A Centralized System for Detecting Attacks from Windows Event Logs
Although Microsoft released Windows 10 and 11, many personal computers worldwide are still running the old Windows 7 version without installing security patches. This leads attackers to be able to exploit them. In this paper, we propose a lightweight system called SHIRO to detect Windows attacks fro...
Saved in:
| Main Author: | |
|---|---|
| Other Authors: | |
| Format: | Conference or Workshop Item |
| Published: |
2023
|
| Subjects: | |
| Online Access: | https://repository.li.mahidol.ac.th/handle/123456789/87766 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Mahidol University |
| id |
th-mahidol.87766 |
|---|---|
| record_format |
dspace |
| spelling |
th-mahidol.877662023-07-08T01:01:29Z A Centralized System for Detecting Attacks from Windows Event Logs Visoottiviseth V. Mahidol University Computer Science Although Microsoft released Windows 10 and 11, many personal computers worldwide are still running the old Windows 7 version without installing security patches. This leads attackers to be able to exploit them. In this paper, we propose a lightweight system called SHIRO to detect Windows attacks from the Windows event logs. It aims to detect attacks on Windows 7 clients by focusing on three most critical Common Vulnerabilities Exposures (CVEs), which are CVE 2017-0143 (EternalBlue), CVE 2017-0199 (HTA), and CVE 2019-0708 (BlueKeep). To validate our proposed system, we emulate various attacks and generate datasets on each attack type. Then the log server collects Windows event logs from each client. We identify attacks by comparing logs obtained during attacks and logs obtained during normal operations. Then we develop detection signatures for each CVE from specific event IDs. Once SHIRO finds the attack signatures in the records, it identifies the attack type and alerts to the administrator. Our experiments based on both pre-generated datasets and the real-time attacks confirm that SHIRO can detect three types of attacks accurately. The experiment results prove that SHIRO is useful for the administrator to find the compromised Windows machines efficiently. 2023-07-07T18:01:29Z 2023-07-07T18:01:29Z 2023-01-01 Conference Paper Proceeding - 2023 International Electrical Engineering Congress, iEECON 2023 (2023) , 367-371 10.1109/iEECON56657.2023.10126899 2-s2.0-85162974509 https://repository.li.mahidol.ac.th/handle/123456789/87766 SCOPUS |
| institution |
Mahidol University |
| building |
Mahidol University Library |
| continent |
Asia |
| country |
Thailand Thailand |
| content_provider |
Mahidol University Library |
| collection |
Mahidol University Institutional Repository |
| topic |
Computer Science |
| spellingShingle |
Computer Science Visoottiviseth V. A Centralized System for Detecting Attacks from Windows Event Logs |
| description |
Although Microsoft released Windows 10 and 11, many personal computers worldwide are still running the old Windows 7 version without installing security patches. This leads attackers to be able to exploit them. In this paper, we propose a lightweight system called SHIRO to detect Windows attacks from the Windows event logs. It aims to detect attacks on Windows 7 clients by focusing on three most critical Common Vulnerabilities Exposures (CVEs), which are CVE 2017-0143 (EternalBlue), CVE 2017-0199 (HTA), and CVE 2019-0708 (BlueKeep). To validate our proposed system, we emulate various attacks and generate datasets on each attack type. Then the log server collects Windows event logs from each client. We identify attacks by comparing logs obtained during attacks and logs obtained during normal operations. Then we develop detection signatures for each CVE from specific event IDs. Once SHIRO finds the attack signatures in the records, it identifies the attack type and alerts to the administrator. Our experiments based on both pre-generated datasets and the real-time attacks confirm that SHIRO can detect three types of attacks accurately. The experiment results prove that SHIRO is useful for the administrator to find the compromised Windows machines efficiently. |
| author2 |
Mahidol University |
| author_facet |
Mahidol University Visoottiviseth V. |
| format |
Conference or Workshop Item |
| author |
Visoottiviseth V. |
| author_sort |
Visoottiviseth V. |
| title |
A Centralized System for Detecting Attacks from Windows Event Logs |
| title_short |
A Centralized System for Detecting Attacks from Windows Event Logs |
| title_full |
A Centralized System for Detecting Attacks from Windows Event Logs |
| title_fullStr |
A Centralized System for Detecting Attacks from Windows Event Logs |
| title_full_unstemmed |
A Centralized System for Detecting Attacks from Windows Event Logs |
| title_sort |
centralized system for detecting attacks from windows event logs |
| publishDate |
2023 |
| url |
https://repository.li.mahidol.ac.th/handle/123456789/87766 |
| _version_ |
1781415841773912064 |