Audit Logs Management and Security - A Survey
Keywords:System Protection & Security
Audit logs are key resources that show the current state of the systems and user activities and are used for cyber forensics and maintenance. These logs are the only source that can help in finding traces of some malicious activities or troubleshooting a system failure. Insight view for trouble-free availability of computing resources and performance monitoring and meaningful forensic audit depends on the management and archival system of audit logs. These logs are prone to multidimensional threats and superusers or system administrators have unprecedented access to these logs and can alter these logs as and when required. Similarly, repudiation is another serious issue in computer forensics and non-repudiation can be provided by a secure recording of event logs. Periodic backups, encrypted data transfer, off-site storage and certificate based storage of these logs are commonly being used. In this survey, we searched for the requirements of securing audit logs and available approaches to secure these logs. Based on the available literature, a taxonomy of audit log management is developed. We have drawn a comparison between these approaches and also highlighted the current challenges to these logs security and their available options.
Accorsi, R. (2010), BBox: A distributed secure log architecture, in ‘European Public Key Infrastructure
Workshop’, Springer, pp. 109–124.
Ali, A., Ahmed, M., Ilyas, M. & Kung, J. (2017), MITIS-An Insider Threats Mitigation Framework ¨
for Information Systems, in ‘International Conference on Future Data and Security Engineering’,
Springer, pp. 407–415.
Ali, A., Ahmed, M., Khan, A., Ilyas, M. & Razzaq, M. S. (2017), A trust management system model
for cloud, in ‘Networks, Computers and Communications (ISNCC), 2017 International Symposium
on’, IEEE, pp. 1–6.
Amar, M., Lemoudden, M. & El Ouahidi, B. (2016), Log file’s centralization to improve cloud security,
in ‘Cloud Computing Technologies and Applications (CloudTech), 2016 2nd International Confer?ence on’, IEEE, pp. 178–183.
Blass, E.-O. & Noubir, G. (2017), ‘Secure Logging with Crash Tolerance.’, IACR Cryptology ePrint
Archive 2017, 107.
Bonomi, F. (2011), Connected vehicles, the internet of things, and fog computing, in ‘The eighth ACM
international workshop on vehicular inter-networking (VANET), Las Vegas, USA’, pp. 13–15.
Bonomi, F., Milito, R., Zhu, J. & Addepalli, S. (2012), Fog computing and its role in the internet of
things, in ‘Proceedings of the first edition of the MCC workshop on Mobile cloud computing’,
ACM, pp. 13–16.
Boyle, B. (2015 (accessed December 20, 2016), Edge market will boost demand for micro data centers.
Chong, C. N., Peng, Z. & Hartel, P. H. (2003), Secure audit logging with tamper-resistant hardware, in
‘IFIP International Information Security Conference’, Springer, pp. 73–84.
Cucurull, J. & Puiggal´ı, J. (2016), Distributed immutabilization of secure logs, in ‘International Work?shop on Security and Trust Management’, Springer, pp. 122–137.
Enterprise Security (SIEM), Premium Solutions, Splunk (n.d.).
Forcher, B., Agne, S., Dengel, A., Gillmann, M. & Roth-Berghofer, T. (2011), Semantic logging: To?wards explanation-aware das, in ‘Document Analysis and Recognition (ICDAR), 2011 Interna?tional Conference on’, IEEE, pp. 1140–1144.
GFI Event Log Viewer and Analyzer, Network Monitoring and Management Software — GFI Events?Manager (n.d.). Accessed on May 10,2018.
Hartung, G., Kaidel, B., Koch, A., Koch, J. & Hartmann, D. (2017), Practical and Robust Secure Logging
from Fault-Tolerant Sequential Aggregate Signatures, in ‘International Conference on Provable
Security’, Springer, pp. 87–106.
Hendler, J. & Berners-Lee, T. (2010), ‘From the Semantic Web to social machines: A research challenge
for AI on the World Wide Web’, Artificial Intelligence 174(2), 156–161.
Henze, M., Wolters, B., Matzutt, R., Zimmermann, T. & Wehrle, K. (2017), Distributed con-
figuration, authorization and management in the cloud-based internet of things, in ‘Trust?com/BigDataSE/ICESS, 2017 IEEE’, IEEE, pp. 185–192.
Holt, J. E. (2006), Logcrypt: forward security and public verification for secure audit logs, in ‘Proceed?ings of the 2006 Australasian workshops on Grid computing and e-research-Volume 54’, Australian
Computer Society, Inc., pp. 203–211.
Jaquette, G. A., Jesionowski, L. G., Kulakowski, J. E. & McDowell, J. A. (n.d.), ‘Low cost tamper?resistant method for write-once read many (WORM) storage’.
Jin, H., Zhou, K. & Luo, Y. (2018), ‘A framework with data-centric accountability and auditability for
cloud storage’, The Journal of Supercomputing pp. 1–24.
Kampanakis, P. & Yavuz, A. A. (2015), ‘BAFi: a practical cryptographic secure audit logging scheme
for digital forensics’, Security and Communication Networks 8(17), 3180–3190.
Khan, A., Yaqoob, A., Sarwar, K., Tahir, M. & Ahmed, M. (2017), ‘Secure Logging as a Service Using
Reversible Watermarking’, Procedia Computer Science 110, 336–343.
Khan, M. A. & Salah, K. (2017), ‘Iot security: Review, blockchain solutions, and open challenges’,
Future Generation Computer Systems .
Khan, S., Gani, A., Wahab, A. W. A., Bagiwa, M. A., Shiraz, M., Khan, S. U., Buyya, R. & Zomaya, A. Y.
(2016), ‘Cloud log forensics: Foundations, state of the art, and future directions’, ACM Computing
Surveys (CSUR 49(1), 7.
Ko, R. K., Jagadpramana, P. & Lee, B. S. (2011), Flogger: A file-centric logger for monitoring file access
and transfers within cloud computing environments, in ‘Trust, Security and Privacy in Computing
and Communications (TrustCom), 2011 IEEE 10th International Conference on’, IEEE, pp. 765–
LOGalyze - Open Source Log Management Tool, SIEM, Log Analyzer (n.d.). Accessed on May 10,2018.
Ma, D. & Tsudik, G. (2007), Forward-secure sequential aggregate authentication, in ‘Security and Pri?vacy, 2007. SP’07. IEEE Symposium on’, IEEE, pp. 86–91.
ManageEngine EventLog Analyzer - SIEM Log management software. (n.d.). Accessed on May 10,2018.
Okoli, C. (2015), ‘A guide to conducting a standalone systematic literature review’.
Oliner, A. & Stearley, J. (2007), What supercomputers say: A study of five system logs, in ‘Depend?able Systems and Networks, 2007. DSN’07. 37th Annual IEEE/IFIP International Conference on’,
IEEE, pp. 575–584.
OSSEC Audit Log Storage (Opensource Security (n.d.). Accessed on May 10,2018.
OSSIM: The Open Source SIEM — AlienVault (n.d.). Accessed on May 10,2018.
Pulls, T. & Peeters, R. (2015), Balloon: A forward-secure append-only persistent authenticated data
structure, in ‘European Symposium on Research in Computer Security’, Springer, pp. 622–641.
Qiu, L., Zhang, Y., Wang, F., Kyung, M. & Mahajan, H. R. (1985), Trusted computer system evaluation
criteria, in ‘National Computer Security Center’, Citeseer.
Rajalakshmi, J. R., Rathinraj, M. & Braveen, M. (2014), Anonymizing log management process for
secure logging in the cloud, in ‘Circuit, Power and Computing Technologies (ICCPCT), 2014 In?ternational Conference on’, IEEE, pp. 1559–1564.
Reiss, C., Tumanov, A., Ganger, G. R., Katz, R. H. & Kozuch, M. A. (2012), Heterogeneity and dynam?icity of clouds at scale: Google trace analysis, in ‘Proceedings of the Third ACM Symposium on Cloud Computing’, ACM, p. 7.
Rosenblum, M. & Ousterhout, J. K. (1992), ‘The design and implementation of a log-structured file
system’, ACM Transactions on Computer Systems (TOCS 10(1), 26–52.
Sato, T., Himura, Y. & Yasuda, Y. (2016), Evidence-based context-aware log data management for in?tegrated monitoring system, in ‘Network Operations and Management Symposium (APNOMS), 2016 18th Asia-Pacific’, IEEE, pp. 1–4.
Scarfone, K. K. & Souppaya, M. P. (2006), Guide to Computer Security Log Management, Technical
Schneier, B. & Kelsey, J. (1998), Cryptographic Support for Secure Logs on Untrusted Machines., in
‘USENIX Security Symposium’, Vol. 98, pp. 53–62.
Shafiq, M. O. (2015), Semantically Formalized Logging and Advanced Analytics for Enhanced Moni?toring and Management of Large-scale Applications, PhD thesis, University of Calgary.
Shepherd, C., Akram, R. N. & Markantonakis, K. (2017), ‘EmLog: Tamper-Resistant System Logging
for Constrained Devices with TEEs’, arXiv preprint arXiv:1712.03943 .
Sinha, A., Jia, L., England, P. & Lorch, J. R. (2014), Continuous tamper-proof logging using tpm 2.0, in
‘International Conference on Trust and Trustworthy Computing’, Springer, pp. 19–36.
Soderstr ¨ om, Olof and Moradian, Esmiralda (2013), ‘Secure audit log management’, ¨ Procedia Computer
Science 22, 1249–1258.
Sokolowski, J. A. & Banks, C. M. (2015), Agent implementation for modeling insider threat, in ‘Pro?ceedings of the 2015 Winter Simulation Conference’, IEEE Press, pp. 266–275.
Stanciu, A. (n.d.), Blockchain based distributed control system for edge computing.
Stojmenovic, I. & Wen, S. (2014), The fog computing paradigm: Scenarios and security issues, in ‘Com?puter Science and Information Systems (FedCSIS), 2014 Federated Conference on’, IEEE, pp. 1–8.
Sutton, A. & Samavi, R. (2017), Blockchain Enabled Privacy Audit Logs, in ‘International Semantic
Web Conference’, Springer, pp. 645–660.
syslog-ng - Log Management Solutions (n.d.). Accessed on May 10,2018.
Voas, J. & Laplante, P. (2007), ‘The services paradigm: Who can you trust?’, IT Professional 9(3), 58–61.
Von Eye, F., Schmitz, D. & Hommel, W. (2013), SLOPPI-A Framework for Secure Logging with Pri?vacy Protection and Integrity, in ‘Proceedings of the Eighth International Conference on Internet Monitoring and Protection (ICIMP’, Citeseer, pp. 14–19.
Waters, B. R., Balfanz, D., Durfee, G. & Smetters, D. K. (2004), Building an Encrypted and Searchable
Audit Log., in ‘NDSS’, Vol. 4, pp. 5–6.
Yavuz, A. A. (2018), ‘Immutable authentication and integrity schemes for outsourced databases’, IEEE
Transactions on Dependable and Secure Computing 15(1), 69–82.
Yavuz, A. A. & Ning, P. (2009), Baf: An efficient publicly verifiable secure audit logging scheme for
distributed systems, in ‘Computer Security Applications Conference, 2009. ACSAC’09. Annual’,
IEEE, pp. 219–228.
Yavuz, A. A., Ning, P. & Reiter, M. K. (2012a), ‘BAF and FI-BAF: Efficient and publicly verifiable
cryptographic schemes for secure logging in resource-constrained systems’, ACM Transactions on
Information and System Security (TISSEC 15(2), 9.
Yavuz, A. A., Ning, P. & Reiter, M. K. (2012b), Efficient, compromise resilient and append-only cryptographic schemes for secure audit logging, in ‘International Conference on Financial Cryptography
and Data Security’, Springer, pp. 148–163.
Zawoad, S., Dutta, A. K. & Hasan, R. (2013), SecLaaS: secure logging-as-a-service for cloud forensics,
in ‘Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security’, ACM, pp. 219–230.
Zeng, L., Xiao, Y. & Chen, H. (2015), Linux auditing: overhead and adaptation, in ‘Communications
(ICC), 2015 IEEE International Conference on’, IEEE, pp. 7168–7173.