A Centralized System for Detecting Attacks from Windows Event Logs
5
Issued Date
2023-01-01
Resource Type
Scopus ID
2-s2.0-85162974509
Journal Title
Proceeding - 2023 International Electrical Engineering Congress, iEECON 2023
Start Page
367
End Page
371
Rights Holder(s)
SCOPUS
Bibliographic Citation
Proceeding - 2023 International Electrical Engineering Congress, iEECON 2023 (2023) , 367-371
Suggested Citation
Visoottiviseth V., Moonkhaen V. A Centralized System for Detecting Attacks from Windows Event Logs. Proceeding - 2023 International Electrical Engineering Congress, iEECON 2023 (2023) , 367-371. 371. doi:10.1109/iEECON56657.2023.10126899 Retrieved from: https://repository.li.mahidol.ac.th/handle/123456789/87766
Title
A Centralized System for Detecting Attacks from Windows Event Logs
Author(s)
Author's Affiliation
Other Contributor(s)
Abstract
Although Microsoft released Windows 10 and 11, many personal computers worldwide are still running the old Windows 7 version without installing security patches. This leads attackers to be able to exploit them. In this paper, we propose a lightweight system called SHIRO to detect Windows attacks from the Windows event logs. It aims to detect attacks on Windows 7 clients by focusing on three most critical Common Vulnerabilities Exposures (CVEs), which are CVE 2017-0143 (EternalBlue), CVE 2017-0199 (HTA), and CVE 2019-0708 (BlueKeep). To validate our proposed system, we emulate various attacks and generate datasets on each attack type. Then the log server collects Windows event logs from each client. We identify attacks by comparing logs obtained during attacks and logs obtained during normal operations. Then we develop detection signatures for each CVE from specific event IDs. Once SHIRO finds the attack signatures in the records, it identifies the attack type and alerts to the administrator. Our experiments based on both pre-generated datasets and the real-time attacks confirm that SHIRO can detect three types of attacks accurately. The experiment results prove that SHIRO is useful for the administrator to find the compromised Windows machines efficiently.