CwBuSHDgTIJk0eSc2WTcWQCcND0z6-AejeYrHSZ11NIZZNaKYPIy1Ye4MbHjPzhTj96wc6vbu5I2MeNezNlS-F3w__&Key-Pair-Id=K12PMWTCQBDMDT)
- R-CAID: Embedding Root Cause Analysis within Provenance-based Intrusion Detection. Akul Goyal, et al. SP'2024 [paper](https://adambates.org/documents/Goyal_Oakland24.pdf)

#### Evasion
- Sometimes, You Aren't What You Do: Mimicry Attacks against Provenance Graph Host Intrusion Detection Systems. Akul Goyal, et al. NDSS'2023 [paper](https://adambates.org/documents/Goyal_Ndss23.pdf)
- Evading Provenance-Based ML Detectors with Adversarial System Actions. Kunal Mukherjee, et al. Security'2023 [paper](https://www.usenix.org/system/files/usenixsecurity23-mukherjee.pdf)

## Limitations
#### Space Overhead
- LogGC: garbage collecting audit log. K. H. Lee, et al. CCS'2013 [paper](https://friends.cs.purdue.edu/pubs/CCS13_LogGC.pdf)
- High fidelity data reduction for big data security dependency analyses. Z. Xu, et al. CCS'2016 [paper](https://kangkookjee.github.io/publications/xu-ccs2016.pdf)
- ProTracer: Towards practical provenance tracing by alternating between logging and tainting. S. Ma, X. Zhang, and D. Xu. NDSS'2016 [paper](https://friends.cs.purdue.edu/pubs/NDSS16.pdf)
- Towards scalable cluster auditing through grammatical inference over provenance graphs. W. U. Hassan, et al. NDSS'2018 [paper](https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_07B-1_Hassan_paper.pdf)
- Dependence-preserving data compaction for scalable forensic analysis. M. N. Hossain, et al. Security'2018 [paper](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hossain.pdf)
- NodeMerge: Template Based Efficient Data Reduction For Big-Data Causality Analysis. Y. Tang, et al. CCS'2018 [paper](https://kangkookjee.github.io/publications/nodemerge-ccs2018.pdf)
- APTrace: A Responsive System for Agile Enterprise Level Causality Analysis. Gui, et al. ICDE'2020 [paper](https://ieeexplore.ieee.org/document/9101446/)
- On the Forensic Validity of Approximated Audit Logs. N. Michael, et al. ACSAC'2020 [paper](https://adambates.org/documents/Michael_Acsac20.pdf)
- Elise: A Storage Efficient Logging System Powered by Redundancy Reduction and Representation Learning. Hailun Ding, et al. Security'2021 [paper](https://www.usenix.org/system/files/sec21-ding.pdf)
- SEAL: Storage-efficient Causality Analysis on Enterprise Logs with Query-friendly Compression. P. Fei, et al. Security'2021 [paper](https://www.usenix.org/system/files/sec21fall-fei.pdf)
- FAuST: Striking a Bargain between Forensic Auditing's Security and Throughput. Muhammad Adil Inam, et al. ACSAC'2022 [paper](https://dl.acm.org/doi/pdf/10.1145/3564625.3567990)
- The Case for Learned Provenance Graph Storage Systems. Hailun Ding, et al. Security'2023 [paper](https://www.usenix.org/system/files/sec23fall-prepub-330-ding-hailun.pdf)

#### Dependency Explosion
- Forensic analysis of file system intrusions using improved backtracking. S. Sitaraman and S. Venkatesan. IWIA'2005 [paper](https://dl.acm.org/doi/10.1109/IWIA.2005.9)
- Panorama: capturing system-wide information flow for malware detection and analysis. H. Yin, et al. CCS'2007 [paper](http://bitblaze.cs.berkeley.edu/papers/panorama.pdf)
- High accuracy attack provenance via binary-based execution partition. K. H. Lee, X. Zhang, and D. Xu. NDSS'2013 [paper](https://www.ndss-symposium.org/wp-content/uploads/2017/09/03_1_0.pdf)
- Accurate, low cost and instrumentation-free security audit logging for Windows. S. Ma, et al. ACSAC'2015 [paper](https://kyuhlee.github.io/publications/acsac15.pdf)
- ProTracer: Towards practical provenance tracing by alternating between logging and tainting. S. Ma, X. Zhang, and D. Xu. NDSS'2016 [paper](https://friends.cs.purdue.edu/pubs/NDSS16.pdf)
- LDX: Causality inference by lightweight dual execution. Y. Kwon, et al. ASPLOS'2016 [paper](https://dl.acm.org/doi/pdf/10.1145/2954679.2872395)
- MPI: Multiple perspective attack investigation with semantic aware execution partitioning. S. Ma, et al. Security'2017 [paper](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-ma.pdf)
- RAIN: Refinable attack investigation with on-demand inter-process information flow tracking. Y. Ji, et al. CCS'2017 [paper](https://iisp.gatech.edu/sites/default/files/images/rain.pdf)
- Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking. Y. Ji, et al. Security'2018 [paper](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-ji.pdf)
- MCI: Modeling-based causality inference in audit logging for attack investigation. Y. Kwon, et al. NDSS'2018 [paper](https://weihang-wang.github.io/papers/mci_ndss18.pdf)
- ProPatrol: Attack investigation via extracted high-level tasks. S. M. Milajerdi, et al. Information Systems Security 2018 [paper](https://arxiv.org/pdf/1810.05711.pdf)
- UISCOPE: Accurate, Instrumentation-free, and Visible Attack Investigation for GUI Applications. Runqing Yang, et al. NDSS'2020 [paper](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24329-paper.pdf)
- OmegaLog: High-fidelity attack investigation via transparent multi-layer log analysis. Hassan, Wajih Ul, et al. NDSS'2020 [paper](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24270-paper.pdf)
- Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics. M. N. Hossain, et al. SP'2020 [paper](http://seclab.cs.sunysb.edu/seclab/pubs/morse20.pdf)
- ALchemist: Fusing Application and Audit Logs for Precise Attack Provenance without Instrumentation. Le Yu, et al. NDSS'2021 [paper](https://www.ndss-symposium.org/wp-content/uploads/2021-445-paper.pdf)
- Validating the Integrity of Audit Logs Against Execution Repartitioning Attacks. Y. Carter, et al. CCS'2021 [paper](https://dl.acm.org/doi/pdf/10.1145/3460120.3484551)
- PalanTír: Optimizing Attack Provenance with Hardware-enhanced System Observability. Jun and Chuqi, et al. CCS'2022 [paper](https://jun-zeng.github.io/file/palantir_paper.pdf)

## Query
- Behavior query discovery in system-generated temporal graphs. B. Zong, et al. VLDB'2015 [paper](http://www.vldb.org/pvldb/vol9/p240-zong.pdf)
- AIQL: Enabling efficient attack investigation from system monitoring data. P. Gao, et al. ATC'2018 [paper](https://www.usenix.org/system/files/conference/atc18/atc18-gao.pdf)
- SAQL: A stream-based query system for real-time abnormal system behavior detection. P. Gao, et al. Security'2018 [paper](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-gao_0.pdf)
- Threat intelligence computing. X. Shu, et al. CCS'2018 [paper](https://dl.acm.org/doi/pdf/10.1145/3243734.3243829)
- Runtime Analysis of Whole-System Provenance. T. Pasquier, et al. CCS'2018 [paper](https://arxiv.org/pdf/1808.06049.pdf)
- GrAALF: Supporting graphical analysis of audit logs for forensics. O. Setayeshfar, et al. arXiv'2019 [paper](https://arxiv.org/pdf/1909.00902.pdf)
- POIROT: Aligning attack behavior with kernel audit records for cyber threat hunting. S. M. Milajerdi, et al. CCS'2019 [paper](https://smomen2.people.uic.edu/publications/POIROT.pdf)

## Integrity
- Forward integrity for secure audit logs. M. Bellare and B. Yee. Tech. Rep. 1997 [paper](http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.28.7970)
- A new approach to secure logging. D. Ma and G. Tsudik. TOS'2009 [paper](https://dl.acm.org/doi/pdf/10.1145/1502777.1502779)
- Efficient data structures for tamper-evident logging. S. A. Crosby and D. S. Wallach. Security'2009 [paper](https://www.usenix.org/legacy/event/sec09/tech/full_papers/crosby.pdf)
- BAF: An efficient publicly verifiable secure audit logging scheme for distributed systems. A. A. Yavuz and P. Ning. ACSAC'2009 [paper](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.147.9496&rep=rep1&type=pdf)
- Efficient, compromise resilient and append-only cryptographic schemes for secure audit logging. FC'2012 [paper](https://link.springer.com/chapter/10.1007/978-3-642-32946-3_12)
- SGX-Log: Securing system logs with SGX. Karande, Vishal, et al. AsiaCCS'2017 [paper](https://dl.acm.org/doi/pdf/10.1145/3052973.3053034)
- Practical and robust secure logging from fault-tolerant sequential aggregate signatures. G. Hartung, et al. ProvSec'2017 [paper](https://eprint.iacr.org/2017/949.pdf)
- Custos: Practical tamper-evident auditing of operating systems using trusted execution. Paccagnella Riccardo, et al. NDSS'2020 [paper](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24065-paper.pdf)
- Logging to the Danger Zone: Race Condition Attacks and Defenses on System Audit Frameworks. Paccagnella Riccardo, et al. CCS'2020 [paper](https://www.kevliao.com/publications/kennyloggings-ccs2020.pdf)
- HardLog: Practical Tamper-Proof System Auditing Using a Novel Audit Device. Adil Ahmad, et al. SP'2022 [paper](https://www.microsoft.com/en-us/research/uploads/prod/2022/04/hardlog-sp22.pdf)

## CTI
- TTPDrill: Automatic and Accurate Extraction of Threat Actions from Unstructured Text of CTI Sources. Ghaith Husari, et al. ACSAC'2017 [paper](https://dl.acm.org/doi/abs/10.1145/3134600.3134646)
- POIROT: Aligning attack behavior with kernel audit records for cyber threat hunting. S. M. Milajerdi, et al. CCS'2019 [paper](https://smomen2.people.uic.edu/publications/POIROT.pdf)
- Cyber Threat Intelligence Modeling Based on Heterogeneous Graph Convolutional Network. Jun Zhao, et al. RAID'2020 [paper](https://seit.egr.msu.edu/paper/raid20_CTI.pdf)
- Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence. Peng Gao, et al. arXiv'2020 [paper](https://arxiv.org/pdf/2010.13637.pdf)
- Extractor: Extracting Attack Behavior from Threat Reports. Kiavash Satvat, et al. EuroSP'2021 [paper](https://arxiv.org/pdf/2104.08618.pdf)

--------------------------------------------------------------------------------
/audit.rules_example:
--------------------------------------------------------------------------------
## Exclude noisy SELinux domains. auditctl ANDs every -F field of one rule, so a single
## rule listing three subj_type values can never match; each domain needs its own rule.
-a never,exit -S all -F subj_type=pulseaudio_t
-a never,exit -S all -F subj_type=ntpd_t
-a never,exit -S all -F subj_type=cron_t

## Cron jobs fill the logs with stuff we normally don't want (works with SELinux)
-a never,user -F subj_type=crond_t
-a exit,never -F subj_type=crond_t
-a never,user -F subj_type=cron_t
-a exit,never -F subj_type=cron_t
-a never,exit -F dir=/var/cache
-a never,exit -F dir=/root/.cache
-a never,exit -F dir=/proc

## Record the process, file and network syscalls that provenance analysis needs.
## Exclusion rules above must stay ahead of this rule: auditctl evaluates rules in order.
-a always,exit -S read,write,open,close,clone,fork,vfork,execve,kill,openat,sendto,recvfrom,sendfile,sendmsg,sendmmsg,recvmsg,recvmmsg,connect,socket,unlink,link,linkat,unlinkatn,rmdir,mkdir,rename,pipe,pipe2,dup,dup2,getpeername,fcntl
--------------------------------------------------------------------------------
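The two events shown in the README's Definition section, reassembled into provenance edges, as an added example (not code from the page or from the WATSON project): records are grouped by the serial in `msg=audit(timestamp:serial)`, the EXECVE, PATH and CWD records yield the executed image, argv and working directory, and an fd-based syscall such as `read` is reported as an unresolved descriptor because the SYSCALL record alone does not name the file or socket behind `a0`. All function and field names are my own, and the sample log is constructed from the page's two events.

```python
import re
from collections import OrderedDict

# Constructed sample: the READ and EXECVE events from the Definition section, in the
# interpreted (ausearch -i style) format the page shows. Label lines are skipped by the parser.
SAMPLE_LOG = """\
READ Event:
type=PROCTITLE msg=audit(08/26/19 20:34:53.383:98866813) : proctitle=bash
type=SYSCALL msg=audit(08/26/19 20:34:53.383:98866813) : arch=x86_64 syscall=read success=yes exit=25 a0=0x3 a1=0x7ffedcf386a0 a2=0x80 a3=0x7fa5c53f19d0 items=0 ppid=15757 pid=30204 auid=junzeng uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts21 ses=6309 comm=service exe=/bin/dash key=(null)

EXECVE Event:
type=PROCTITLE msg=audit(16/05/2019 16:18:30.752:49036555) : proctitle=ls /etc/bash_completion.d
type=PATH msg=audit(16/05/2019 16:18:30.752:49036555) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=135768 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(16/05/2019 16:18:30.752:49036555) : item=0 name=/bin/ls inode=6815827 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(16/05/2019 16:18:30.752:49036555) : cwd=/home/junzeng
type=EXECVE msg=audit(16/05/2019 16:18:30.752:49036555) : argc=2 a0=ls a1=/etc/bash_completion.d
type=SYSCALL msg=audit(16/05/2019 16:18:30.752:49036555) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x170e168 a1=0x1847cc8 a2=0x1807008 a3=0x598 items=2 ppid=10738 pid=10739 auid=junzeng uid=junzeng gid=junzeng euid=junzeng suid=junzeng fsuid=junzeng egid=junzeng sgid=junzeng fsgid=junzeng tty=pts21 ses=287 comm=ls exe=/bin/ls key=(null)
"""

# Every record carries msg=audit(timestamp:serial); the serial ties one syscall's records together.
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>.+?):(?P<serial>\d+)\) : (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Syscalls whose object is only a descriptor number in a0 (such events carry no PATH record).
FD_SYSCALLS = {"read", "write", "close", "sendto", "recvfrom", "sendmsg", "recvmsg", "sendfile", "dup", "fcntl"}

def parse_fields(rtype, body):
    """Split a record body into key/value pairs; proctitle may contain spaces, so keep it whole."""
    if rtype == "PROCTITLE":
        return {"proctitle": body[len("proctitle="):]}
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def group_records(lines):
    """Group raw records into events keyed by serial, preserving first-seen order."""
    events = OrderedDict()
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # blank lines and labels such as "READ Event:"
        ev = events.setdefault(m["serial"], {"ts": m["ts"], "serial": m["serial"], "records": []})
        ev["records"].append((m["type"], parse_fields(m["type"], m["body"])))
    return list(events.values())

def to_provenance(ev):
    """Reduce one grouped event to a (subject process, syscall, object) edge of a provenance graph."""
    recs, paths = {}, []
    for rtype, fields in ev["records"]:
        if rtype == "PATH":
            paths.append(fields)  # PATH repeats once per item
        else:
            recs.setdefault(rtype, fields)
    sc = recs.get("SYSCALL", {})
    subject = {"pid": int(sc.get("pid", -1)), "ppid": int(sc.get("ppid", -1)),
               "exe": sc.get("exe"), "uid": sc.get("uid"), "auid": sc.get("auid")}
    syscall = sc.get("syscall")
    if syscall == "execve":
        ex = recs.get("EXECVE", {})
        argv = [ex.get(f"a{i}") for i in range(int(ex.get("argc", 0)))]
        paths.sort(key=lambda p: int(p["item"]))  # item=0 is the executed image
        obj = {"kind": "file", "name": paths[0]["name"] if paths else sc.get("exe"),
               "argv": argv, "cwd": recs.get("CWD", {}).get("cwd")}
    elif syscall in FD_SYSCALLS:
        # a0 is the descriptor in hex; mapping it to a file or socket needs the earlier
        # open/socket/connect event of the same pid, which this event alone does not carry
        obj = {"kind": "fd", "fd": int(sc.get("a0", "0x0"), 16), "name": None}
    else:
        obj = {"kind": "unknown", "name": paths[0]["name"] if paths else None}
    return {"ts": ev["ts"], "serial": ev["serial"], "subject": subject, "syscall": syscall,
            "success": sc.get("success") == "yes", "object": obj}

def build_edges(text):
    """Interpreted auditd text -> list of provenance edges."""
    return [to_provenance(ev) for ev in group_records(text.splitlines())]

if __name__ == "__main__":
    for e in build_edges(SAMPLE_LOG):
        print(e["subject"]["exe"], e["subject"]["pid"], "--", e["syscall"], "-->", e["object"])
```

Resolving the `fd` objects into file or socket names is the job of a per-process descriptor table built from the earlier open/socket/connect events, which is exactly the state the dependency-tracking systems listed above maintain.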