A Centralized System for Detecting Attacks from Windows Event Logs
Although Microsoft released Windows 10 and 11, many personal computers worldwide are still running the old Windows 7 version without installing security patches. This leads attackers to be able to exploit them. In this paper, we propose a lightweight system called SHIRO to detect Windows attacks fro...
محفوظ في:
| المؤلف الرئيسي: | |
|---|---|
| مؤلفون آخرون: | |
| التنسيق: | Conference or Workshop Item |
| منشور في: |
2023
|
| الموضوعات: | |
| الوصول للمادة أونلاين: | https://repository.li.mahidol.ac.th/handle/123456789/87766 |
| الوسوم: |
إضافة وسم
لا توجد وسوم, كن أول من يضع وسما على هذه التسجيلة!
|
| الملخص: | Although Microsoft released Windows 10 and 11, many personal computers worldwide are still running the old Windows 7 version without installing security patches. This leads attackers to be able to exploit them. In this paper, we propose a lightweight system called SHIRO to detect Windows attacks from the Windows event logs. It aims to detect attacks on Windows 7 clients by focusing on three most critical Common Vulnerabilities Exposures (CVEs), which are CVE 2017-0143 (EternalBlue), CVE 2017-0199 (HTA), and CVE 2019-0708 (BlueKeep). To validate our proposed system, we emulate various attacks and generate datasets on each attack type. Then the log server collects Windows event logs from each client. We identify attacks by comparing logs obtained during attacks and logs obtained during normal operations. Then we develop detection signatures for each CVE from specific event IDs. Once SHIRO finds the attack signatures in the records, it identifies the attack type and alerts to the administrator. Our experiments based on both pre-generated datasets and the real-time attacks confirm that SHIRO can detect three types of attacks accurately. The experiment results prove that SHIRO is useful for the administrator to find the compromised Windows machines efficiently. |
|---|