Advanced persistent threat (APT) attacks have become frequent and increasingly sophisticated, and they are more challenging for traditional security detection models. System logs are vital for cyber-security analysis, mainly because they allow system behavior to be reconstructed. Existing Windows log collection tools built on ETW suffer from shortcomings including data loss, high overhead, and weak real-time performance, so it remains difficult to apply ETW-based Windows tools to the analysis of APT attack scenarios. To address these challenges, this paper proposes Kellect, an efficient and lossless kernel log collector, which is open-sourced at www.kellect.org. It adds only 2%-3% of extra CPU usage and about 40 MB of memory consumption by dynamically tuning the number of caches and processing threads through a multi-level cache solution. By replacing the TDH library with a sliding pointer, Kellect improves analysis performance, achieving at least 9 times the efficiency of existing tools. Kellect also improves compatibility across OS versions, and it enhances the semantic understanding of logs by maintaining event mappings and application call stacks, which provide richer characteristics for security behavior analysis. Extensive experiments show that Kellect achieves lossless, real-time and complete collection of the kernel log data generated from events, with an overall efficiency 9 times that of existing tools. As an illustration of how Kellect can support APT research, full logs have been collected into a dataset, Kellect4APT, generated by executing TTPs from the latest ATT&CK. To our knowledge, it is the first open benchmark dataset representing ATT&CK technique-specific behaviors, and it is expected to enable more extensive research on APTs.
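The "sliding pointer" idea in the abstract is to decode an event payload by walking its known field layout directly instead of asking TDH to resolve each property from the provider schema. The following is an added example, not Kellect's code and not a real ETW or Kellect event layout: it assumes a hypothetical fixed-layout process-start payload (pid, parent pid, image base, NUL-terminated image name), constructs a sample buffer inline, and parses it with a bounds-checked cursor. The check a practitioner wants here is that every read is validated against the remaining bytes, so a truncated or malformed record is rejected rather than read past the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Assumed, hypothetical payload layout for illustration only (little-endian):
 *   uint32_t pid; uint32_t parent_pid; uint64_t image_base;
 *   NUL-terminated ASCII image name.
 * This is NOT Kellect's or ETW's real schema. */
typedef struct {
    uint32_t pid;
    uint32_t parent_pid;
    uint64_t image_base;
    char image_name[64];
} proc_event_t;

/* Cursor that slides over the raw payload. Every read checks the remaining
 * byte count so a short or malformed record cannot cause an over-read. */
typedef struct {
    const uint8_t *p;
    size_t remaining;
} cursor_t;

static bool read_u32(cursor_t *c, uint32_t *out) {
    if (c->remaining < 4) return false;
    memcpy(out, c->p, 4);            /* memcpy avoids unaligned-access UB */
    c->p += 4; c->remaining -= 4;
    return true;
}

static bool read_u64(cursor_t *c, uint64_t *out) {
    if (c->remaining < 8) return false;
    memcpy(out, c->p, 8);
    c->p += 8; c->remaining -= 8;
    return true;
}

/* Copy a NUL-terminated string; reject it if unterminated within the
 * remaining bytes or if it would not fit the destination. */
static bool read_cstr(cursor_t *c, char *dst, size_t cap) {
    const void *nul = memchr(c->p, '\0', c->remaining);
    if (!nul) return false;
    size_t len = (size_t)((const uint8_t *)nul - c->p);
    if (len + 1 > cap) return false;
    memcpy(dst, c->p, len + 1);
    c->p += len + 1; c->remaining -= len + 1;
    return true;
}

/* Walk the assumed layout with the sliding cursor; any failed read
 * leaves the event partially filled and returns false. */
bool parse_proc_event(const uint8_t *buf, size_t len, proc_event_t *ev) {
    cursor_t c = { buf, len };
    return read_u32(&c, &ev->pid) &&
           read_u32(&c, &ev->parent_pid) &&
           read_u64(&c, &ev->image_base) &&
           read_cstr(&c, ev->image_name, sizeof ev->image_name);
}

/* Constructed sample payload (not captured from a real system). */
static const uint8_t SAMPLE[] = {
    0x34, 0x12, 0x00, 0x00,                          /* pid = 0x1234 = 4660 */
    0x04, 0x00, 0x00, 0x00,                          /* parent_pid = 4 */
    0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,  /* image_base = 0x400000 */
    'n', 'o', 't', 'e', 'p', 'a', 'd', '.', 'e', 'x', 'e', '\0'
};

/* Full record: parses successfully. */
bool parse_sample(proc_event_t *ev) {
    return parse_proc_event(SAMPLE, sizeof SAMPLE, ev);
}

/* Record cut 3 bytes short: the image name loses its terminator and the
 * parser must refuse it instead of scanning past the buffer. */
bool parse_truncated_sample(proc_event_t *ev) {
    return parse_proc_event(SAMPLE, sizeof SAMPLE - 3, ev);
}
```

A layout-driven walk like this is only safe when the layout is keyed on the event's provider, opcode and version; maintaining that mapping per OS version is what the abstract's event mappings and compatibility work refer to, and the cursor checks above are the cost of dropping the schema lookup.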