eAUDIT: A Fast, Scalable and Deployable Audit Data Collection System

R. Sekar, Hanke Kimm, Rohit Aich

IEEE Symposium on Security and Privacy 2024 · Day 3 · Continental Ballroom 4

In this IEEE S&P presentation, Hanke Kimm from the Secure Systems Lab at Stony Brook University introduces **eAUDIT**, a system designed to overcome key limitations of existing audit data collection mechanisms. The talk argues that current logging solutions impose high overhead, silently lose significant amounts of data, and leave a long window in which log records can be tampered with before they are persisted, all of which severely limit their value for detecting and analyzing advanced persistent threats (APTs). eAUDIT is built on **eBPF** (extended Berkeley Packet Filter) and is shown to substantially improve the performance, reliability, and tamper resistance of audit data collection.

AI review

eAUDIT tackles the long-standing problem of inadequate audit logging for APT detection by building on eBPF with targeted optimizations. Its two-level buffering and analytical model deliver near-zero data loss, low overhead, and a log tamper window orders of magnitude smaller than that of existing solutions, which makes it a strong candidate for both forensic analysis and real-world deployment.
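As an added illustration (this is not eAUDIT's code and not part of the talk), the Python below models the two properties the summary above and the talk description both emphasize: silent data loss in a kernel-to-user-space audit pipeline, detected through gaps in per-CPU sequence numbers, and the tamper window, the delay between an event's generation and its persistence. The two-level buffer, its capacities, the drop-when-full policy and the simulated clock are hypothetical simplifications chosen to make the effects visible, not a description of how eAUDIT sizes or manages its buffers.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    cpu: int       # CPU that generated the event
    seq: int       # per-CPU monotonically increasing sequence number
    t_gen: float   # simulated time at which the event was generated


class TwoLevelBuffer:
    """Hypothetical two-level buffer: small per-CPU staging buffers that are
    flushed into one shared buffer drained by a user-space consumer.
    The kernel side can never block, so a full shared buffer means loss."""

    def __init__(self, ncpu, percpu_cap, shared_cap):
        self.percpu = [deque() for _ in range(ncpu)]
        self.percpu_cap = percpu_cap
        self.shared = deque()
        self.shared_cap = shared_cap
        self.next_seq = [0] * ncpu   # producer-side counters (ground truth)
        self.dropped = 0

    def produce(self, cpu, t):
        ev = Event(cpu, self.next_seq[cpu], t)
        self.next_seq[cpu] += 1
        self.percpu[cpu].append(ev)
        if len(self.percpu[cpu]) >= self.percpu_cap:
            self.flush(cpu)

    def flush(self, cpu):
        # Move staged events into the shared buffer; drop whatever does not fit.
        while self.percpu[cpu]:
            ev = self.percpu[cpu].popleft()
            if len(self.shared) < self.shared_cap:
                self.shared.append(ev)
            else:
                self.dropped += 1

    def drain(self, t_now, batch):
        # Consumer persists up to `batch` events; record the persistence time.
        out = []
        while self.shared and len(out) < batch:
            out.append((self.shared.popleft(), t_now))
        return out


def find_gaps(persisted, expected):
    """Per CPU, list sequence numbers that were produced but never persisted.
    `expected[cpu]` is the producer's counter; a real consumer would instead
    track the last sequence number it saw on each CPU."""
    seen = [set() for _ in expected]
    for ev, _ in persisted:
        seen[ev.cpu].add(ev.seq)
    gaps = {}
    for cpu, n in enumerate(expected):
        missing = sorted(set(range(n)) - seen[cpu])
        if missing:
            gaps[cpu] = missing
    return gaps


def tamper_window(persisted):
    """(max, mean) delay between generation and persistence: the time during
    which a record still sits in a kernel buffer and could be altered."""
    delays = [t_p - ev.t_gen for ev, t_p in persisted]
    if not delays:
        return (0.0, 0.0)
    return (max(delays), sum(delays) / len(delays))


def simulate(ncpu=2, percpu_cap=4, shared_cap=16, batch=8, steps=40, burst=3):
    """Deterministic workload: every CPU emits `burst` events per time step;
    the consumer drains once per step, half a step later."""
    buf = TwoLevelBuffer(ncpu, percpu_cap, shared_cap)
    persisted = []
    for t in range(steps):
        for cpu in range(ncpu):
            for _ in range(burst):
                buf.produce(cpu, float(t))
        persisted.extend(buf.drain(float(t) + 0.5, batch))
    # Shutdown: let the consumer catch up, then flush the staging buffers.
    t_end = float(steps)
    for cpu in range(ncpu):
        while buf.shared:
            persisted.extend(buf.drain(t_end, batch))
        buf.flush(cpu)
    while buf.shared:
        persisted.extend(buf.drain(t_end, batch))
    return {
        "produced": sum(buf.next_seq),
        "persisted": len(persisted),
        "dropped": buf.dropped,
        "gaps": find_gaps(persisted, buf.next_seq),
        "tamper_window": tamper_window(persisted),
    }


if __name__ == "__main__":
    print(simulate())               # adequately sized shared buffer: no loss
    print(simulate(shared_cap=6))   # undersized shared buffer: CPU 1 loses events
```

With the default sizes the consumer keeps up and every event is persisted, but records still wait up to 1.5 simulated steps in kernel buffers, which is the tamper window a per-CPU staging design has to bound. Shrinking the shared buffer to 6 shows the other failure mode: the second CPU's flushes arrive after the first CPU has filled the buffer, and every fourth-event block loses its last two records; the sequence-gap check reports exactly which ones, which is the check a collector should run continuously rather than trusting that "no error was logged" means "nothing was lost".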

Watch on YouTube