Sysmon Log Analysis Methods for Cyber Threat Detection

Egor V. Kostikov

Abstract


In a world where cyber threats are becoming ever more sophisticated, the analysis of system logs plays a key role in securing information systems. Logs record the events occurring on the network and make it possible to detect abnormal actions that may indicate an attack or a security breach. Regular monitoring and analysis of this data speeds up the identification of incidents, which in turn enables a prompt response and limits the damage. System logs are also an important tool for incident investigation, since they allow the causes and the extent of an attack to be established. As the number of cyber threats keeps growing, competent log analysis is becoming vital for protecting organizations and their data. Sysmon is a powerful monitoring and logging tool that can significantly improve the security of an information infrastructure: it records changes to the file system, network connections and running processes, which makes it possible to identify suspicious activity and anomalies. Sysmon integrates with SIEM systems, which simplifies the analysis and correlation of its data. This paper gives an overview of existing methods and solutions for analysing Sysmon logs in order to detect malicious software.
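The abstract names three Sysmon event sources (process creation, network connections, file system changes) and the role of SIEM correlation. The following Python script is an added example and is not code from the paper, from Sysmon or from any of the tools it surveys: it parses Sysmon events in the XML layout the Windows event log exports, applies one illustrative rule to Event ID 1 records, and then uses the shared `ProcessGuid` field to attach the flagged process's later network (Event ID 3) and file-create (Event ID 11) activity to the alert, which is the correlation step a SIEM performs. The sample events, GUIDs, host name, user name and IP address are constructed; the application and script-host name lists are assumptions chosen for the rule, not an official set.

```python
"""Parse Sysmon XML events and correlate them by ProcessGuid (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace shared by every record in the Windows event log, Sysmon's included.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed vocabularies for the rule below (constructed lists, not from the paper).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events (Event IDs 1, 3 and 11) in Sysmon's XML layout.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>ws01.example.local</Computer></System>
<EventData><Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="CommandLine">"C:\Windows\System32\notepad.exe" notes.txt</Data>
<Data Name="User">EXAMPLE\alice</Data>
<Data Name="ParentImage">C:\Windows\explorer.exe</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>ws01.example.local</Computer></System>
<EventData><Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000002}</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="CommandLine">powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\run.ps1</Data>
<Data Name="User">EXAMPLE\alice</Data>
<Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID><Computer>ws01.example.local</Computer></System>
<EventData><Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000002}</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="DestinationIp">203.0.113.10</Data>
<Data Name="DestinationPort">8443</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>11</EventID><Computer>ws01.example.local</Computer></System>
<EventData><Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000002}</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="TargetFilename">C:\Users\alice\AppData\Local\Temp\update.dat</Data></EventData></Event>""",
]


def parse_event(xml_text):
    """Flatten one event into a dict: EventID, Computer and every EventData field by Name."""
    root = ET.fromstring(xml_text)
    event = {
        "EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "Computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = (data.text or "").strip()
    return event


def image_name(path):
    """Lower-cased file name of a Windows image path (Sysmon logs full paths)."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_script_host(event):
    """Rule: Event ID 1 whose parent is an Office application and whose image is a script host."""
    return (event["EventID"] == 1
            and image_name(event.get("ParentImage", "")) in OFFICE_APPS
            and image_name(event.get("Image", "")) in SCRIPT_HOSTS)


def analyze(xml_events):
    """Apply the rule, then attach the flagged process's later activity via its ProcessGuid.

    Event ID 3 and 11 records carry the ProcessGuid of the Event ID 1 record that
    created the process, which is the key a SIEM uses to correlate them.
    """
    events = [parse_event(x) for x in xml_events]
    by_guid = defaultdict(list)
    for ev in events:
        by_guid[ev.get("ProcessGuid")].append(ev)

    alerts = []
    for ev in events:
        if office_spawns_script_host(ev):
            related = by_guid[ev["ProcessGuid"]]
            alerts.append({
                "rule": "office_spawns_script_host",
                "host": ev["Computer"],
                "user": ev.get("User", ""),
                "command_line": ev.get("CommandLine", ""),
                "network": [f"{r['DestinationIp']}:{r['DestinationPort']}"
                            for r in related if r["EventID"] == 3],
                "files": [r["TargetFilename"] for r in related if r["EventID"] == 11],
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["rule"], "on", alert["host"], "as", alert["user"])
        print("  command:", alert["command_line"])
        print("  network:", alert["network"])
        print("  files:  ", alert["files"])
```

On a real host, `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` emits one `<Event>` element per record in exactly this layout, so the parser needs no change; only the rule vocabulary and the correlation window would be tuned for production use. The benign notepad.exe event produces no alert, which is the check that the rule keys on the parent/child pair rather than on the script host alone.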






ISSN: 2307-8162