A Centralized System for Detecting Attacks from Windows Event Logs
Although Microsoft released Windows 10 and 11, many personal computers worldwide are still running the old Windows 7 version without installing security patches. This leads attackers to be able to exploit them. In this paper, we propose a lightweight system called SHIRO to detect Windows attacks fro...
Saved in:
| Main Author: | |
|---|---|
| Other Authors: | |
| Format: | Conference or Workshop Item |
| Published: |
2023
|
| Subjects: | |
| Online Access: | https://repository.li.mahidol.ac.th/handle/123456789/87766 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Mahidol University |
| Summary: | Although Microsoft released Windows 10 and 11, many personal computers worldwide are still running the old Windows 7 version without installing security patches. This leads attackers to be able to exploit them. In this paper, we propose a lightweight system called SHIRO to detect Windows attacks from the Windows event logs. It aims to detect attacks on Windows 7 clients by focusing on three most critical Common Vulnerabilities Exposures (CVEs), which are CVE 2017-0143 (EternalBlue), CVE 2017-0199 (HTA), and CVE 2019-0708 (BlueKeep). To validate our proposed system, we emulate various attacks and generate datasets on each attack type. Then the log server collects Windows event logs from each client. We identify attacks by comparing logs obtained during attacks and logs obtained during normal operations. Then we develop detection signatures for each CVE from specific event IDs. Once SHIRO finds the attack signatures in the records, it identifies the attack type and alerts to the administrator. Our experiments based on both pre-generated datasets and the real-time attacks confirm that SHIRO can detect three types of attacks accurately. The experiment results prove that SHIRO is useful for the administrator to find the compromised Windows machines efficiently. |
|---|