Audit Logs Management and Security - A Survey

Authors

  • Ahmad Ali COMSATS University, Islamabad, Pakistan

DOI:

https://doi.org/10.48129/kjs.v48i3.10624

Keywords:

System Protection & Security

Abstract

Audit logs are key resources that show the current state of the systems and user activities and are used for cyber forensics and maintenance. These logs are the only source that can help in finding traces of some malicious activities or troubleshooting a system failure. Insight view for trouble-free availability of computing resources and performance monitoring and meaningful forensic audit depends on the management and archival system of audit logs. These logs are prone to multidimensional threats and superusers or system administrators have unprecedented access to these logs and can alter these logs as and when required. Similarly, repudiation is another serious issue in computer forensics and non-repudiation can be provided by a secure recording of event logs. Periodic backups, encrypted data transfer, off-site storage and certificate based storage of these logs are commonly being used.  In this survey, we searched for the requirements of securing audit logs and available approaches to secure these logs. Based on the available literature, a taxonomy of audit log management is developed. We have drawn a comparison between these approaches and also highlighted the current challenges to these logs security and their available options.

References

Accorsi, R. (2010), BBox: A distributed secure log architecture, in ‘European Public Key Infrastructure

Workshop’, Springer, pp. 109–124.

Ali, A., Ahmed, M., Ilyas, M. & Kung, J. (2017), MITIS-An Insider Threats Mitigation Framework ¨

for Information Systems, in ‘International Conference on Future Data and Security Engineering’,

Springer, pp. 407–415.

Ali, A., Ahmed, M., Khan, A., Ilyas, M. & Razzaq, M. S. (2017), A trust management system model

for cloud, in ‘Networks, Computers and Communications (ISNCC), 2017 International Symposium

on’, IEEE, pp. 1–6.

Amar, M., Lemoudden, M. & El Ouahidi, B. (2016), Log file’s centralization to improve cloud security,

in ‘Cloud Computing Technologies and Applications (CloudTech), 2016 2nd International Confer?ence on’, IEEE, pp. 178–183.

Blass, E.-O. & Noubir, G. (2017), ‘Secure Logging with Crash Tolerance.’, IACR Cryptology ePrint

Archive 2017, 107.

Bonomi, F. (2011), Connected vehicles, the internet of things, and fog computing, in ‘The eighth ACM

international workshop on vehicular inter-networking (VANET), Las Vegas, USA’, pp. 13–15.

Bonomi, F., Milito, R., Zhu, J. & Addepalli, S. (2012), Fog computing and its role in the internet of

things, in ‘Proceedings of the first edition of the MCC workshop on Mobile cloud computing’,

ACM, pp. 13–16.

Boyle, B. (2015 (accessed December 20, 2016), Edge market will boost demand for micro data centers.

URL: http://www.datacenterdynamics.com/power-cooling/edge-market-will-boost-demand-for?micro-data-centers/95070

Chong, C. N., Peng, Z. & Hartel, P. H. (2003), Secure audit logging with tamper-resistant hardware, in

‘IFIP International Information Security Conference’, Springer, pp. 73–84.

Cucurull, J. & Puiggal´ı, J. (2016), Distributed immutabilization of secure logs, in ‘International Work?shop on Security and Trust Management’, Springer, pp. 122–137.

Enterprise Security (SIEM), Premium Solutions, Splunk (n.d.).

Forcher, B., Agne, S., Dengel, A., Gillmann, M. & Roth-Berghofer, T. (2011), Semantic logging: To?wards explanation-aware das, in ‘Document Analysis and Recognition (ICDAR), 2011 Interna?tional Conference on’, IEEE, pp. 1140–1144.

GFI Event Log Viewer and Analyzer, Network Monitoring and Management Software — GFI Events?Manager (n.d.). Accessed on May 10,2018.

URL: https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-eventsmanager

Hartung, G., Kaidel, B., Koch, A., Koch, J. & Hartmann, D. (2017), Practical and Robust Secure Logging

from Fault-Tolerant Sequential Aggregate Signatures, in ‘International Conference on Provable

Security’, Springer, pp. 87–106.

Hendler, J. & Berners-Lee, T. (2010), ‘From the Semantic Web to social machines: A research challenge

for AI on the World Wide Web’, Artificial Intelligence 174(2), 156–161.

Henze, M., Wolters, B., Matzutt, R., Zimmermann, T. & Wehrle, K. (2017), Distributed con-

figuration, authorization and management in the cloud-based internet of things, in ‘Trust?com/BigDataSE/ICESS, 2017 IEEE’, IEEE, pp. 185–192.

Holt, J. E. (2006), Logcrypt: forward security and public verification for secure audit logs, in ‘Proceed?ings of the 2006 Australasian workshops on Grid computing and e-research-Volume 54’, Australian

Computer Society, Inc., pp. 203–211.

Jaquette, G. A., Jesionowski, L. G., Kulakowski, J. E. & McDowell, J. A. (n.d.), ‘Low cost tamper?resistant method for write-once read many (WORM) storage’.

Jin, H., Zhou, K. & Luo, Y. (2018), ‘A framework with data-centric accountability and auditability for

cloud storage’, The Journal of Supercomputing pp. 1–24.

Kampanakis, P. & Yavuz, A. A. (2015), ‘BAFi: a practical cryptographic secure audit logging scheme

for digital forensics’, Security and Communication Networks 8(17), 3180–3190.

Khan, A., Yaqoob, A., Sarwar, K., Tahir, M. & Ahmed, M. (2017), ‘Secure Logging as a Service Using

Reversible Watermarking’, Procedia Computer Science 110, 336–343.

Khan, M. A. & Salah, K. (2017), ‘Iot security: Review, blockchain solutions, and open challenges’,

Future Generation Computer Systems .

Khan, S., Gani, A., Wahab, A. W. A., Bagiwa, M. A., Shiraz, M., Khan, S. U., Buyya, R. & Zomaya, A. Y.

(2016), ‘Cloud log forensics: Foundations, state of the art, and future directions’, ACM Computing

Surveys (CSUR 49(1), 7.

Ko, R. K., Jagadpramana, P. & Lee, B. S. (2011), Flogger: A file-centric logger for monitoring file access

and transfers within cloud computing environments, in ‘Trust, Security and Privacy in Computing

and Communications (TrustCom), 2011 IEEE 10th International Conference on’, IEEE, pp. 765–

LOGalyze - Open Source Log Management Tool, SIEM, Log Analyzer (n.d.). Accessed on May 10,2018.

URL: http://www.logalyze.com/

Ma, D. & Tsudik, G. (2007), Forward-secure sequential aggregate authentication, in ‘Security and Pri?vacy, 2007. SP’07. IEEE Symposium on’, IEEE, pp. 86–91.

ManageEngine EventLog Analyzer - SIEM Log management software. (n.d.). Accessed on May 10,2018.

URL: https://www.manageengine.com/products/eventlog/index1.html

Okoli, C. (2015), ‘A guide to conducting a standalone systematic literature review’.

Oliner, A. & Stearley, J. (2007), What supercomputers say: A study of five system logs, in ‘Depend?able Systems and Networks, 2007. DSN’07. 37th Annual IEEE/IFIP International Conference on’,

IEEE, pp. 575–584.

OSSEC Audit Log Storage (Opensource Security (n.d.). Accessed on May 10,2018.

URL: https://www.ossec.net/

OSSIM: The Open Source SIEM — AlienVault (n.d.). Accessed on May 10,2018.

URL: https://www.alienvault.com/products/ossim

Pulls, T. & Peeters, R. (2015), Balloon: A forward-secure append-only persistent authenticated data

structure, in ‘European Symposium on Research in Computer Security’, Springer, pp. 622–641.

Qiu, L., Zhang, Y., Wang, F., Kyung, M. & Mahajan, H. R. (1985), Trusted computer system evaluation

criteria, in ‘National Computer Security Center’, Citeseer.

Rajalakshmi, J. R., Rathinraj, M. & Braveen, M. (2014), Anonymizing log management process for

secure logging in the cloud, in ‘Circuit, Power and Computing Technologies (ICCPCT), 2014 In?ternational Conference on’, IEEE, pp. 1559–1564.

Reiss, C., Tumanov, A., Ganger, G. R., Katz, R. H. & Kozuch, M. A. (2012), Heterogeneity and dynam?icity of clouds at scale: Google trace analysis, in ‘Proceedings of the Third ACM Symposium on Cloud Computing’, ACM, p. 7.

Rosenblum, M. & Ousterhout, J. K. (1992), ‘The design and implementation of a log-structured file

system’, ACM Transactions on Computer Systems (TOCS 10(1), 26–52.

Sato, T., Himura, Y. & Yasuda, Y. (2016), Evidence-based context-aware log data management for in?tegrated monitoring system, in ‘Network Operations and Management Symposium (APNOMS), 2016 18th Asia-Pacific’, IEEE, pp. 1–4.

Scarfone, K. K. & Souppaya, M. P. (2006), Guide to Computer Security Log Management, Technical

report.

Schneier, B. & Kelsey, J. (1998), Cryptographic Support for Secure Logs on Untrusted Machines., in

‘USENIX Security Symposium’, Vol. 98, pp. 53–62.

Shafiq, M. O. (2015), Semantically Formalized Logging and Advanced Analytics for Enhanced Moni?toring and Management of Large-scale Applications, PhD thesis, University of Calgary.

Shepherd, C., Akram, R. N. & Markantonakis, K. (2017), ‘EmLog: Tamper-Resistant System Logging

for Constrained Devices with TEEs’, arXiv preprint arXiv:1712.03943 .

Sinha, A., Jia, L., England, P. & Lorch, J. R. (2014), Continuous tamper-proof logging using tpm 2.0, in

‘International Conference on Trust and Trustworthy Computing’, Springer, pp. 19–36.

Soderstr ¨ om, Olof and Moradian, Esmiralda (2013), ‘Secure audit log management’, ¨ Procedia Computer

Science 22, 1249–1258.

Sokolowski, J. A. & Banks, C. M. (2015), Agent implementation for modeling insider threat, in ‘Pro?ceedings of the 2015 Winter Simulation Conference’, IEEE Press, pp. 266–275.

Stanciu, A. (n.d.), Blockchain based distributed control system for edge computing.

Stojmenovic, I. & Wen, S. (2014), The fog computing paradigm: Scenarios and security issues, in ‘Com?puter Science and Information Systems (FedCSIS), 2014 Federated Conference on’, IEEE, pp. 1–8.

Sutton, A. & Samavi, R. (2017), Blockchain Enabled Privacy Audit Logs, in ‘International Semantic

Web Conference’, Springer, pp. 645–660.

syslog-ng - Log Management Solutions (n.d.). Accessed on May 10,2018.

URL: https://syslog-ng.com/

Voas, J. & Laplante, P. (2007), ‘The services paradigm: Who can you trust?’, IT Professional 9(3), 58–61.

Von Eye, F., Schmitz, D. & Hommel, W. (2013), SLOPPI-A Framework for Secure Logging with Pri?vacy Protection and Integrity, in ‘Proceedings of the Eighth International Conference on Internet Monitoring and Protection (ICIMP’, Citeseer, pp. 14–19.

Waters, B. R., Balfanz, D., Durfee, G. & Smetters, D. K. (2004), Building an Encrypted and Searchable

Audit Log., in ‘NDSS’, Vol. 4, pp. 5–6.

Yavuz, A. A. (2018), ‘Immutable authentication and integrity schemes for outsourced databases’, IEEE

Transactions on Dependable and Secure Computing 15(1), 69–82.

Yavuz, A. A. & Ning, P. (2009), Baf: An efficient publicly verifiable secure audit logging scheme for

distributed systems, in ‘Computer Security Applications Conference, 2009. ACSAC’09. Annual’,

IEEE, pp. 219–228.

Yavuz, A. A., Ning, P. & Reiter, M. K. (2012a), ‘BAF and FI-BAF: Efficient and publicly verifiable

cryptographic schemes for secure logging in resource-constrained systems’, ACM Transactions on

Information and System Security (TISSEC 15(2), 9.

Yavuz, A. A., Ning, P. & Reiter, M. K. (2012b), Efficient, compromise resilient and append-only cryptographic schemes for secure audit logging, in ‘International Conference on Financial Cryptography

and Data Security’, Springer, pp. 148–163.

Zawoad, S., Dutta, A. K. & Hasan, R. (2013), SecLaaS: secure logging-as-a-service for cloud forensics,

in ‘Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security’, ACM, pp. 219–230.

Zeng, L., Xiao, Y. & Chen, H. (2015), Linux auditing: overhead and adaptation, in ‘Communications

(ICC), 2015 IEEE International Conference on’, IEEE, pp. 7168–7173.

Published

24-06-2021