Semantic-Integrated Online Audit Log Reduction for Efficient Forensic Analysis

Wenhao Liao; Jia Sun; Haiyan Wang; Zhaoquan Gu; Jianye Yang

doi:10.1007/978-981-96-0850-8_21

Semantic-Integrated Online Audit Log Reduction for Efficient Forensic Analysis

Wenhao Liao
, Jia Sun
, Haiyan Wang
, Zhaoquan Gu^*
, Jianye Yang

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

Audit logs are crucial for revealing and tracking sophisticated cyber threats due to their abundant system-level information. However, the immense scale of logs burdens storage resources and limits their lifecycle to days, which is insufficient for tracking multi-step attacks over months or years. Although log reduction techniques that cater to cold storage can mitigate this issue, many of these are restricted to offline batch processing in data centers. This incurs significant storage and transmission costs at endpoints. Moreover, many log reduction techniques fail to yield a suitable pattern for forensic analysis, which aims to identify signs of malicious activities by scrutinizing past events. In this paper, we present Sopr, an online audit log reduction technique designed to preserve traceability. Sopr enables real-time execution of the entire process, allowing reduction to be performed on raw log data streams. Specifically, our approach can effectively reduce events that lack causal dependence and involve repeated dependency relationships. To achieve this objective, we design a dual-cache architecture that simultaneously models semantically similar files and utilizes a versioned graph to preserve causality between log events. The synergy of these two components enhances the effectiveness of Sopr in log reduction. Our experiments on the DARPA TC datasets show that Sopr can achieve comparable event reduction factor in an online fashion to state-of-the-art offline approaches. Moreover, the runtime overhead and forensic analysis validity meet the deployment requirements for real-world environments.

Original language	English
Title of host publication	Advanced Data Mining and Applications - 20th International Conference, ADMA 2024, Proceedings
Editors	Quan Z. Sheng, Xuyun Zhang, Jia Wu, Congbo Ma, Gill Dobbie, Jing Jiang, Wei Emma Zhang, Yannis Manolopoulos, Wathiq Mansoor
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	318-333
Number of pages	16
ISBN (Print)	9789819608492
DOIs	https://doi.org/10.1007/978-981-96-0850-8_21
State	Published - 2025
Externally published	Yes
Event	20th International Conference on Advanced Data Mining Applications, ADMA 2024 - Sydney, Australia Duration: 3 Dec 2024 → 5 Dec 2024

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	15392 LNAI
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	20th International Conference on Advanced Data Mining Applications, ADMA 2024
Country/Territory	Australia
City	Sydney
Period	3/12/24 → 5/12/24

Keywords

Forensic Analysis
Log Reduction
Provenance Graph

Access to Document

10.1007/978-981-96-0850-8_21

Cite this

Liao, W., Sun, J., Wang, H., Gu, Z., & Yang, J. (2025). Semantic-Integrated Online Audit Log Reduction for Efficient Forensic Analysis. In Q. Z. Sheng, X. Zhang, J. Wu, C. Ma, G. Dobbie, J. Jiang, W. E. Zhang, Y. Manolopoulos, & W. Mansoor (Eds.), Advanced Data Mining and Applications - 20th International Conference, ADMA 2024, Proceedings (pp. 318-333). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ; Vol. 15392 LNAI). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-981-96-0850-8_21

Liao, Wenhao ; Sun, Jia ; Wang, Haiyan et al. / Semantic-Integrated Online Audit Log Reduction for Efficient Forensic Analysis. Advanced Data Mining and Applications - 20th International Conference, ADMA 2024, Proceedings. editor / Quan Z. Sheng ; Xuyun Zhang ; Jia Wu ; Congbo Ma ; Gill Dobbie ; Jing Jiang ; Wei Emma Zhang ; Yannis Manolopoulos ; Wathiq Mansoor. Springer Science and Business Media Deutschland GmbH, 2025. pp. 318-333 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ).

@inproceedings{60dd3da8b1b44687af81fcbdffd570ab,

title = "Semantic-Integrated Online Audit Log Reduction for Efficient Forensic Analysis",

abstract = "Audit logs are crucial for revealing and tracking sophisticated cyber threats due to their abundant system-level information. However, the immense scale of logs burdens storage resources and limits their lifecycle to days, which is insufficient for tracking multi-step attacks over months or years. Although log reduction techniques that cater to cold storage can mitigate this issue, many of these are restricted to offline batch processing in data centers. This incurs significant storage and transmission costs at endpoints. Moreover, many log reduction techniques fail to yield a suitable pattern for forensic analysis, which aims to identify signs of malicious activities by scrutinizing past events. In this paper, we present Sopr, an online audit log reduction technique designed to preserve traceability. Sopr enables real-time execution of the entire process, allowing reduction to be performed on raw log data streams. Specifically, our approach can effectively reduce events that lack causal dependence and involve repeated dependency relationships. To achieve this objective, we design a dual-cache architecture that simultaneously models semantically similar files and utilizes a versioned graph to preserve causality between log events. The synergy of these two components enhances the effectiveness of Sopr in log reduction. Our experiments on the DARPA TC datasets show that Sopr can achieve comparable event reduction factor in an online fashion to state-of-the-art offline approaches. Moreover, the runtime overhead and forensic analysis validity meet the deployment requirements for real-world environments.",

keywords = "Forensic Analysis, Log Reduction, Provenance Graph",

author = "Wenhao Liao and Jia Sun and Haiyan Wang and Zhaoquan Gu and Jianye Yang",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.; 20th International Conference on Advanced Data Mining Applications, ADMA 2024 ; Conference date: 03-12-2024 Through 05-12-2024",

year = "2025",

doi = "10.1007/978-981-96-0850-8\_21",

language = "英语",

isbn = "9789819608492",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "318--333",

editor = "Sheng, \{Quan Z.\} and Xuyun Zhang and Jia Wu and Congbo Ma and Gill Dobbie and Jing Jiang and Zhang, \{Wei Emma\} and Yannis Manolopoulos and Wathiq Mansoor",

booktitle = "Advanced Data Mining and Applications - 20th International Conference, ADMA 2024, Proceedings",

address = "德国",

}

Liao, W, Sun, J, Wang, H, Gu, Z & Yang, J 2025, Semantic-Integrated Online Audit Log Reduction for Efficient Forensic Analysis. in QZ Sheng, X Zhang, J Wu, C Ma, G Dobbie, J Jiang, WE Zhang, Y Manolopoulos & W Mansoor (eds), Advanced Data Mining and Applications - 20th International Conference, ADMA 2024, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) , vol. 15392 LNAI, Springer Science and Business Media Deutschland GmbH, pp. 318-333, 20th International Conference on Advanced Data Mining Applications, ADMA 2024, Sydney, Australia, 3/12/24. https://doi.org/10.1007/978-981-96-0850-8_21

Semantic-Integrated Online Audit Log Reduction for Efficient Forensic Analysis. / Liao, Wenhao; Sun, Jia; Wang, Haiyan et al.
Advanced Data Mining and Applications - 20th International Conference, ADMA 2024, Proceedings. ed. / Quan Z. Sheng; Xuyun Zhang; Jia Wu; Congbo Ma; Gill Dobbie; Jing Jiang; Wei Emma Zhang; Yannis Manolopoulos; Wathiq Mansoor. Springer Science and Business Media Deutschland GmbH, 2025. p. 318-333 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ; Vol. 15392 LNAI).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Semantic-Integrated Online Audit Log Reduction for Efficient Forensic Analysis

AU - Liao, Wenhao

AU - Sun, Jia

AU - Wang, Haiyan

AU - Gu, Zhaoquan

AU - Yang, Jianye

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.

PY - 2025

Y1 - 2025

N2 - Audit logs are crucial for revealing and tracking sophisticated cyber threats due to their abundant system-level information. However, the immense scale of logs burdens storage resources and limits their lifecycle to days, which is insufficient for tracking multi-step attacks over months or years. Although log reduction techniques that cater to cold storage can mitigate this issue, many of these are restricted to offline batch processing in data centers. This incurs significant storage and transmission costs at endpoints. Moreover, many log reduction techniques fail to yield a suitable pattern for forensic analysis, which aims to identify signs of malicious activities by scrutinizing past events. In this paper, we present Sopr, an online audit log reduction technique designed to preserve traceability. Sopr enables real-time execution of the entire process, allowing reduction to be performed on raw log data streams. Specifically, our approach can effectively reduce events that lack causal dependence and involve repeated dependency relationships. To achieve this objective, we design a dual-cache architecture that simultaneously models semantically similar files and utilizes a versioned graph to preserve causality between log events. The synergy of these two components enhances the effectiveness of Sopr in log reduction. Our experiments on the DARPA TC datasets show that Sopr can achieve comparable event reduction factor in an online fashion to state-of-the-art offline approaches. Moreover, the runtime overhead and forensic analysis validity meet the deployment requirements for real-world environments.

AB - Audit logs are crucial for revealing and tracking sophisticated cyber threats due to their abundant system-level information. However, the immense scale of logs burdens storage resources and limits their lifecycle to days, which is insufficient for tracking multi-step attacks over months or years. Although log reduction techniques that cater to cold storage can mitigate this issue, many of these are restricted to offline batch processing in data centers. This incurs significant storage and transmission costs at endpoints. Moreover, many log reduction techniques fail to yield a suitable pattern for forensic analysis, which aims to identify signs of malicious activities by scrutinizing past events. In this paper, we present Sopr, an online audit log reduction technique designed to preserve traceability. Sopr enables real-time execution of the entire process, allowing reduction to be performed on raw log data streams. Specifically, our approach can effectively reduce events that lack causal dependence and involve repeated dependency relationships. To achieve this objective, we design a dual-cache architecture that simultaneously models semantically similar files and utilizes a versioned graph to preserve causality between log events. The synergy of these two components enhances the effectiveness of Sopr in log reduction. Our experiments on the DARPA TC datasets show that Sopr can achieve comparable event reduction factor in an online fashion to state-of-the-art offline approaches. Moreover, the runtime overhead and forensic analysis validity meet the deployment requirements for real-world environments.

KW - Forensic Analysis

KW - Log Reduction

KW - Provenance Graph

UR - https://www.scopus.com/pages/publications/85214394627

U2 - 10.1007/978-981-96-0850-8_21

DO - 10.1007/978-981-96-0850-8_21

M3 - 会议稿件

AN - SCOPUS:85214394627

SN - 9789819608492

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 318

EP - 333

BT - Advanced Data Mining and Applications - 20th International Conference, ADMA 2024, Proceedings

A2 - Sheng, Quan Z.

A2 - Zhang, Xuyun

A2 - Wu, Jia

A2 - Ma, Congbo

A2 - Dobbie, Gill

A2 - Jiang, Jing

A2 - Zhang, Wei Emma

A2 - Manolopoulos, Yannis

A2 - Mansoor, Wathiq

PB - Springer Science and Business Media Deutschland GmbH

T2 - 20th International Conference on Advanced Data Mining Applications, ADMA 2024

Y2 - 3 December 2024 through 5 December 2024

ER -

Liao W, Sun J, Wang H, Gu Z, Yang J. Semantic-Integrated Online Audit Log Reduction for Efficient Forensic Analysis. In Sheng QZ, Zhang X, Wu J, Ma C, Dobbie G, Jiang J, Zhang WE, Manolopoulos Y, Mansoor W, editors, Advanced Data Mining and Applications - 20th International Conference, ADMA 2024, Proceedings. Springer Science and Business Media Deutschland GmbH. 2025. p. 318-333. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) ). doi: 10.1007/978-981-96-0850-8_21