Shiro : a centralized system for detecting attacks from windows event logs
Issued Date
2021
Copyright Date
2021
Resource Type
Language
eng
File Type
application/pdf
No. of Pages/File Size
ixx, 90 leaves : ill.
Thematic Paper (M.Sc. (Cyber Security and Information Assurance))--Mahidol University, 2021
Access Rights
open access
Rights
This work is copyrighted by Mahidol University and is reserved for educational use only. The source must be cited; the content must not be modified and must not be used for commercial purposes.
Rights Holder(s)
Mahidol University
Suggested Citation
Vatcharanun Moonkhaen (2021). Shiro : a centralized system for detecting attacks from windows event logs. Retrieved from: https://repository.li.mahidol.ac.th/handle/123456789/114972
Title
Shiro : a centralized system for detecting attacks from windows event logs
Author(s)
Abstract
Many organizations and companies have suffered damage from cyberattacks that exploit vulnerabilities in Microsoft Windows products, especially because numerous personal computers worldwide still run the older Windows 7 without security patches, a weakness that attackers can exploit. We therefore propose and develop SHIRO, an attack detection system running on a centralized log server that aims to detect and analyze attacks on Windows 7 clients by focusing on the three most critical Common Vulnerabilities and Exposures (CVEs): CVE-2017-0143 (EternalBlue), CVE-2017-0199 (HTA), and CVE-2019-0708 (BlueKeep). To validate the proposed system, we run experiments using the Metasploit framework to generate a dataset for each attack type; the log server collects Windows Event logs from the clients, and we analyze them by comparing the logs recorded under attack with those recorded during normal operation. From the specific Event log records and their details we then develop a detection signature for each CVE, so that once SHIRO identifies an attack signature in the records, it identifies the attack type and alerts the administrator. Our experiments, on both the datasets and real-time attacks, confirm that SHIRO detects the three attack types accurately, allowing the administrator to locate the compromised machine directly; the underlying security issue can then be resolved by installing the security patches or upgrading to a newer operating system version.
Regarding the implications of this thematic paper, future research should focus on severe vulnerabilities in other Windows OS versions, for example Microsoft Windows 10, which holds the largest operating-system market share worldwide; although it is the newest and more secure operating system, it still has critical vulnerabilities, so the method proposed in this project can be applied to create new detection signatures for other attack types.
Degree Name
Master of Science
Degree Level
Master's degree
Degree Department
Faculty of Information and Communication Technology
Degree Discipline
Cyber Security and Information Assurance
Degree Grantor(s)
Mahidol University
